Can signature analysis of DHCP client behaviour identify WinXP clients?

A.L.M.Buxey at A.L.M.Buxey at
Mon Nov 11 14:54:13 UTC 2013


> I'm trying to chase down the residual WinXP boxes on our campus,
> and wonder whether signature analysis of DHCP requests can help.

might work for you.... eg using the fingerprints:

subclass "VendorIdent" 1:f:3:6:2c:2e:2f:1f:21:f9:2b {
	 set os-ident = "Windows/XP";
}
subclass "VendorIdent" 6:3:1:f:42:43:d:2c {
	 set os-ident = "Windows/XP 2";
}
subclass "VendorIdent" 1:3:6:f:33:2c {
	 set os-ident = "Windows/XP SP2 (hotfix 885270)";
}
subclass "VendorIdent" 6:3:1:f:42:43:d:2c:c {
	 set os-ident = "Windows/XP pro";
}

check out - PacketFence NAC system also
uses these. we started using these fingerprints way back when it was a Finnish
project IIRC.

you might also want to look at using any internet web server or proxy - if you log the
Agent then they'll also stick out quite nicely...handy if you use eg squid proxy
or have internal servers that all people generally use - eg apache powered intranet.
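
The fingerprint match from the reply above, as an added example that is not part of the original post or of any project it mentions. It assumes the subclass keys are the bytes of DHCP option 55 (parameter request list) written as colon-separated hex; the function names and the sample option buffers are constructed for illustration.

```python
# Fingerprints copied from the post; assumed to be option 55 bytes in hex.
FINGERPRINTS = {
    "1:f:3:6:2c:2e:2f:1f:21:f9:2b": "Windows/XP",
    "6:3:1:f:42:43:d:2c": "Windows/XP 2",
    "1:3:6:f:33:2c": "Windows/XP SP2 (hotfix 885270)",
    "6:3:1:f:42:43:d:2c:c": "Windows/XP pro",
}
PAD, END, PARAM_REQUEST_LIST = 0, 255, 55


def parse_options(options: bytes) -> dict:
    """Walk the TLV-encoded DHCP options field (the bytes after the magic cookie)."""
    found, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == END:
            break
        if code == PAD:  # pad is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        # A repeated option code is concatenated (long-option splitting).
        found[code] = found.get(code, b"") + value
        i += 2 + length
    return found


def fingerprint(options: bytes):
    """Return option 55 as colon-separated hex, or None if the client sent none."""
    prl = parse_options(options).get(PARAM_REQUEST_LIST)
    if prl is None:
        return None
    return ":".join(format(b, "x") for b in prl)


def identify(options: bytes) -> str:
    """Map a client's option buffer to the os-ident label from the post."""
    return FINGERPRINTS.get(fingerprint(options), "unknown")


# Constructed samples: message type (53), then option 55, then end.
SAMPLE_XP = bytes([53, 1, 1, 55, 11, 1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43, 255])
SAMPLE_OTHER = bytes([53, 1, 1, 0, 55, 4, 1, 3, 6, 15, 255])
```

The order of the requested options is part of the fingerprint, so the bytes are compared in the order the client sent them rather than sorted.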

