Can signature analysis of DHCP client behaviour identify WinXP clients?

Niall O'Reilly niall.oreilly at
Mon Nov 11 17:38:47 UTC 2013

	Thanks to everyone who sent suggestions.

	I have the bit pretty-well between my teeth now, so have enough
	helpful information for now.

On 11 Nov 2013, at 13:27, Jean-Francois.TremblayING at wrote:

> DHCP fingerprinting based on DHCPv4 options, both their presence 
> and their order, proved to be surprisingly effective and much 
> less intrusive than scanning. 


	Setting up a scanning infrastructure with spanned ports and
	boxes to listen on them isn't trivial on our network, even if
	some of the boxes could be virtual ones.

> For example, XP SP3 seems to always request these options, in 
> exactly this order: 1,15,3,6,44,46,47,31,33,249,43

On 11 Nov 2013, at 14:54, A.L.M.Buxey at wrote:

> check out - PacketFence NAC system also
> uses these. we started using these fingerprints way back when it was a Finnish
> project IIRC.

	I'll have some fun (?) cross-checking that against what I'm
	seeing.  I've decided to log some useful DHCP fields and options
	wvt offline analysis, rather than setting lease variables.  My
	current configuration fragment is shown below.  I prefer this to
	growing a subclass list, as it lets me gather new fingerprints
	rather than just known ones.

    # Log the client MAC plus, when present, the parameter request list (rqpl),
    # requested lease time (rqlt) and vendor class identifier (vcid).
    on commit {
      log (info, concat (
        concat(" from ", binary-to-ascii(16, 8, ":", substring(hardware, 1, 16))),
        pick-first-value(concat(" rqpl ", binary-to-ascii(10, 8, ",",
          option dhcp-parameter-request-list)), ""),
        pick-first-value(concat(" rqlt ", binary-to-ascii(10, 32, "",
          option dhcp-lease-time)), ""),
        pick-first-value(concat(" vcid ", option vendor-class-identifier), ""),
        "" ));
    }

	Thanks and best regards,
	Niall O'Reilly
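
An offline pass over the log lines this fragment produces, as an added example that is not part of the original message: it parses the " from … rqpl … rqlt … vcid …" fields and separates clients whose request list matches the XP SP3 order quoted in the thread from every other list seen. The syslog prefix, function names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Option order quoted in the thread for XP SP3.
XP_SP3_RQPL = "1,15,3,6,44,46,47,31,33,249,43"

# Fields in the order the "on commit" fragment emits them. rqpl, rqlt and
# vcid are each optional; vcid runs to end of line because it may hold spaces.
LINE_RE = re.compile(
    r" from (?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2})*)"
    r"(?: rqpl (?P<rqpl>\d+(?:,\d+)*))?"
    r"(?: rqlt (?P<rqlt>\d+))?"
    r"(?: vcid (?P<vcid>.*))?$"
)

def parse_line(line):
    """Return a dict of mac/rqpl/rqlt/vcid, or None for unrelated log lines."""
    m = LINE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # binary-to-ascii(16, 8, ...) drops leading zeros; pad each octet.
    rec["mac"] = ":".join(o.zfill(2) for o in rec["mac"].split(":"))
    return rec

def summarise(lines):
    """Return (MACs whose list matches XP SP3, Counter of all other lists)."""
    xp, others = set(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rqpl"] is None:
            continue
        if rec["rqpl"] == XP_SP3_RQPL:
            xp.add(rec["mac"])
        else:
            others[rec["rqpl"]] += 1  # new fingerprints to review later
    return xp, others

# Constructed sample lines (hostname, MACs and the second request list are made up).
SAMPLE_LOG = [
    "Nov 11 17:30:01 gw dhcpd:  from 0:1e:c9:a:b:c rqpl 1,15,3,6,44,46,47,31,33,249,43 vcid MSFT 5.0",
    "Nov 11 17:30:07 gw dhcpd:  from 0:16:cb:1:2:3 rqpl 1,3,6,15,119,252 rqlt 7776000",
    "Nov 11 17:30:09 gw dhcpd:  from 8:0:27:aa:bb:cc",
    "Nov 11 17:30:12 gw dhcpd: DHCPREQUEST for 192.0.2.10 from 00:1e:c9:0a:0b:0c via eth0",
]

if __name__ == "__main__":
    xp_macs, other_lists = summarise(SAMPLE_LOG)
    print("XP SP3 candidates:", sorted(xp_macs))
    print("other request lists:", other_lists.most_common())
```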
