YAFDHCP(1)                   Yet Another Flowmeter                   YAFDHCP(1)

NAME
yaf dhcp fingerprinting
DESCRIPTION
There are several ways to perform Operating System Identification. Many
tools, based on the well-known p0f tool, look at characteristics in the
TCP/IP packet headers. DHCP fingerprinting is another way of performing
OS identification. By looking at the order of the DHCP options in the
DHCP requests from the Operating System's DHCP client, it may be
possible to identify the client's OS version. The yaf DHCP
fingerprinting plugin does exactly that. For flows that yaf has
labeled as DHCP, yaf will export the DHCP options, if available, from
the payload captured for that flow. yaf specifically exports the
parameter list in Option 55. Option 55 requests a list of parameters.
The order in which they are requested can usually identify the OS of
the requesting IP address.
yaf also exports the DHCP Vendor Class Identifier, if available. The
Vendor Class ID is included in DHCP Option 60 and often provides
specific information about the hardware of the sender. The Vendor ID
can often assist in identifying an OS. yaf does not match an OS based
on the vendor ID, it simply exports the information if it is available.
Fingerbank (www.fingerbank.org) is the official website for DHCP
fingerprints. Previously, Fingerbank distributed a
dhcp_fingerprints.conf file that contained the list of options that
correspond to each OS. They now distribute the list of fingerprints in
the form of an SQLite database or you can query the fingerprints online
or through their free public API. Because of this change, yaf now exports
the list of DHCP options and the vendor code (if available) instead of
comparing them against the fingerprint configuration file. However, yaf
still distributes an older version of dhcp_fingerprints.conf, and it can
be used if it is provided on the command line or through the
configuration file to the "--plugin-conf" option. yaf can parse any INI
config file that follows the format of the dhcp_fingerprints.conf file.
This feature is presently experimental and the DHCP data is not
collected by the SiLK tools. Use an IPFIX mediator, such as
super_mediator(1), to collect and view the DHCP fields exported by yaf.
yaf must be configured for application labeling and plugin support to
use this plugin.
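As an added example (not part of yaf or of this man page), the following Python walks the options field of a constructed DHCP message, pulls out the two fields the plugin exports (the Option 55 parameter list, order preserved, and the Option 60 vendor class), and does an order-sensitive lookup against a stand-in table. The table entries are constructed, not Fingerbank data, and the snippet does not reproduce the dhcp_fingerprints.conf syntax.

```python
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field

def build_sample_dhcp() -> bytes:
    """Constructed DHCPDISCOVER (UDP payload), not a real capture: 236-byte BOOTP
    header (op=1, htype=1, hlen=6, rest zeroed), magic cookie, then options."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232
    options = (
        b"\x35\x01\x01"                           # option 53: DHCPDISCOVER
        b"\x37\x07\x01\x03\x06\x0f\x1f\x21\x2b"   # option 55: params 1,3,6,15,31,33,43
        b"\x3c\x08MSFT 5.0"                       # option 60: vendor class id (sample)
        b"\xff"                                   # option 255: END
    )
    return header + MAGIC_COOKIE + options

def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {code: value}; PAD (0) skipped, END (255) stops, bad lengths raise."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:              # length runs past the buffer
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def extract_fingerprint(payload: bytes) -> Tuple[List[int], Optional[str]]:
    """Option 55 list (order preserved) and Option 60 text, the fields yaf exports."""
    opts = parse_dhcp_options(payload)
    vendor = opts.get(60)
    return list(opts.get(55, b"")), vendor.decode("ascii", "replace") if vendor else None

# Stand-in fingerprint table: constructed entries, not Fingerbank data and not the
# dhcp_fingerprints.conf syntax. Key = option-55 order, value = OS description.
# The lookup is exact and order-sensitive: a reordered list is a different fingerprint.
FINGERPRINTS = {"1,3,6,15,31,33,43": "Example OS A (constructed)",
                "1,15,3,6,44,46,47,31,33,249,43": "Example OS B (constructed)"}

def match_fingerprint(params: List[int]) -> Optional[str]:
    return FINGERPRINTS.get(",".join(str(p) for p in params))
```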
DHCP Template Format
yaf's output consists of an IPFIX message stream. yaf uses a variety
of templates for IPFIX data records. yaf uses a subTemplateMultiList
to export optional information elements, such as Deep Packet Inspection
and p0f fields, related to the flow. Below is the format of the DHCP
fingerprinting record that is exported when Option 55 or a vendor class
ID (Option 60) is present in the packet.
dhcpOption CERT (PEN 6871) IE 297, 1 octet, unsigned, basicList
The list of requested parameters found in DHCP Option 55.
dhcpVendorCode CERT (PEN 6871) IE 243, variable length
The DHCP vendor class ID found in Option 60 of the DHCP packet. This
field may help further identify the operating system of the sender.
dhcpOption CERT (PEN 6871) IE 297, 1 octet, unsigned, basicList
The list of requested parameters found in DHCP Option 55 for the
reverse flow. This will only be exported if the
reversePacketTotalCount field is greater than 0 and Option 55 or
Option 60 is present.
reverseDhcpVendorCode CERT (PEN 6871) IE 16899, variable length
The DHCP vendor class ID for the reverse flow. This will only be
exported if the reversePacketTotalCount field is greater than 0 and
either Option 55 or Option 60 is present.
If a fingerprinting configuration file is provided to "--plugin-conf",
then yaf(1) will export the following fields:
dhcpFingerPrint CERT (PEN 6871) IE 242, variable length
The DHCP fingerprint as matched from the dhcp_fingerprints.conf file.
This will be the description of the OS as found in the conf file.
dhcpVendorCode CERT (PEN 6871) IE 243, variable length
The DHCP vendor class ID found in Option 60 of the DHCP packet. This
field may help further identify the operating system of the sender.
reverseDhcpFingerPrint CERT (PEN 6871) IE 16898, variable length
The DHCP fingerprint for the reverse flow. This will only be
exported if the reversePacketTotalCount field is greater than 0.
reverseDhcpVendorCode CERT (PEN 6871) IE 16899, variable length
The DHCP vendor class ID for the reverse flow. This will only be
exported if the reversePacketTotalCount field is greater than 0.
Examples
Running YAF with DHCP fingerprinting:

    yaf --in eth0 --out /data/yaf/yaf --rotate 120 \
        --plugin-name=/usr/local/lib/yaf/dhcp_fp_plugin.la --applabel \
        --max-payload=500 --live pcap

Running YAF with DPI and DHCP fingerprinting:

    yaf --in eth0 --out localhost --ipfix tcp --ipfix-port=18000 \
        --plugin-name=/usr/local/lib/yaf/dpacketplugin.la,/usr/local/lib/yaf/dhcp_fp_plugin.la \
        --applabel --max-payload=1024 --live pcap

Running YAF with DHCP fingerprinting and a fingerprint configuration
file:

    yaf --in eth0 --out /data/yaf/yaf --rotate 120 \
        --plugin-name=/usr/local/lib/yaf/dhcp_fp_plugin.la --applabel \
        --max-payload=500 --live pcap \
        --plugin-conf=/usr/local/etc/dhcp_fingerprints.conf
AUTHORS
CERT Network Situational Awareness Group Engineering Team,
http://www.cert.org/netsa
SEE ALSO
yaf(1), yafscii(1), yafdpi(1), applabel(1), super_mediator(1)

2.8.0                            19-Feb-2016                         YAFDHCP(1)