YAFDHCP(1)		     Yet Another Flowmeter		    YAFDHCP(1)

NAME
       yaf dhcp fingerprinting

DESCRIPTION
       There are several ways to perform Operating System Identification. Many
       tools, based on the well-known p0f tool, look at characteristics in the
       TCP/IP packet headers. DHCP fingerprinting is another way of performing
       OS identification. By looking at the order of the DHCP options in the
       DHCP requests from the Operating System's DHCP client, it may be
       possible to identify the client's OS version.  The yaf DHCP
       fingerprinting plugin does exactly that.  For flows that yaf has
       labeled as DHCP, yaf will export the DHCP options, if available, from
       the payload captured for that flow.  yaf specifically exports the
       parameter list in Option 55.  Option 55 requests a list of parameters.
       The order in which they are requested can usually identify the OS of
       the requesting IP address.

       yaf also exports the DHCP Vendor Class Identifier, if available.  The
       Vendor Class ID is included in DHCP Option 60 and often provides
       specific information about the hardware of the sender.  The Vendor ID
       can often assist in identifying an OS.  yaf does not match an OS based
       on the vendor ID; it simply exports the information if it is available.

       Fingerbank (www.fingerbank.org) is the official website for DHCP
       fingerprints.  Previously, Fingerbank distributed a
       dhcp_fingerprints.conf file that contained the list of options that
       correspond to each OS. They now distribute the list of fingerprints in
       the form of an SQLite database, or you can query the fingerprints online
       or through their free public API. Due to this change, yaf now exports
       the list of DHCP options and the vendor code (if available) instead of
       comparing to the fingerprint configuration file.  However, yaf still
       distributes an older version of the dhcp_fingerprints.conf and it can
       be used if it is provided on the command line or through the
       configuration file to the "--plugin-conf" option.  yaf will be able to
       parse any INI config file that follows the format of the
       dhcp_fingerprints.conf file.

       This feature is presently experimental and the DHCP data is not
       collected by the SiLK tools.  Use an IPFIX mediator, such as
       super_mediator(1), to collect and view the DHCP fields exported by yaf.
       yaf must be configured for application labeling and plugin support to
       use this plugin.

DHCP Template Format
       yaf's output consists of an IPFIX message stream.  yaf uses a variety
       of templates for IPFIX data records.  yaf uses a subTemplateMultiList
       to export optional information elements, such as Deep Packet Inspection
       and p0f fields, related to the flow.  Below is the format of the DHCP
       fingerprinting record that will be exported if Option 55 is present or
       a vendor class ID (Option 60) was present in the packet.

       dhcpOption CERT (PEN 6871) IE 297, 1 octet, unsigned, basicList
	 The list of requested parameters found in DHCP Option 55.

       dhcpVendorCode CERT (PEN 6871) IE 243, variable length
	 The DHCP vendor class ID found in Option 60 of the DHCP packet.  This
	 field may help further identify the operating system of the sender.

       dhcpOption CERT (PEN 6871) IE 297, 1 octet, unsigned, basicList
	 The list of requested parameters found in DHCP Option 55 for the
	 reverse flow.  This will only be exported if the
	 reversePacketTotalCount field is greater than 0 and Option 55 or
	 Option 60 is present.

       reverseDhcpVendorCode CERT (PEN 6871) IE 16899, variable length
	 The DHCP vendor class ID for the reverse flow.  This will only be
	 exported if the reversePacketTotalCount field is greater than 0 and
	 either Option 55 or Option 60 is present.

       If a fingerprinting configuration file is provided to "--plugin-conf",
       then yaf(1) will export the following fields:

       dhcpFingerPrint CERT (PEN 6871) IE 242, variable length
	 The DHCP fingerprint as matched from the dhcp_fingerprints.conf file.
	 This will be the description of the OS as found in the conf file.

       dhcpVendorCode CERT (PEN 6871) IE 243, variable length
	 The DHCP vendor class ID found in Option 60 of the DHCP packet.  This
	 field may help further identify the operating system of the sender.

       reverseDhcpFingerPrint CERT (PEN 6871) IE 16898, variable length
	 The DHCP fingerprint for the reverse flow.  This will only be
	 exported if the reversePacketTotalCount field is greater than 0.

       reverseDhcpVendorCode CERT (PEN 6871) IE 16899, variable length
	 The DHCP vendor class ID for the reverse flow.  This will only be
	 exported if the reversePacketTotalCount field is greater than 0.

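       The following is an added example, not part of yaf or of this manual
       page, that demonstrates the mechanics described in DESCRIPTION and in
       the template above: it parses the option area of a raw DHCP payload,
       extracts the Option 55 parameter request list in the order the client
       sent it, extracts the Option 60 vendor class identifier, looks the
       ordered list up in a fingerprint table, and assembles a record that
       follows the forward/reverse export rule (reverse fields only when a
       reverse payload carrying Option 55 or 60 exists).  The fingerprint
       table, the sample packets and the key name reverseDhcpOption are
       constructed assumptions; they are not Fingerbank data or yaf element
       names.

```python
"""Added example (not yaf code): DHCP Option 55 / Option 60 extraction and
ordered-option fingerprinting.  Sample packets and the lookup table are
constructed for illustration only."""
import struct
from typing import Dict, Optional, Sequence

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236            # op .. file fields, before the magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS = 53, 55, 60

# Constructed lookup table (illustrative, NOT Fingerbank data).
# key = Option 55 codes in request order, value = OS description.
CONSTRUCTED_FINGERPRINTS: Dict[str, str] = {
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "sample-os-A",
    "1,121,3,6,15,119,252": "sample-os-B",
}


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {code: value} for the options of one DHCP message.

    Skips PAD, stops at END, keeps the first occurrence of a repeated code
    and raises ValueError for a non-DHCP or truncated payload, so a short
    or malformed capture never yields a partial fingerprint.
    """
    if len(payload) < BOOTP_FIXED_LEN + len(MAGIC_COOKIE):
        raise ValueError("payload too short for a DHCP message")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts.setdefault(code, value)
        i += 2 + length
    return opts


def option55_fingerprint(payload: bytes) -> Optional[str]:
    """Option 55 codes in the order requested, rendered as 'a,b,c'."""
    prl = parse_dhcp_options(payload).get(OPT_PARAM_REQ_LIST)
    return ",".join(str(b) for b in prl) if prl else None


def vendor_class(payload: bytes) -> Optional[str]:
    """Option 60 vendor class identifier, if the sender included one."""
    vc = parse_dhcp_options(payload).get(OPT_VENDOR_CLASS)
    return vc.decode("ascii", "replace") if vc is not None else None


def identify_os(fingerprint: Optional[str],
                table: Dict[str, str] = CONSTRUCTED_FINGERPRINTS) -> Optional[str]:
    """Exact lookup of the ordered list: the same codes in another order
    are a different fingerprint, which is the point of the technique."""
    return table.get(fingerprint) if fingerprint else None


def dhcp_flow_record(forward: bytes, reverse: Optional[bytes] = None) -> Dict[str, object]:
    """Record shaped like the template above.  Reverse fields are emitted
    only when a reverse payload exists and carries Option 55 or Option 60.
    'reverseDhcpOption' is an assumed key name, not a yaf element name."""
    rec: Dict[str, object] = {
        "dhcpOption": list(parse_dhcp_options(forward).get(OPT_PARAM_REQ_LIST, b"")),
        "dhcpVendorCode": vendor_class(forward),
    }
    if reverse:
        ropts = parse_dhcp_options(reverse)
        if OPT_PARAM_REQ_LIST in ropts or OPT_VENDOR_CLASS in ropts:
            rec["reverseDhcpOption"] = list(ropts.get(OPT_PARAM_REQ_LIST, b""))
            rec["reverseDhcpVendorCode"] = vendor_class(reverse)
    return rec


def build_dhcp_message(msg_type: int, prl: Sequence[int] = (), vendor: bytes = b"") -> bytes:
    """Constructed test packet: minimal BOOTP header, magic cookie, options."""
    hdr = bytearray(BOOTP_FIXED_LEN)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6            # BOOTREQUEST, Ethernet, hlen
    struct.pack_into("!I", hdr, 4, 0x3903F326)  # transaction id (constructed)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if prl:
        opts += bytes([OPT_PARAM_REQ_LIST, len(prl)]) + bytes(prl)
    if vendor:
        opts += bytes([OPT_VENDOR_CLASS, len(vendor)]) + vendor
    return bytes(hdr) + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    discover = build_dhcp_message(1, [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252], b"MSFT 5.0")
    offer = build_dhcp_message(2)   # server reply without Option 55/60
    fp = option55_fingerprint(discover)
    print(fp, vendor_class(discover), identify_os(fp))
    print(dhcp_flow_record(discover, offer))
```

       Run on a real capture, the forward payload is the client's DISCOVER or
       REQUEST and the reverse payload the server's OFFER or ACK; because the
       server normally sends neither Option 55 nor Option 60, the reverse
       fields are usually absent, exactly as the template's export rule says.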
Examples
       Running YAF with DHCP fingerprinting:

       "yaf --in eth0 --out /data/yaf/yaf --rotate 120
       --plugin-name=/usr/local/lib/yaf/dhcp_fp_plugin.la --applabel
       --max-payload=500 --live pcap"

       Running YAF with DPI and DHCP fingerprinting:

       "yaf --in eth0 --out localhost --ipfix tcp --ipfix-port=18000
       --plugin-name=/usr/local/lib/yaf/dpacketplugin.la,/usr/local/lib/yaf/dhcp_fp_plugin.la
       --applabel --max-payload=1024 --live pcap"

       Running YAF with DHCP fingerprinting and a fingerprint configuration
       file:

       "yaf --in eth0 --out /data/yaf/yaf --rotate 120
       --plugin-name=/usr/local/lib/yaf/dhcp_fp_plugin.la --applabel
       --max-payload=500 --live pcap
       --plugin-conf=/usr/local/etc/dhcp_fingerprints.conf"

AUTHORS
       CERT Network Situational Awareness Group Engineering Team,
       http://www.cert.org/netsa

SEE ALSO
       yaf(1), yafscii(1), yafdpi(1), applabel(1), super_mediator(1)

2.11.0				  29-Aug-2020			    YAFDHCP(1)