How does client fingerprinting work?
Question
How does client fingerprinting happen?
Troubleshooting Steps
When troubleshooting a client fingerprinting issue, it is important to get a packet capture of the client in question as it boots up or connects and goes through the DHCP process.
The easy way to do this is to put the AP that the client is connected to into packet capture mode, set the capture to streaming mode, and use the remote packet capture option in Wireshark to capture traffic on the BR0 interface.
Resolution
What is client fingerprinting?
Client fingerprinting is a feature available from firmware 9.4. It is a technique used by ZoneDirector that attempts to identify client devices by their operating system, device type and host name, if available. This makes identifying client devices easier in the Dashboard, Client Monitor and Client Details screens as shown below.
How does client fingerprinting happen?
The ZoneDirector captures the client's OS when the client sends a DHCP request through the access points. Client fingerprinting can be enabled by selecting it in the advanced WLAN options.
How is the OS information captured?
The AP records the OS information from the client by capturing the DHCP request packet. The OS information is found in DHCP Option 60, if present, and in the parameter order list in Option 55. Some DHCP requests will have DHCP Option 60 and some will not, but all will have Option 55.
If DHCP Option 60 is present, we use that information along with the parameter list in Option 55 to identify the OS type.
A closer look into the DHCP packet reveals the following:
Packet capture of a DHCP request; the client used in this capture is Windows XP:
This capture shows Option 60: Vendor class identifier = "MSFT 5.0"
Option 55 Parameter order: 1,15,3,6,44,46,47,31,33,249,43
If Option 55 had the following parameter order instead: 1,15,3,6,44,46,47,31,33,43 (note that parameter 249 is not present), this client would have been identified as "Windows 2000".
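The matching described above can be reproduced offline against the options field of a captured DHCP request. The following is an added example, not ZoneDirector code: the function names and the sample bytes are constructed, and the signature table holds only the two fingerprints given in this article.

```python
# Added example. The two signatures are the ones quoted in the article;
# function names and sample packets are constructed for illustration.
SIGNATURES = {
    ("MSFT 5.0", (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43)): "Windows XP",
    ("MSFT 5.0", (1, 15, 3, 6, 44, 46, 47, 31, 33, 43)): "Windows 2000",
}

def parse_dhcp_options(data: bytes) -> dict:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:              # End option: stop parsing
            break
        if code == 0:                # Pad option: single byte, no length
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts

def fingerprint(data: bytes) -> str:
    """Match Option 60 (vendor class) plus the exact order of Option 55."""
    opts = parse_dhcp_options(data)
    if 55 not in opts:
        return "unknown"
    vendor = opts.get(60, b"").decode("ascii", "replace")
    return SIGNATURES.get((vendor, tuple(opts[55])), "unknown")

def build_options(vendor: str, order: list) -> bytes:
    """Constructed sample: Option 53 (DHCP Request), 60, 55, then End."""
    v = vendor.encode("ascii")
    return (bytes([53, 1, 3]) + bytes([60, len(v)]) + v
            + bytes([55, len(order)]) + bytes(order) + b"\xff")

XP = build_options("MSFT 5.0", [1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43])
W2K = build_options("MSFT 5.0", [1, 15, 3, 6, 44, 46, 47, 31, 33, 43])

if __name__ == "__main__":
    print(fingerprint(XP), "/", fingerprint(W2K))
```

Both options are supplied by the client itself, so the result is useful for inventory and troubleshooting but is not an authenticated statement of what the device is.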
November 17, 2016 01:44 PM