Os Fingerprinting And Nat Detection - Cisco SCE 8000 10GBE Software Configuration Manual

OS Fingerprinting and NAT Detection

OS fingerprinting is the process of determining the identity of a remote host operating system by
analyzing packets from that host. It detects the operating system used by the subscriber and whether the
subscriber is present in a NAT environment by analyzing subscriber traffic. NAT detection is based on
whether the same subscriber is connecting using multiple operating systems.
An encrypted fingerprint file that has the list of OS signatures is packaged with each SCOS release.
Signature files are updated as needed, and the updated signature files are available on cisco.com.
The detected OS type is reported using the following mechanisms:
• RDRs—The subscriber OS type is reported in the Real-time Subscriber Usage RDR (SUR). These RDRs can be stored by the CM and interpreted using Insight.
• CLI—The subscriber OS type is available through OS fingerprinting and party info commands.
• VSA—Over mobile interfaces, the OS type is sent as a VSA in CCR-U over Gx.
• SCA BB Console—The OS type is available through an API that displays the OS type on the SCA BB console as part of the status of a subscriber.

Restrictions and Limitations
Due to the nature of the Cisco SCE platform, there are certain limitations to the scope of the OS
fingerprinting and NAT detection feature:
• OS information is available only for logged-in and active subscribers.
• OS fingerprinting is not done continuously for any subscriber. If a subscriber changes OS or moves to a NAT environment during the time when they are not sampled, the OS type or NAT environment cannot be detected.
• OS fingerprinting depends mainly on the parameters in the TCP-SYN packets. The signature database is built based on the default settings used by various operating systems. If the subscriber changes default parameters, such as TCP window size, through registries, it may lead to misclassification of the OS.
• The OS type will not be detected in any of the following situations:
  - If the subscriber connects to the internet using an HTTP proxy, or if there is a proxy or gateway that changes L3/L4 packets of the subscriber.
  - If the subscriber has only one flow.
  - If the subscriber has only UDP flows.
• In case of multiple IP or IP range subscribers, OS fingerprinting is done only for a limited number of IP addresses (default is 5).
• NAT detection is based on whether the same subscriber is connecting using multiple operating systems. Therefore, if all the users behind a NAT use the same OS, it is not possible to detect the NAT.
• When a subscriber runs multiple operating systems using VMware, it may be detected as a NAT even though the subscriber is not in a NAT environment.
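
The Python sketch below is an added example, not code from Cisco or from this guide. It models the behaviour described above: SYN parameters are matched against a signature table, and NAT is inferred when one subscriber shows more than one OS. The signature values, the `min_flows` threshold, the function names and the sample flows are all constructed assumptions.

```python
from collections import defaultdict

# Constructed, illustrative signatures: (initial TTL, window, TCP option order).
# These are NOT the contents of the encrypted SCOS signature file.
WIN_OPTS, LNX_OPTS = "mss,nop,ws,nop,nop,sok", "mss,sok,ts,nop,ws"
SIGNATURES = {
    (128, 8192, WIN_OPTS): "Windows",
    (128, 65535, WIN_OPTS): "Windows",
    (64, 29200, LNX_OPTS): "Linux",
}

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)

def classify(flow):
    """OS label for the first packet of a flow; None if it is not a TCP SYN."""
    sub, proto, ttl, window, options = flow
    if proto != "tcp":
        return None  # UDP flows carry no SYN parameters to match
    return SIGNATURES.get((initial_ttl(ttl), window, options), "unknown")

def assess(flows, min_flows=2):
    """Map each subscriber to (detected OS labels, NAT suspected)."""
    tcp_flows, seen = defaultdict(int), defaultdict(set)
    for flow in flows:
        label = classify(flow)
        tcp_flows[flow[0]] += label is not None  # count TCP flows only
        if label not in (None, "unknown"):
            seen[flow[0]].add(label)
    return {
        sub: (sorted(seen[sub]), len(seen[sub]) > 1) if n >= min_flows else ([], False)
        for sub, n in tcp_flows.items()
    }

# Constructed sample: (subscriber, protocol, observed TTL, window, options).
SAMPLE = [
    ("sub-a", "tcp", 127, 8192, WIN_OPTS), ("sub-a", "tcp", 127, 65535, WIN_OPTS),
    ("sub-b", "tcp", 126, 8192, WIN_OPTS), ("sub-b", "tcp", 62, 29200, LNX_OPTS),
    ("sub-c", "tcp", 63, 29200, LNX_OPTS),  # only one flow: nothing reported
    ("sub-d", "udp", 63, None, None), ("sub-d", "udp", 63, None, None),
    ("sub-e", "tcp", 62, 29200, LNX_OPTS), ("sub-e", "tcp", 62, 29200, LNX_OPTS),
    ("sub-f", "tcp", 127, 16384, WIN_OPTS), ("sub-f", "tcp", 127, 16384, WIN_OPTS),
]

if __name__ == "__main__":
    for sub, (labels, nat) in sorted(assess(SAMPLE).items()):
        print(sub, labels or "not detected", "NAT suspected" if nat else "")
```

In the sample, sub-b is flagged whether it is a NAT or one host running virtual machines, sub-e stands for two same-OS hosts behind a NAT and is not flagged, and sub-f uses a non-default window size that matches no signature.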
Chapter 6
Global Configuration
OL-30621-02
