9.10. DHCP Fingerprint

OpenNAC Enterprise uses its own dhcp-helper-reader service to receive DHCP requests and analyze their structure. These requests can arrive by broadcast or through a layer 3 device acting as a DHCP relay.

The dhcp-helper-reader service parses the fingerprint of the DHCP packet. This fingerprint is matched against the local database (/usr/share/opennac/utils/fingerprint/fingerprints.csv) and the device is profiled according to the match. The tag generated is the DFP (DHCP FINGERPRINT) tag.

When a known DHCP fingerprint is processed, all the DFP tags in the tree are added to it. For example, in an HP printer fingerprint the DFP_PRINTER and DFP_PRINTER_HP tags will be added.

Some fingerprints may not be found in the local OpenNAC Enterprise database, and therefore a device may not be profiled correctly. In this case, the packet has the field os_name with the value unregistered, and the tag DFP_ORPHAN_XXXXXXXX is generated for that device.

To check for this, search for IPMAC events in the file /var/log/opennac/opennac-job.log.

The structure of an IPMAC log entry is the following:

Jan 12 14:56:02 opennac-core opennac-job[3388]: 2021-01-12 14:56:02 INFO: [7668] [3388] IPMAC [14:56:02 20210112] <IP> => <MAC> : <OS>: <Hostname> : <FingerPrint>

The command to extract the information is the following:

zgrep IPMAC /var/log/opennac/opennac-job.log* | grep -E ":[[:space:]].+:.*$" | cut -d ">" -f2 | sort -u

Example output:

E214599FE5A1 : Generic_Android : OPPO-A72 : 1,3,6,15,26,28,51,58,59,43
E222E21F58AC :  : iPhone-de-Bob : 1,121,3,6,15,114,119,252

In the iPhone-de-Bob entry, the hostname is present but the operating system is not.

It is important to notify the OpenNAC Enterprise Technical Support Team when a new fingerprint is detected, so they can add it to the source code.
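The following is an added example, not part of OpenNAC Enterprise: a shell function that reads IPMAC log lines and lists each fingerprint seen without an operating system, with the number of distinct MACs and one hostname, ready to send to support. The function names, the sample log lines and the treatment of "unregistered" as a logged OS value are assumptions; the field order follows the structure shown above.

```shell
#!/bin/sh
# Added example (not OpenNAC code). Assumes the fields after "=>" are
# MAC : OS : Hostname : FingerPrint, as in the structure shown on this page.

# Constructed sample lines in the page's IPMAC format (not real log data).
sample_log() {
cat <<'EOF'
Jan 12 14:56:02 opennac-core opennac-job[3388]: 2021-01-12 14:56:02 INFO: [7668] [3388] IPMAC [14:56:02 20210112] 192.0.2.10 => E214599FE5A1 : Generic_Android : OPPO-A72 : 1,3,6,15,26,28,51,58,59,43
Jan 12 14:56:05 opennac-core opennac-job[3388]: 2021-01-12 14:56:05 INFO: [7668] [3388] IPMAC [14:56:05 20210112] 192.0.2.11 => E222E21F58AC :  : iPhone-de-Bob : 1,121,3,6,15,114,119,252
Jan 12 14:57:05 opennac-core opennac-job[3388]: 2021-01-12 14:57:05 INFO: [7668] [3388] IPMAC [14:57:05 20210112] 192.0.2.11 => E222E21F58AC :  : iPhone-de-Bob : 1,121,3,6,15,114,119,252
Jan 12 14:58:00 opennac-core opennac-job[3388]: 2021-01-12 14:58:00 INFO: [7668] [3388] IPMAC [14:58:00 20210112] 192.0.2.12 => E2AABBCCDD01 : unregistered : lab:host : 1,121,3,6,15,114,119,252
Jan 12 14:59:00 opennac-core opennac-job[3388]: 2021-01-12 14:59:00 INFO: [7668] [3388] IPMAC [14:59:00 20210112] 192.0.2.13 => E2AABBCCDD02 :  : kiosk : not-a-fingerprint
EOF
}

# Reads IPMAC log lines on stdin and prints, per unprofiled fingerprint:
#   <fingerprint> TAB <distinct MAC count> TAB <one hostname seen with it>
unprofiled_fingerprints() {
    awk '
    /IPMAC/ {
        pos = index($0, "=>")               # fields of interest follow "=>"
        if (pos == 0) next
        n = split(substr($0, pos + 2), f, ":")
        if (n < 4) next                     # truncated or malformed entry
        for (i = 1; i <= n; i++) gsub(/^[ \t]+|[ \t]+$/, "", f[i])
        mac = f[1]; os = f[2]; host = f[3]
        # The hostname is client-supplied and may contain ":", so take the
        # fingerprint from the last field and accept only a numeric list.
        fp = f[n]
        if (fp !~ /^[0-9]+(,[0-9]+)*$/) next
        # Keep entries with no OS; "unregistered" here is an assumption.
        if (os != "" && os != "unregistered") next
        if (!((fp, mac) in seen)) { seen[fp, mac] = 1; macs[fp]++ }
        if (host != "" && !(fp in example)) example[fp] = host
    }
    END {
        for (fp in macs)
            printf "%s\t%d\t%s\n", fp, macs[fp], (fp in example ? example[fp] : "-")
    }' | sort
}

# Usage against the real logs (rotated files included):
#   zcat -f /var/log/opennac/opennac-job.log* | unprofiled_fingerprints
```

On the constructed sample this reports one fingerprint, seen on two distinct MACs, with iPhone-de-Bob as the example hostname.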