How does meraki detect the OS of a device for the scanning api?

Solved
olmo
Here to help

Hi,

I'm building an application on top of the Meraki Scanning API and I was wondering how Meraki detects the OS. Specifically, I'm interested in learning what the limitations of this label might be.

For instance, does Meraki require that a client is connected in order to detect its OS? Or can the OS be detected even without a connection? If so, in which cases can the OS be detected and in which can't it?

Thanks,

olmo

1 Accepted Solution
PhilipDAth
Kind of a big deal

It can't be.  They must have connected at some point in the past.

7 Replies
HodyCrouch
Building a reputation

I did a quick scan of some data from the Scanning API in a couple of environments.  I only see a value for OS when the device is connected to the network.

I've never seen details from Meraki on how they identify the OS.  I would guess that they are using fingerprints of certain network traffic, similar to remote OS detection in nmap.  Meraki appears to keep its own database when people flag the device type as inaccurate in Meraki Dashboard.

If this guess is accurate, a device would have to associate to the network prior to OS detection.  The results of OS detection may be inaccurate, especially when new devices, drivers, and OS versions are released.

There's a decent chance that similar technology is used for detecting rogue access points on the LAN.

olmo
Here to help

Thanks,

We do see observations of devices that are not connected that do have an OS, and I was wondering if this is because they connected to the network at some point in the past. Do you think Meraki uses data across all networks to sync that?

Let's say there is a Meraki installation in building A, owned by company AA. Joe is an employee, and is connected to the network.

One day, Joe goes to a client in building B, occupied by company BB, which operates their own Meraki installation. Will the Scanning API of company BB show the OS data for Joe's phone and laptop, even if he never connected to company BB's network?

olmo

HodyCrouch
Building a reputation

Your idea that Meraki keeps the OS information when a device previously connected to the network sounds reasonable.

 

I doubt that Meraki would make that information available across organizations, but there's no way to know for sure without either testing yourself or getting Meraki to tell you.

olmo
Here to help

Thanks,

According to this article, the OS fingerprinting happens via DHCP, so I assume that only clients that connect to the network will be eligible for this feature. However, we see observations of clients that did not connect to the network (since we enabled the Scanning API) and have OS information. I'm wondering how this can be possible.
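Since the post above says the OS label comes from DHCP fingerprinting, the example below (added here; it is not Meraki's code and says nothing about how Meraki's fingerprint database is built) walks the options field of a DHCP message, extracts the Parameter Request List (option 55) and Vendor Class Identifier (option 60), and looks the option-55 order up in a signature table. The table entries and the `build_sample_discover` helper are constructed for illustration; the OS names in it are placeholders, not real signatures. The point it illustrates is the one the thread is circling: the fingerprint only exists if the client actually sends a DHCP request, so a device that merely probes for Wi-Fi without associating never produces one.

```python
# Added example: DHCP option parsing with an illustrative option-55 fingerprint lookup.
# Signature table below is constructed for this example and is NOT a real fingerprint DB.

DHCP_FIXED_HEADER_LEN = 236           # op..file fields of a BOOTP/DHCP message (RFC 2131)
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # marks the start of the options field

OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS_ID = 60


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for the options in a DHCP message body.

    Raises ValueError on a missing magic cookie or a truncated option, so a
    malformed packet is rejected rather than silently fingerprinted.
    """
    cookie_end = DHCP_FIXED_HEADER_LEN + len(MAGIC_COOKIE)
    if len(payload) < cookie_end or payload[DHCP_FIXED_HEADER_LEN:cookie_end] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options = {}
    i = cookie_end
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end marker, ignore anything after it
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


# Constructed signatures: the ordered option-55 list a client asks for is the
# usual fingerprint key. Names are placeholders, not claims about any real OS.
FINGERPRINTS = {
    (1, 3, 6, 15, 119, 252): "example-os-A",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "example-os-B",
}


def fingerprint_os(payload: bytes) -> str:
    """Map a DHCP message to an OS label from FINGERPRINTS, or 'unknown'."""
    options = parse_dhcp_options(payload)
    prl = tuple(options.get(OPT_PARAM_REQUEST_LIST, b""))
    return FINGERPRINTS.get(prl, "unknown")


def vendor_class(payload: bytes) -> str:
    """Return option 60 as text (a second, coarser fingerprint signal)."""
    return parse_dhcp_options(payload).get(OPT_VENDOR_CLASS_ID, b"").decode("ascii", "replace")


def build_sample_discover(prl, vendor=b"") -> bytes:
    """Constructed DHCPDISCOVER with the given option-55 list (sample input only)."""
    body = bytearray(DHCP_FIXED_HEADER_LEN)
    body[0], body[1], body[2] = 1, 1, 6      # op=BOOTREQUEST, htype=Ethernet, hlen=6
    body += MAGIC_COOKIE
    body += bytes([OPT_MESSAGE_TYPE, 1, 1])  # DHCPDISCOVER
    body += bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + bytes(prl)
    if vendor:
        body += bytes([OPT_VENDOR_CLASS_ID, len(vendor)]) + vendor
    body += bytes([OPT_END])
    return bytes(body)


if __name__ == "__main__":
    pkt = build_sample_discover((1, 3, 6, 15, 119, 252), b"example-vendor")
    print(fingerprint_os(pkt), vendor_class(pkt))
```

A client that only sends 802.11 probe requests never reaches this code path, which matches the behaviour the posters report: no DHCP exchange, no OS label. Anything stored against a client MAC from an earlier session is a separate bookkeeping decision, not part of the fingerprint itself.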

olmo
Here to help

Hi,

I'm still trying to understand and debug how this works. Here is something I found in my data that I can't understand:

Here is a log of the data for one specific client. The ipv4_id and ipv6_id are NULL if the client didn't connect, and have a value if it did connect.

seen_time                   os    manufacturer  ipv4_id  ipv6_id
2019-02-20 13:53:24.000000  iOS   Apple         11122    NULL
2019-02-20 13:53:37.000000  iOS   Apple         NULL     NULL
2019-02-20 13:54:24.000000  iOS   Apple         NULL     NULL
2019-02-20 13:54:25.000000  iOS   Apple         NULL     NULL
2019-02-20 13:54:29.000000  iOS   Apple         11122    NULL
2019-02-20 13:54:36.000000  iOS   Apple         11122    NULL
2019-02-21 06:35:25.000000  NULL  Apple         NULL     NULL
2019-02-21 06:36:18.000000  NULL  Apple         NULL     NULL
2019-02-21 06:36:18.000000  NULL  Apple         NULL     NULL
2019-02-21 06:36:19.000000  NULL  Apple         NULL     NULL
2019-02-21 06:36:19.000000  NULL  Apple         NULL     NULL
2019-02-21 06:36:19.000000  NULL  Apple         11122    NULL
2019-02-21 06:36:19.000000  NULL  Apple         NULL     NULL
2019-02-21 06:37:19.000000  NULL  Apple         NULL     NULL
2019-02-21 06:37:28.000000  NULL  Apple         NULL     NULL
2019-02-21 06:37:50.000000  NULL  Apple         11122    NULL
2019-02-21 06:38:49.000000  NULL  Apple         11122    NULL


Everything is fine until the end of the day on 2019-02-20, when the device left the building at 13:54 UTC. Until then, all observations have a valid OS, regardless of whether the device connected or not.

The next day, however, the device never had an OS for the following events, even though it sometimes connected to the network! How is this possible? Do we manually need to keep track of clients' OS entries?

Edit: here is a graph for that client of OS over time (os=4 means iOS for us)

client_os_graph.png

Edit: for another Windows device, the data looks like this:

client_os.png
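The post above asks whether the consumer of the Scanning API has to track each client's OS itself when later observations arrive with os NULL. One way to do that on the consumer side, written here as an added example rather than anything Meraki provides: keep the last OS each client MAC reported and carry it forward into later observations that lack one, while separately flagging the case the poster finds odd (a connected observation with no OS for a client that had one before), so the gap is visible instead of silently papered over. The `Observation` record, the field names and the sample rows are constructed to mirror the table in the post; the MAC address is a placeholder.

```python
# Added example: consumer-side last-known-OS bookkeeping for Scanning API observations.
# Record shape and sample rows are constructed to mirror the poster's table.
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Observation:
    client_mac: str
    seen_time: datetime
    os: Optional[str]
    manufacturer: Optional[str]
    ipv4_id: Optional[int]
    ipv6_id: Optional[int]

    @property
    def connected(self) -> bool:
        # The poster's rule: NULL ipv4_id and ipv6_id means the client did not connect.
        return self.ipv4_id is not None or self.ipv6_id is not None


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


MAC = "aa:bb:cc:00:00:01"   # placeholder client identifier
# Constructed sample: a subset of the rows from the post, same pattern.
SAMPLE = [
    Observation(MAC, _ts("2019-02-20 13:53:24"), "iOS", "Apple", 11122, None),
    Observation(MAC, _ts("2019-02-20 13:53:37"), "iOS", "Apple", None, None),
    Observation(MAC, _ts("2019-02-20 13:54:29"), "iOS", "Apple", 11122, None),
    Observation(MAC, _ts("2019-02-21 06:35:25"), None, "Apple", None, None),
    Observation(MAC, _ts("2019-02-21 06:36:19"), None, "Apple", 11122, None),
    Observation(MAC, _ts("2019-02-21 06:38:49"), None, "Apple", 11122, None),
]


def _ordered(observations):
    # Process each client's rows in time order regardless of API delivery order.
    return sorted(observations, key=lambda o: (o.client_mac, o.seen_time))


def carry_forward_os(observations):
    """Return copies of the observations with a missing OS filled from the
    client's most recent earlier observation that had one. An OS that was
    never observed for a client stays None."""
    last_os = {}
    filled = []
    for obs in _ordered(observations):
        if obs.os is not None:
            last_os[obs.client_mac] = obs.os
            filled.append(obs)
        else:
            filled.append(replace(obs, os=last_os.get(obs.client_mac)))
    return filled


def unexplained_os_gaps(observations):
    """Observations where the client is connected, reports no OS, and had
    reported an OS earlier: the situation the poster could not explain.
    Unconnected rows are excluded because no OS is expected for them."""
    known = set()
    gaps = []
    for obs in _ordered(observations):
        if obs.os is not None:
            known.add(obs.client_mac)
        elif obs.connected and obs.client_mac in known:
            gaps.append(obs)
    return gaps


if __name__ == "__main__":
    for row in carry_forward_os(SAMPLE):
        print(row.seen_time, row.os, "connected" if row.connected else "probe only")
    print(len(unexplained_os_gaps(SAMPLE)), "connected observations lost their OS label")
```

Carrying the label forward makes the application's view stable, but the gap list is the part worth keeping: if connected observations regularly arrive without an OS the client previously reported, that is a data-quality signal to raise with the vendor rather than something to hide in the consumer.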
