I'm building an application on top of the meraki scanning api and I was wondering how does meraki detect the OS. Specifically, I'm interested in learning what the limitations of this label might be.
For instance, does meraki requires that a client is connected in order to detect it's os? or can the OS be detected even without connection? If that is the case, in which cases can the OS be detected and in which doesn't?
Solved! Go to Solution.
I did a quick scan of some data from the Scanning API in a couple of environments. I only see a value for OS when the device is connected to the network.
I've never seen details from Meraki on how they identify the OS. I would guess that they are using fingerprints of certain network traffic, similar to remote OS detection in nmap. Meraki appears to keep its own database when people flag the device type as inaccurate in Meraki Dashboard.
If this guess is accurate, a device would have to associate to the network prior to OS detection. The results of OS detection may be inaccurate, especially when new devices, drivers, and OS versions are released.
There's a decent chance that similar technology is used for detecting rouge access points on the LAN.
we do see observations of devices that are not connected that do have an OS, and I was wondering if this is because they connected at some point in the past to the network before. Do you think meraki uses data across all networks to sync that?
let's say I there is a meraki installation on the building A, owned by company AA. Joe is an employee, and is connected to the network.
One day, Joe goes to a client on building B, occupied by company BB, which operates their own meraki installation. Will the Scanning API of company BB show the OS data for Joe's phone and laptop, even if he never ever connected to company BB's network?
Your idea that Meraki keeps the OS information when a device previously connected to the network sounds reasonable.
I doubt that Meraki would make that information available across organizations, but there's no way to know for sure without either testing yourself or getting Meraki to tell you.
according to this article, the OS fingerprinting happens via DHCP, so I assume that only clients that connect to the network will be eligible for this feature. However, we see observations of clients that did not connect to the network (since we enabled Scanning API) and have OS information. I'm wondering how this can be possible.
I'm still trying to understand and debug how this works. Here is something I found in my data that I can't understand:
Here is a log of the data for one specific client. The ipv4_id and ipv6_id are NULL if the client didnt connect, and have something if it did connect.
Everything is fine until 2019-02-20 end of day, where the device left the building at 13:54 UTC. Until then, all observations have a valid OS, independently if the device connected or not.
Next day, however, the device never didnt had OS for the next events, even if it sometimes connected to the network! How is this possible? Do we manually need to keep track of client's OS entries?
Edit: here is a graph for that client of OS over time (os=4 means for us iOS)
Edit: For another windows device, the data looks like this: