How does Meraki detect the OS of a device for the Scanning API?
I'm building an application on top of the Meraki Scanning API and I was wondering how Meraki detects the OS. Specifically, I'm interested in learning what the limitations of this label might be.
For instance, does Meraki require that a client is connected in order to detect its OS? Or can the OS be detected even without a connection? If that is the case, in which cases can the OS be detected and in which can it not?
I did a quick scan of some data from the Scanning API in a couple of environments. I only see a value for OS when the device is connected to the network.
I've never seen details from Meraki on how they identify the OS. I would guess that they are using fingerprints of certain network traffic, similar to remote OS detection in nmap. Meraki appears to keep its own database when people flag the device type as inaccurate in Meraki Dashboard.
If this guess is accurate, a device would have to associate to the network prior to OS detection. The results of OS detection may be inaccurate, especially when new devices, drivers, and OS versions are released.
There's a decent chance that similar technology is used for detecting rogue access points on the LAN.
We do see observations of devices that are not connected that do have an OS, and I was wondering if this is because they connected to the network at some point in the past. Do you think Meraki uses data across all networks to sync that?
Let's say there is a Meraki installation in building A, owned by company AA. Joe is an employee, and is connected to the network.
One day, Joe goes to a client in building B, occupied by company BB, which operates their own Meraki installation. Will the Scanning API of company BB show the OS data for Joe's phone and laptop, even if he never ever connected to company BB's network?
According to this article, the OS fingerprinting happens via DHCP, so I assume that only clients that connect to the network will be eligible for this feature. However, we see observations of clients that did not connect to the network (since we enabled Scanning API) and have OS information. I'm wondering how this can be possible.
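One way to test the "connected at some point in the past" hypothesis against collected data, as an added example that is not part of the original thread: bucket every observation that carries an OS label by whether the same MAC was associated at that moment, earlier in the capture, or never. The field names `clientMac`, `seenEpoch`, `ssid` and `os` are assumed to match the observation objects your receiver stores, with `ssid` null for unassociated clients; the sample records are constructed.

```python
import json

# Constructed sample: observations flattened from several Scanning API POSTs.
# Field names are an assumption about the stored observation format.
SAMPLE = json.loads("""[
 {"clientMac": "aa:aa:aa:00:00:01", "seenEpoch": 1000, "ssid": "corp", "os": "Android"},
 {"clientMac": "aa:aa:aa:00:00:01", "seenEpoch": 2000, "ssid": null, "os": "Android"},
 {"clientMac": "aa:aa:aa:00:00:02", "seenEpoch": 1500, "ssid": null, "os": null},
 {"clientMac": "aa:aa:aa:00:00:03", "seenEpoch": 1800, "ssid": null, "os": "Apple iOS"},
 {"clientMac": "aa:aa:aa:00:00:03", "seenEpoch": 2500, "ssid": "corp", "os": "Apple iOS"}
]""")


def classify_os_labels(observations):
    """Bucket each OS-labelled observation by the client's association history."""
    buckets = {"associated": [], "previously_associated": [], "never_associated": []}
    seen_associated = set()  # MACs that have been associated so far in the capture
    # Replay in time order so "previously" means strictly earlier in the capture.
    for obs in sorted(observations, key=lambda o: o["seenEpoch"]):
        mac = obs["clientMac"].lower()
        associated = bool(obs.get("ssid"))
        if associated:
            seen_associated.add(mac)
        if not obs.get("os"):
            continue  # no OS label, nothing to explain
        if associated:
            buckets["associated"].append(mac)
        elif mac in seen_associated:
            buckets["previously_associated"].append(mac)
        else:
            # OS label with no association anywhere earlier in this capture
            buckets["never_associated"].append(mac)
    return buckets


if __name__ == "__main__":
    for name, macs in classify_os_labels(SAMPLE).items():
        print(f"{name}: {macs}")
```

A MAC in `never_associated` was only unassociated within the capture window; a client that joined the network before collection started lands in the same bucket, so the result narrows the question rather than settling it.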