Hi all,
I'm doing a project on analyzing the network traffic of a given packet capture. I'm using Wireshark. My question is: is there any way to determine the operating system of a machine from its MAC address? And also, if there are any other network traffic analyzer tools out there besides Wireshark (Wireshark is pretty overwhelming), please do let me know.
cheers,
My question is: is there any way to determine the operating system of a machine from its MAC address?
No. How would you?
And also, if there are any other network traffic analyzer tools out there besides Wireshark (Wireshark is pretty overwhelming), please do let me know.
Yes, lots. Google "network traffic analysis". Good luck.
Is there any way to determine the operating system of a machine from its MAC address?
No, the MAC address is coded into the network interface card's firmware and operates on Layer 2 of the OSI model. You can find the manufacturer of the NIC (if it has not been cloned or changed).
That being said, it will operate outside of the OS.
Wireshark is a great free utility. There are also hardware network taps that can monitor and analyze packets.
Although you cannot determine the OS from the MAC address alone, if you are sniffing traffic or analyzing PCAP files you are likely to find the OS associated with a particular MAC address.
As already answered, the MAC address is assigned to the vendor of the interface and is not OS dependent. However, you did not say whether you are analyzing live data or a capture.
Within the PCAP logs there may be sufficient information to identify a particular "fingerprint" for an OS. Nmap, for example, uses port data and other information to "guess" the likely OS, and a number of ports are used for protocols either specific to an OS or to a service which is seen, predominantly, on one OS.
If you have the Wireshark/PCAP data, with sufficient information you should be able to predict the likelihood of a given OS associated with a given interface (MAC address).
Eric Kollman has some interesting related papers and tools on his site
enjoy
Is there no chance of you filtering the results for the IP address of your target machine, then getting some HTTP GET packets and getting the OS from there?
…sorry if I'm saying something you've already tried/done.
Hmmm…
Just thinking, but …
A MAC address can narrow down your computer to PC/Mac/Sparc/router/etc. machine, but not necessarily the OS.
That is, a MAC address is unique, as already stated - but, a set of MAC addresses within the type of NIC is also unique - one cannot use an ISA, EISA, PC104, PXI, PCI or PCI Express NIC batch interchangeably, limiting the OS world. I know this is also consistent with devices such as routers.
So, a MAC address may not define the OS, but it can eliminate some for sure.
Possibly. Maybe. Could be.
Just a thought….
Hmmm…
A MAC address can narrow down your computer to PC/Mac/Sparc/router/etc. machine, but not necessarily the OS. That is, a MAC address is unique, as already stated - but, a set of MAC addresses within the type of NIC is also unique - one cannot use an ISA, EISA, PC104, PXI, PCI or PCI Express NIC batch interchangeably, limiting the OS world. I know this is also consistent with devices such as routers.
Not if it is cloned and/or spoofed. Most, if not all, commercial routers can clone a MAC, and spoofing a MAC on a NIC is very simple. Because of the inherent design of MAC addressing you really cannot tell what hardware or software platform it is "living on" by the MAC alone.
Nmap uses active probing to determine OS type; it's reasonably accurate, but not suitable if all you have is a packet capture. p0f identifies OS type passively from a packet capture. Various other information in the packet capture may give you information to help identify the OS (e.g., helpful HTTP User-Agent strings).
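To make the thread's conclusion concrete (the MAC yields the NIC vendor only; the OS has to come from the traffic itself, as the posts about PCAP fingerprinting and p0f/User-Agent strings say), here is an added example that is not code from any poster, nor from Wireshark, Nmap or p0f. It parses a classic libpcap file with only the Python standard library and, per source MAC, records the OUI vendor, the IP TTL, the TCP SYN window and any HTTP User-Agent, then guesses the OS from the last three. The OUI table, the TTL and User-Agent rules and the capture itself are simplified, constructed assumptions; real work would consult the IEEE OUI registry and p0f's signature database.

```python
"""Passive OS guessing from a pcap: vendor from the MAC, OS from the traffic.

Added example; the OUI subset, fingerprint rules and SAMPLE_PCAP are constructed.
"""
import struct

OUI_VENDORS = {"00:50:56": "VMware", "00:0c:29": "VMware", "00:1b:63": "Apple"}  # assumed subset
# Common initial TTL defaults -> OS family (the observed TTL is decremented once per hop).
TTL_FAMILY = {64: "Linux/macOS/BSD", 128: "Windows", 255: "Solaris/network device"}
# User-Agent substrings -> OS, most specific first (simplified rules).
UA_RULES = [(b"Windows NT", "Windows"), (b"iPhone", "iOS"), (b"Android", "Android"),
            (b"Mac OS X", "macOS"), (b"Linux", "Linux")]


def pcap_frames(data):
    """Yield link-layer frames from a classic (non-pcapng) libpcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def frame_features(frame):
    """Return (src_mac, ttl, syn_window, user_agent) for an IPv4 frame, else None."""
    if len(frame) < 34:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ttl, proto = frame[22], frame[23]
    mac = ":".join(f"{b:02x}" for b in src)
    window = ua = None
    if proto == 6 and len(frame) >= 14 + ihl + 20:
        t = 14 + ihl
        _sp, _dp, _seq, _ack, doff, flags, win = struct.unpack("!HHIIBBH", frame[t:t + 16])
        if (flags & 0x12) == 0x02:  # pure SYN: its window reflects the OS default
            window = win
        payload = frame[t + (doff >> 4) * 4:]
        for line in payload.split(b"\r\n"):  # naive HTTP header scan
            if line.lower().startswith(b"user-agent:"):
                ua = line.split(b":", 1)[1].strip()
    return mac, ttl, window, ua


def guess_ttl_family(ttl):
    """Map an observed TTL to the nearest common initial TTL: (family, hop estimate)."""
    initial = next((t for t in sorted(TTL_FAMILY) if ttl <= t), 255)
    return TTL_FAMILY[initial], initial - ttl


def guess_from_ua(ua):
    return next((name for needle, name in UA_RULES if ua and needle in ua), None)


def profile_capture(data):
    """Build {src_mac: {...}}: vendor from the OUI, OS verdict from TTL and User-Agent."""
    hosts = {}
    for frame in pcap_frames(data):
        f = frame_features(frame)
        if f is None:
            continue
        mac, ttl, window, ua = f
        h = hosts.setdefault(mac, {"vendor": OUI_VENDORS.get(mac[:8], "unknown"),
                                    "ttl": ttl, "syn_window": None, "ua_os": None})
        h["ttl"] = max(h["ttl"], ttl)
        if window is not None:
            h["syn_window"] = window
        if ua and h["ua_os"] is None:
            h["ua_os"] = guess_from_ua(ua)
    for h in hosts.values():
        h["ttl_os"], h["hops"] = guess_ttl_family(h["ttl"])
        h["verdict"] = h["ua_os"] or h["ttl_os"]  # application-layer evidence beats TTL
    return hosts


def _tcp_frame(src_mac, src_ip, ttl, window, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     bytes(src_ip), bytes([10, 0, 0, 1]))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex(src_mac), 0x0800)
    return eth + ip + tcp


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out


GET_WIN = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n\r\n"
GET_MAC = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0)\r\n\r\n"

# Constructed capture: two VMware NICs running different OSes, one Apple NIC, one host 3 hops away.
SAMPLE_PCAP = _pcap([
    _tcp_frame("005056aabb01", [10, 0, 0, 11], 128, 8192, 0x02),           # SYN
    _tcp_frame("005056aabb01", [10, 0, 0, 11], 128, 8192, 0x18, GET_WIN),  # PSH/ACK with User-Agent
    _tcp_frame("001b63aabb02", [10, 0, 0, 12], 64, 65535, 0x02),
    _tcp_frame("001b63aabb02", [10, 0, 0, 12], 64, 65535, 0x18, GET_MAC),
    _tcp_frame("000c29aabb03", [10, 0, 0, 13], 61, 29200, 0x02),           # SYN only, no HTTP seen
])

if __name__ == "__main__":
    for mac, h in profile_capture(SAMPLE_PCAP).items():
        print(f"{mac}  vendor={h['vendor']:<8} ttl={h['ttl']:>3} win={h['syn_window']}  -> {h['verdict']}")
```

Run it and the two VMware MACs come out as Windows and Linux/macOS/BSD respectively, which is the whole point: the OUI tells you who made the NIC, while the TTL, SYN window and User-Agent carry the OS evidence. Note the TTL rule is only a family guess and assumes the host is fewer than 64 hops away; a host behind a NAT router shows the router's rewritten TTL for some protocols, and a spoofed MAC shows whatever vendor prefix the spoofer chose.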