MAC Address Filtering – How to Filter Mobile Devices

mac addresstcpdumpwireless

I am monitoring my network and I would like to know how many mobile devices are there. I am already filtering probe requests and matching MAC adresses with OUI identifier. However I have few doubts about this procedure:

Around 90% of MAC addresses captured do not match any OUI. Can we
assume that mobile devices will always have a known OUI?
Is there any list with known OUI belonging to mobile devices? I
would like to filter our laptops and PCs.
I know it depends on many factors, but what is the average frequency
more or less in which the probe requests are send?

Thank you!

Best Answer

[rewriting your question without assumptions about the solution]

Q: "How do I find what OS/Device is connected to our wifi?"

Don't use mac-addresses to determine endpoint operating systems; mac-addresses are easily spoofed, and vendors can change their wifi PHY ASIC supplier on a whim
Use something like DHCP Fingerprinting, or better still, Cisco ISE (which does DHCP, HTTP, RADIUS EAP supplicant, and nmap fingerprinting, all in one appliance)

Related Solutions

HP ProCurve WOL – Auto WOL MAC Address of Offline Devices

I guess what I'm asking for is, does a solution exist where a single host can cause an unknown NIC MAC Address to respond so as to populate the switch MAC Table? Or another solution that could get this data?

Let's step back for a moment and think about how switches work.

If a switch doesn't know the destination mac-address in a frame, the switch floods the frame with the unknown destination mac out all ports in that vlan; thus you do not need the switch to know the mac-address of the hosts while the host is powered down.

However, you do need to know the mac-address of all PCs in question; that mac-address is embedded in the WOL frame. Quite honestly, knowing the list of macs is pretty simple... just poll your edge router for arp entries for the Vlan(s) in question every five minutes, and store the results somewhere.

Now when you're ready to wake computers up, build a unique list of macs from your archived ARP tables and send a WOL frame to each unique mac; and if you send a WOL frame to a printer that's already up, who cares?

FYI, I built a python WOL packet crafter if it's at all helpful... you'll need linux or another *nix to use it though. Run in cygwin or a VM if you like...

If you really hate the idea of scraping and archiving your ARP table, another option is HP Port-Security with Static mac-learning... that makes the switch remember the mac it learned on a port and then it saves the mac in the running / startup configurations.

HP Port-security Static

TCPDump – How to Filter by MAC Address

You have used the following as your packet filter: host aa:bb:cc:11:22:33

As it stands, this is looking for an IP or hostname but you are giving it a MAC address.

To use a MAC address, you need to include the ether packet filter primitive.

In your case, the following should work:

sudo tcpdump ether host aa:bb:cc:11:22:33

Or, if it needs you to specify the interface, then it would be something like:

sudo tcpdump -i eth0 ether host aa:bb:cc:11:22:33

Best Answer

Related Solutions

HP ProCurve WOL – Auto WOL MAC Address of Offline Devices

TCPDump – How to Filter by MAC Address

Related Topic