1 files changed, 88 insertions, 2 deletions

diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index bab43abe8..a05ca0493 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -34,6 +34,7 @@ ntop_fds.client_nw_rtt    = ProtoField.new("TCP client network RTT (msec)",  "nt
 ntop_fds.server_nw_rtt    = ProtoField.new("TCP server network RTT (msec)",  "ntop.latency.server_rtt", ftypes.FLOAT, nil, base.NONE)
 ntop_fds.appl_latency_rtt = ProtoField.new("Application Latency RTT (msec)", "ntop.latency.appl_rtt",   ftypes.FLOAT, nil, base.NONE)
 
+local f_eth_source        = Field.new("eth.src")
 local f_eth_trailer       = Field.new("eth.trailer")
 local f_vlan_id           = Field.new("vlan.id")
 local f_arp_opcode        = Field.new("arp.opcode")
@@ -54,6 +55,7 @@ local f_tcp_lost_segment  = Field.new('tcp.analysis.lost_segment') -- packet dro
 local f_rpc_xid           = Field.new('rpc.xid')
 local f_rpc_msgtyp        = Field.new('rpc.msgtyp')
 local f_user_agent        = Field.new('http.user_agent')
+local f_dhcp_request_item = Field.new('bootp.option.request_list_item')
 
 local ndpi_protos            = {}
 local ndpi_flows             = {}
@@ -88,6 +90,8 @@ local tot_ssl_flows          = 0
 local http_ua                = {}
 local tot_http_ua_flows      = 0
 
+local dhcp_fingerprints      = {}
+
 local min_nw_client_RRT      = {}
 local min_nw_server_RRT      = {}
 local max_nw_client_RRT      = {}
@@ -320,6 +324,9 @@ function ndpi_proto.init()
    -- HTTP
    http_ua                = {}
    tot_http_ua_flows      = 0
+
+   -- DHCP
+   dhcp_fingerprints      = {}
    
    -- DNS
    dns_responses_ok       = {}
@@ -530,6 +537,24 @@ end
 
 -- ###############################################
 
+function dhcp_dissector(tvb, pinfo, tree)
+   local req_item = f_dhcp_request_item()
+   
+   if(req_item ~= nil) then
+      local srckey = tostring(f_eth_source())
+      local req_table = { f_dhcp_request_item() }
+      local fingerprint = ""
+
+      for k,v in pairs(req_table) do
+	 fingerprint = fingerprint .. string.format("%02X", v.value)
+      end
+
+      dhcp_fingerprints[srckey] = fingerprint
+   end
+end
+
+-- ###############################################
+
 function dns_dissector(tvb, pinfo, tree)
    local dns_response = f_dns_response()
    if(dns_response ~= nil) then
@@ -892,6 +917,7 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
    vlan_dissector(tvb, pinfo, tree)
    ssl_dissector(tvb, pinfo, tree)
    http_dissector(tvb, pinfo, tree)
+   dhcp_dissector(tvb, pinfo, tree)   
    dns_dissector(tvb, pinfo, tree)
    rpc_dissector(tvb, pinfo, tree)
 end
@@ -1203,6 +1229,65 @@ end
 
 -- ###############################################
 
+local function dhcp_dialog_menu()
+   local win = TextWindow.new("DHCP Fingerprinting");
+   local label = ""
+   local tot = 0
+   local i
+   local fingeprints = {
+      ['017903060F77FC'] = 'iOS',
+      ['017903060F77FC5F2C2E'] = 'MacOS',
+      ['0103060F775FFC2C2E2F'] = 'MacOS',
+      ['0103060F775FFC2C2E'] = 'MacOS',
+      ['0603010F0C2C51452B1242439607'] = 'HP LaserJet',
+      ['01032C06070C0F16363A3B45122B7751999A'] = 'HP LaserJet',
+      ['0103063633'] = 'Windows',
+      ['0103060F1F212B2C2E2F79F9FC'] = 'Windows',
+      ['0103060C0F1C2A'] = 'Linux',
+      ['011C02030F06770C2C2F1A792A79F921FC2A'] = 'Linux',
+      ['0102030F060C2C'] = 'Apple AirPort',
+      ['010F03062C2E2F1F2179F92B'] = 'Windows'
+   }
+      
+   if(dhcp_fingerprints ~= {}) then
+      i = 0
+      label = label .. "Client\t\tKnown Fingerprint\n"
+      for k,v in pairsByValues(dhcp_fingerprints, rev) do
+	 local os = fingeprints[v]
+
+	 if(os ~= nil) then
+	    local os = " ["..os.."]"
+	    label = label .. k.."\t"..v..os.."\n"
+	    if(i == 50) then break else i = i + 1 end
+	 end
+      end
+
+      i = 0
+      for k,v in pairsByValues(dhcp_fingerprints, rev) do
+	 local os = fingeprints[v]
+
+	 if(os == nil) then
+	    if(i == 0) then
+	       label = label .. "\n\nClient\t\tUnknown Fingerprint\n"
+	    end
+	 
+	    label = label .. k.."\t"..v.."\n"
+	    if(i == 50) then break else i = i + 1 end
+	 end
+      end
+
+
+      
+   else
+      label = "No DHCP fingerprints detected"
+   end
+
+   win:set(label)
+   win:add_button("Clear", function() win:clear() end)
+end
+
+-- ###############################################
+
 local function ssl_dialog_menu()
    local win = TextWindow.new("SSL Server Contacts");
    local label = ""
@@ -1271,12 +1356,13 @@ end
 -- ###############################################
 
 register_menu("ntop/ARP",          arp_dialog_menu, MENU_TOOLS_UNSORTED)
-register_menu("ntop/VLAN",         vlan_dialog_menu, MENU_TOOLS_UNSORTED)
-register_menu("ntop/IP-MAC",       ip_mac_dialog_menu, MENU_TOOLS_UNSORTED)
+register_menu("ntop/DHCP",         dhcp_dialog_menu, MENU_TOOLS_UNSORTED)
 register_menu("ntop/DNS",          dns_dialog_menu, MENU_TOOLS_UNSORTED)
 register_menu("ntop/HTTP UA",      http_ua_dialog_menu, MENU_TOOLS_UNSORTED)
+register_menu("ntop/IP-MAC",       ip_mac_dialog_menu, MENU_TOOLS_UNSORTED)
 register_menu("ntop/SSL",          ssl_dialog_menu, MENU_TOOLS_UNSORTED)
 register_menu("ntop/TCP Analysis", tcp_dialog_menu, MENU_TOOLS_UNSORTED)
+register_menu("ntop/VLAN",         vlan_dialog_menu, MENU_TOOLS_UNSORTED)
 register_menu("ntop/Latency/Network",      rtt_dialog_menu, MENU_TOOLS_UNSORTED)
 register_menu("ntop/Latency/Application",  appl_rtt_dialog_menu, MENU_TOOLS_UNSORTED)