Method and apparatus for fingerprinting systems and operating systems in a network

摘要

A system and method for identifying the number of computer hosts and types of operating systems behind a network address translation is provided. The method includes processing an internet protocol packet associated with the host computer system. The process may involve capturing the internet protocol packet and extracting key fields from the internet protocol packet to produce a fingerprint. The method continues with analyzing the fields in order to determine if a network address translator is connected between the host computer and a public network (e.g. the internet). If there is a network address translator connected, fields may be analyzed in order to determine the number of computers using the network address translator. The fields may also be analyzing in order to determine with a level of probability that the fingerprint identifies the correct operating system running the host computers. Generally, the internet protocol packet that is analyzing will be captured from an aggregation point in the carrier network.

主权项

1. A method for identifying the number of computers and types of operating systems behind a network address translator, comprising:
processing an internet protocol packet associated with at least one host computer system including capturing said internet protocol packet at a point between the at least one host computer system and a network and extracting fields from said internet protocol packet to produce a fingerprint; analyzing said fields to determine if an associated network address translator is connected between said at least one host computer system and the point at which the internet protocol packet was captured; if said network address translator is connected, analyzing said fields to determine the number of host computer systems behind said associated network address translator; analyzing said fields to determine with a level of probability that said fingerprint identifies an operating system running said at least one host computer system; recording subscriber information for subscribers associated with the at least one host computer system in a user index table; and generating a subscriber profile from the subscriber information in the user index table if the at least one host computer system has not been previously fingerprinted.