How do I detect Apple iPhone and iPod touch devices in a wireless network? How do I differentiate between an Apple laptop and an iPhone/iPod touch?

Aruba Employee

Question: How do I detect Apple iPhone and iPod touch devices in a wireless network? How do I differentiate between an Apple laptop and an iPhone/iPod touch?

 

Product and Software: This article applies to all Aruba controllers and APs and ArubaOS 3.x and later. This article also applies to iPhone/iPod touch running software 3.x.

Background
With the proliferation of iPhone and iPod touch devices, wireless network administrators in many organizations (especially in higher education) are looking for ways to identify these devices. Unfortunately, these devices cannot be identified by the OUI prefix of the device's 48-bit MAC address, because that prefix makes them indistinguishable from other Apple devices, such as laptops and desktops with wireless cards (such as MacBook and MacBook Pro).


A better solution is needed.

Proposed Solution
This article discusses how a system can be put in place to detect iPhone and iPod touch devices. It applies to the currently shipping operating system on these devices (iPhone OS 3.x).

From our observation, iPhone and iPod touch devices use a unique "Parameter Request List" in the "Requested Options" in the DHCP Request packet. The list includes the following DHCP options:

1 (0x01) Subnet Mask
3 (0x03) Routers
6 (0x06) Domain Name Servers
15 (0x0F) Domain Name
119 (0x77) Domain Search
252 (0xFC) Web Proxy Auto-Discovery Protocol

DHCP option references:
http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
http://technet.microsoft.com/en-us/library/cc713344.aspx
http://www.wrec.org/Drafts/draft-cooper-webi-wpad-00.txt

The options are not the same for Mac OS X (for example, MacBooks and MacBook Pros), and as far as we know they are also different from the list of DHCP options used by Windows-based devices (XP, Vista, and 7).

To identify iPhone/iPod touch devices, we need a system that can intercept DHCP requests between wireless clients and the DHCP server(s). This can be done in two ways:


1) Enable session mirroring in the user role on the Aruba controller using an ACL similar to the following, and send the mirrored traffic to an external host.

ip access-list session mirror-dhcp
any any svc-dhcp permit mirror log


firewall session-mirror-destination ip-address A.B.C.D

On the external host, run 'tshark' and filter on DHCP request packets (details provided below).


2) Enable wired port mirroring on the port where the DHCP server is connected, and mirror traffic to an external host (similar to option 1).


Run a packet capture (tshark) directly on the DHCP server.


 


On the host performing the packet capture, use the following options to 'tshark' to filter only the relevant DHCP packets (assuming a UNIX host with an interface named eth0):

sudo tshark -i eth0 -V -n -l -R "bootp.option.type eq 55 and bootp.option.value eq 01:03:06:0f:77:fc" -Tfields -e bootp.hw.mac_addr > dhcp-mac.txt &

This command saves the MAC addresses of detected iPhone/iPod touch devices in the 'dhcp-mac.txt' file.

Further processing can be done to make use of this list (for example, black-listing a client).

 

Here is an example of the DHCP Request packet sent by an iPhone device:

 

Ethernet II, Src: Apple_21:8e:7a (00:21:e9:21:8e:7a), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: Apple_21:8e:7a (00:21:e9:21:8e:7a)
        Address: Apple_21:8e:7a (00:21:e9:21:8e:7a)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x60 (DSCP 0x18: Class Selector 3; ECN: 0x00)
        0110 00.. = Differentiated Services Codepoint: Class Selector 3 (0x18)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 328
    Identification: 0x9edd (40669)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0x1b68 [correct]
        [Good: True]
        [Bad : False]
    Source: 0.0.0.0 (0.0.0.0)
    Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
    Source port: bootpc (68)
    Destination port: bootps (67)
    Length: 308
    Checksum: 0xc70a [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Bootstrap Protocol
    Message type: Boot Request (1)
    Hardware type: Ethernet
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x0ac8b27c
    Seconds elapsed: 1
    Bootp flags: 0x0000 (Unicast)
        0... .... .... .... = Broadcast flag: Unicast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 0.0.0.0 (0.0.0.0)
    Client MAC address: Apple_21:8e:7a (00:21:e9:21:8e:7a)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: (OK)
    Option: (t=53,l=1) DHCP Message Type = DHCP Request
        Option: (53) DHCP Message Type
        Length: 1
        Value: 03
    Option: (t=55,l=6) Parameter Request List
        Option: (55) Parameter Request List
        Length: 6
        Value: 0103060F77FC
        1 = Subnet Mask
        3 = Router
        6 = Domain Name Server
        15 = Domain Name
        119 = Domain Search [TODO]
        252 = Private/Proxy autodiscovery
    Option: (t=57,l=2) Maximum DHCP Message Size = 1500
        Option: (57) Maximum DHCP Message Size
        Length: 2
        Value: 05DC
    Option: (t=61,l=7) Client identifier
        Option: (61) Client identifier
        Length: 7
        Value: 010021E9218E7A
        Hardware type: Ethernet
        Client MAC address: Apple_21:8e:7a (00:21:e9:21:8e:7a)
    Option: (t=50,l=4) Requested IP Address = 192.168.7.62
        Option: (50) Requested IP Address
        Length: 4
        Value: C0A8073E
    Option: (t=54,l=4) DHCP Server Identifier = 192.168.7.1
        Option: (54) DHCP Server Identifier
        Length: 4
        Value: C0A80701
    Option: (t=12,l=9) Host Name = "Iphone-3G"
        Option: (12) Host Name
        Length: 9
        Value: 4970686F6E652D3347
    End Option
    Padding
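
The same option 55 match can be done in a script on the capture host. The following is an added example, not part of the original article or any Aruba tooling: it parses a raw BOOTP/DHCP payload, extracts the client MAC and options, and compares the Parameter Request List with the iPhone OS 3.x list above. The function names are hypothetical, and the sample packet is constructed from the values in the dump above.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
IPHONE_PRL = bytes([1, 3, 6, 15, 119, 252])  # option 55 list given in this article

def parse_dhcp(payload: bytes):
    """Return (client_mac, {option_code: value}) for a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option: no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        # A repeated option code is concatenated (RFC 3396 long options).
        options[code] = options.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return mac, options

def is_iphone_os3(payload: bytes) -> bool:
    """True only when option 55 equals the article's list, same order."""
    try:
        _, options = parse_dhcp(payload)
    except ValueError:
        return False               # malformed packets never match
    return options.get(55) == IPHONE_PRL

def build_sample(prl: bytes) -> bytes:
    """Constructed DHCP Request using the header values and options in the dump."""
    mac = bytes.fromhex("0021e9218e7a")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x0AC8B27C,
                         1, 0, bytes(4), bytes(4), bytes(4), bytes(4), mac, b"", b"")
    opts = [(53, b"\x03"), (55, prl), (57, b"\x05\xdc"), (61, b"\x01" + mac),
            (50, bytes([192, 168, 7, 62])), (54, bytes([192, 168, 7, 1])),
            (12, b"Iphone-3G")]
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts)
    return header + MAGIC_COOKIE + body + b"\xff" + bytes(8)

if __name__ == "__main__":
    print(parse_dhcp(build_sample(IPHONE_PRL))[0], is_iphone_os3(build_sample(IPHONE_PRL)))
```

The comparison is exact and order-sensitive, like the tshark filter, so a client that requests the same options in a different order does not match.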

 

Version history
Revision #:
1 of 1
Last update:
‎07-07-2014 04:00 PM
 