Beginner

FMC passive network discovery - what OSID fields used when discovering

Hi Folks, 

When FMC performs passive network discovery it is not interacting with end hosts; it pays extra attention to SYN and SYN-ACK packets and determines OS definitions based on known output from IP headers.

Can anyone point me in the direction of more information on how the FMC is configured to carry out the discovery from IP packets passing through the managed device network points?

Cheers

3 REPLIES
Cisco Employee

Hi Even,

Yes, the managed devices gather the network discovery info as the traffic passes through them and send that info to the FMC, which in turn processes the data and displays it.

The user guide has detailed information about it.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Discovery-Network-Map.html

Is there something specific you are looking for ?

Hope it helps.

Yogesh

Beginner

I'm just wanting to be able to comprehend the operation so I can explain it to people. From what I gather it's a fairly standard open-source type of operation, nothing Cisco-tailored?

So understanding something like http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting is all that's needed?

Also, I've had discovery running for about 2-3 weeks now and Windows 2012 R2 is not being discovered. It's being marked as Windows 7, Server 2008, 8. Do we not need to care that the exact version is detected?

From what I understand, if a product does not change in operation in higher versions the system marks it as the lowest version. For example, I can't remember the finer details, but when seeing Windows Vista for a certain function it still applies to Windows 7/8/10, as the particular feature has not changed in the higher versions.
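To make the mechanism discussed in the original question and in the reply above concrete, here is an added example of p0f-style passive OS fingerprinting from a single TCP SYN. It is not code from this thread, from Cisco, or from FMC, and it does not reproduce FMC's actual fingerprint database: the signature table, the OS labels, and the sample packets are constructed for illustration. It parses the IP and TCP headers of a SYN, extracts the fields a passive fingerprinter keys on (initial TTL guess, DF bit, window size, MSS, window scale, option layout), and looks them up. The Windows-like signature deliberately maps to several versions, which is the behaviour the reply describes: when the TCP/IP stack does not change between releases, one SYN signature cannot separate them, and the system can only report the whole group.

```python
"""Passive OS fingerprinting from a TCP SYN, p0f-style (added example, not FMC code)."""
import struct

# Illustrative signature table, constructed for this example. Values are NOT the real
# p0f or FMC databases. Each entry: initial TTL, DF bit, window size (a literal or a
# multiple of MSS), TCP option layout, and the OS labels that signature cannot separate.
SIGNATURES = [
    {"ittl": 64, "df": True, "win": ("mss", 20), "opts": "mss,sok,ts,nop,ws",
     "os": ["Linux 2.6+/3.x/4.x"]},
    {"ittl": 128, "df": True, "win": 8192, "opts": "mss,nop,ws,nop,nop,sok",
     "os": ["Windows 7", "Windows 8", "Windows Server 2008", "Windows Server 2012"]},
    {"ittl": 128, "df": True, "win": 65535, "opts": "mss,nop,nop,sok",
     "os": ["Windows XP", "Windows Server 2003"]},
]

OPTION_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}


def initial_ttl(observed_ttl):
    """Guess the sender's initial TTL: the smallest common default not below what we saw."""
    return next(t for t in (32, 64, 128, 255) if observed_ttl <= t)


def parse_syn(pkt):
    """Extract fingerprint features from a raw IPv4 + TCP SYN packet (no checksum validation)."""
    ver_ihl, _, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _, _, _, _, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    if off_flags & 0x12 != 0x02:            # SYN set, ACK clear: a bare SYN
        raise ValueError("not a bare SYN")
    opts = tcp[20:(off_flags >> 12) * 4]
    layout, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # end of option list
            break
        if kind == 1:                        # NOP has no length byte
            layout.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:
            raise ValueError("bad option length")
        body = opts[i + 2:i + length]
        if kind == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:
            wscale = body[0]
        layout.append(OPTION_NAMES.get(kind, f"?{kind}"))
        i += length
    return {"ttl": ttl, "ittl": initial_ttl(ttl), "df": bool(flags_frag & 0x4000),
            "win": win, "mss": mss, "wscale": wscale, "opts": ",".join(layout)}


def match(features):
    """Return every OS label whose signature matches; several labels means 'cannot separate'."""
    hits = []
    for sig in SIGNATURES:
        if (sig["ittl"], sig["df"], sig["opts"]) != (features["ittl"], features["df"], features["opts"]):
            continue
        spec = sig["win"]
        if isinstance(spec, tuple):          # window expressed as a multiple of MSS
            if features["mss"] is None or features["win"] != spec[1] * features["mss"]:
                continue
        elif features["win"] != spec:
            continue
        hits.extend(sig["os"])
    return hits or ["unknown"]


def fingerprint(pkt):
    return match(parse_syn(pkt))


def build_syn(ttl, df, win, options):
    """Build a minimal IPv4 + TCP SYN for testing (constructed input, zero checksums)."""
    options += b"\x00" * (-len(options) % 4)
    off_flags = (((20 + len(options)) // 4) << 12) | 0x02
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, off_flags, win, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed sample SYNs, seen a few router hops away (TTL already decremented).
WIN_SYN = build_syn(ttl=125, df=True, win=8192,
                    options=b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02")   # MSS,NOP,WS 8,NOP,NOP,SACK
LINUX_SYN = build_syn(ttl=61, df=True, win=29200,
                      options=b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07")

if __name__ == "__main__":
    for name, pkt in (("windows-like", WIN_SYN), ("linux-like", LINUX_SYN)):
        print(name, parse_syn(pkt), "->", fingerprint(pkt))
```

The Windows-like SYN resolves to four labels at once, which is exactly why a Server 2012 R2 host can appear as "Windows 7, Server 2008, 8" in a passive tool: nothing in the SYN distinguishes them. Only traffic that exposes version-specific behaviour (application banners, SMB dialects, or active probing) can narrow that group, and a passive discovery engine that only watches headers will not see it.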

Beginner

Should one not run 'Firepower Recommendations' until most end points (especially main servers) are classified accurately?