passive observatory

Yonge-Eglinton passive network observatory

The Rogers@Home network in Toronto is always buzzing with an endless stream of broadcast packets, ranging from client-issued DHCP configuration requests to router solicitations, ARP queries and various indecypherable data packets. In January of 2000, this broadcast data was gathered at the Yonge/Eglinton (YEC1) node over a week long period, and then used to gain insight into the structure and size of the network, and various details pertaining to its users, such as usage patterns, NIC vendors, etc.

The following is a list of codes of NIC manufacturers whose cards were detected on the network, followed by the number of individual machines using them. Clearly, the several models that stand out in popularity must be the various cards that Rogers@Home issues to new users. However, many other more exotic models can be found. To find out the actual company info that goes with a vendor ID, go to the IEEE OUI page and type the 6 hex digits of the code into their search engine.

A total of 6865 distinct cards was detected, from 102 different manufacturers:

3576 0000CA
997 00E029
647 0080C6
453 0080C8
161 005004
126 00105A
64 006067
56 0050DA
46 0000C0
45 00104B
45 000502
30 002078
27 0010A4
26 006008
25 004005
25 0000E8
24 00A024
23 00A0CC
21 0000B4

20 006097
18 00A0C9
18 0050E4
18 0040D0
18 0008C7
18 0004AC
17 00D009
17 00C04F
16 00E098
15 00805F
15 0050BA
15 000A27
15 000086
14 0080C7
14 000021
13 00A04B
13 009027
12 00C0F0
10 002018

9 004F49
8 00C0A8
7 004033
7 0020AF
6 525400
6 000094
5 080007
5 00AA00
5 00A00C
4 00508B
4 000039
3 00E0B8
3 00C0CA
3 004F4C
3 004854
3 0040F6
3 002035
3 000629
3 0000F8

2 080046
2 08002B
2 080009
2 02608C
2 00E081
2 00E018
2 00D0E8
2 00D0B7
2 00D059
2 00C0DF
2 008029
2 0060B0
2 00608C
2 00107A
2 00104C
2 000400
2 00001C
1 FF0FE0
1 52544C

1 48ED48
1 187118
1 10005A
1 08004E
1 00E0F9
1 00E04C
1 00E03F
1 00C09F
1 00C095
1 00C002
1 0080AD
1 006094
1 00606E
1 004F4E
1 003148
1 003065
1 0020E0
1 0010B5
1 001060

1 000800
1 00059A
1 0001A7
1 0000F4
1 0000E1
1 000092
1 000000

Some other interesting information can also be easily extracted from the gathered data. the following is a list of the 24 hour-slots of the day, and the percentage of DHCP configuration requests that occured in each. We are assuming here that each DHCP request signifies a boot-up of the corresponding computer, which is true in most cases. Immediately noticeable are the peak prime-time hours, the late night and early morning slump, and the sharp dawn boom as yuppies wake up and check their stock quotes and sports scores.

00 hours:

3.6 %
01 hours:

3.3 %
02 hours:

3.1 %
03 hours:

3.0 %
04 hours:

3.0 %
05 hours:

2.9 %
06 hours:

3.2 %
07 hours:

4.0 %
08 hours:

4.2 %
09 hours:

4.3 %
10 hours:

4.0 %
11 hours:

4.1 %
12 hours:

4.1 %
13 hours:

3.9 %
14 hours:

3.9 %
15 hours:

4.3 %
16 hours:

4.8 %
17 hours:

5.7 %
18 hours:

6.3 %
19 hours:

5.6 %
20 hours:

5.0 %
21 hours:

4.9 %
22 hours:

4.7 %
23 hours:

4.2 %

In addition to the information displayed on this page, it would also be very simple to track individual users' booting habits (DHCP configuration habits, at least) or maybe even send out bogus DHCP responses to misconfigure clients.

Miloš - Jan.2000