Could Malcolm identify and display operating systems?

[meetpity]

1、I would like to know if Malcolm provides a way to query the operating system of devices. I noticed that IP addresses and hostnames are displayed, but I couldn’t find any corresponding information related to operating systems.

2、When I open the OpenSearch Dashboard overview, the DNS requests section is empty and does not display any information. However, if I select a longer time range, such as 2 hours, the DNS request statistics appear. Could this indicate an issue somewhere?

Looking forward to your response.

[mmguero]

I'm converting this issue to a discussion, let's continue the conversation there.

[mmguero]

Hi! Here are my thoughts on your questoins.

1. Sort of, but not directly. All of the information Malcolm has comes from passive observing of network traffic. It's not querying or probing any endpoints in the network, so anything it knows it has to glean from communications between endpoints and/or the internet. Your best bet, probably, is to check out the Software dashboard in Dashboards and see what comes up there. There are some Zeek scripts (such as this one) that are enabled which will attempt to detect user agents that may indicate, for example, what version of Microsoft Windows is detected.
2. That's interesting... is the rest of your data, other logs besides the DNS logs, showing up in realtime or does it seem to be "delayed" as well? How is the traffic capture being done (using a Hedgehog Linux sensor appliance vs Malcolm doing the capture directly vs. uploading PCAP)? Are the date/times on the systems involved (ie., your Malcolm system and sensor, if any) correct?