INFO: Device Identification Report

DESCRIPTION LAST UPDATED: 2023-12-06

DEFAULT SEVERITY LEVEL: INFO

This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our Internet scan types. Discovered devices are classified by vendor, model and device type based on scan signatures that have been developed as part of the European Union INEA CEF VARIoT project.

This is a device population report – no assessment is made on the vulnerability state of the device. The report is intended for recipients to get a better understanding of device population types on networks they are responsible for. Please note the assessment is based only on what was publicly accessible from the Internet.

Please note that a specific IP may identify as different devices by different scans due to port forwarding. The report contains the port number of the scan that resulted in a device classification.

In some cases, false positives may be possible. If you suspect a false positive, please contact us with details of the report.

The report was announced in a blog here.

You can track latest devices identified on the Shadowserver Dashboard.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report comes in two versions, IPv4 and IPv6

Severity levels are described here.

Filenames: device_id, device_id6

This report was enabled as part of the European Union INEA CEF VARIoT project.







Fields



    

  • 

    timestamp
    

    Timestamp when the IP was seen in UTC+0
    

    • 

  • 

    severity
    

    Severity level
    

    • 

  • 

    ip
    

    IP of the detected device
    

    • 

  • 

    protocol
    

    Protocol of the response 
    

    • 

  • 

    port
    

    Port response was received from
    

    • 

  • 

    hostname
    

    Hostname of the device (may be from reverse DNS)
    

    • 

  • 

    tag
    

    Array of tags. For example, iot or vpn
    

    • 

  • 

    asn
    

    AS of the detected device
    

    • 

  • 

    geo
    

    Country of the detected device
    

    • 

  • 

    region
    

    Region of the detected device
    

    • 

  • 

    city
    

    City of the detected device
    

    • 

  • 

    naics
    

    North American Industry Classification System Code
    

    • 

  • 

    hostname_source
    

    Source of the hostname
    

    • 

  • 

    sector
    

    Sector of the IP in question
    

    • 

  • 

    device_vendor
    

    The identified device vendor
    

    • 

  • 

    device_type
    

    Device classification (for example, router, firewall, nas, video-system etc)
    

    • 

  • 

    device_model
    

    The identified device model
    

    • 

  • 

    device_version
    

    Device version, if any
    

    • 








Sample




"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","device_vendor","device_type","device_model","device_version"
"2010-02-10 00:00:00",medium,192.168.0.1,udp,5683,node01.example.com,coap;iot,64512,ZZ,Region,City,0,ptr,,"QLC Chain",,"QLink Resource",2
"2010-02-10 00:00:01",medium,192.168.0.2,udp,5683,node02.example.com,coap;iot,64512,ZZ,Region,City,0,,,"QLC Chain",,"QLink Resource",2
"2010-02-10 00:00:02",medium,192.168.0.3,udp,5683,node03.example.com,coap;iot,64512,ZZ,Region,City,0,,,"QLC Chain",,"QLink Resource",2
















Our 126 Report Types















« Back to Network Reporting