Device Identification

When receiving data from the Collectors, the Engine identifies the devices to which the data belongs. Usually, the Engine identifies a device by its NetBIOS name, the list of its MAC addresses, its hardware id and its Windows SID.

The NetBIOS name (N) of a machine is unique at a given time within a given domain. Name uniqueness is ensured by the domain controller, but two machines may have the same name at different points in time.

The list of MAC addresses ({Mi}) of a machine is the list of MAC addresses of the network adapters that are enabled in Windows. This list may change over time.

The hardware id (H) is based on the following parameters:

  • The BIOS serial number.
  • The chassis serial number.
  • The motherboard serial number.

The hardware id is usually unique for branded PCs but may not be unique for no-name or self-assembled PCs. VMware defines a BIOS serial number that is unique, yielding a valid hardware id.

The Windows SID (S) is the Windows security identifier of the Windows operating system. The SID is generated during the Windows installation process and is supposed to be globally unique. However, if Windows is installed from a cloned image that has not been carefully prepared with sysprep, the SID may not be unique. Experience shows that SIDs are rarely unique in corporate networks and that duplicates appear in bunches of 10 to 50 machines.

Usual algorithm to identify a Device

When receiving device data from a Collector, the Engine executes the following algorithm to determine whether the device is already in its database:

  1. Is there a device in the database with the same tuple <H, {Mi}, N, S> ?
    • If yes, the device is identified to be the same as the one in the database.
  2. Is there a device in the database with the same tuple <H, {Mi}, S> ?
    • If yes, the two devices are considered to be the same. The device was renamed.
  3. Is there a device in the database with the same tuple <H, N, S> and with at least one MAC belonging to the OUI in common?
    • If yes, the two devices are considered to be the same. The device had, for instance, one network adapter disabled or enabled.
  4. Is there a device in the database with the same tuple <H, N, S> and 50% or more MAC addresses are in common?
    • If yes, the two devices are considered to be the same. The device had, for instance, one network adapter disabled or enabled and a MAC address reflashed.
  5. Is there a device in the database with the same tuple <H, S> and more than 50% of the MAC addresses are in common?
    • If yes, the two devices are considered to be the same. The device had, for instance, one network adapter disabled or enabled, a MAC address reflashed and its name modified.
  6. Does H belong to more than one device in the database?
    • If yes, is there a device with the same tuple <H, N>?
      • If yes, the two devices are considered to be the same. The device is probably a VM and it got a new MAC address generated at boot time.
  7. The algorithm computes the subset {Mui} of {Mi} with those MAC addresses that belong to one device only. Is there a device with the same tuple <N, Mui>?
    • If yes, is there a device with the same tuple <H, N>?
      • If yes, the two devices are considered to be the same. The device is a no name PC with the same hardware id.

If no device in the database is identified as per the above rules, then a new device is created.
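
The cascade above, sketched in Python as an added example (not Nexthink's code). It models rules 1 to 6 only; the Device type, the reading of rule 3's OUI test as "a shared MAC that is universally administered", and measuring the share of common MACs against the larger list are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    h: str            # hardware id (H)
    macs: frozenset   # MAC addresses of enabled adapters ({Mi})
    n: str            # NetBIOS name (N)
    s: str            # Windows SID (S)

def vendor_assigned(mac):
    # Assumption: "belonging to the OUI" is read as a universally administered
    # address, i.e. the locally-administered bit (0x02) of the first octet is clear.
    return (int(mac[:2], 16) & 0x02) == 0

def shared(a, b):
    # Assumption: share of common MACs, measured against the larger of the two lists.
    return len(a & b) / max(len(a), len(b), 1)

def identify(new, db):
    """Return (stored device, rule number), or (None, 0) when a new device is created."""
    def same(d, *keys):
        return all(getattr(d, k) == getattr(new, k) for k in keys)
    rules = [
        (1, lambda d: same(d, "h", "macs", "n", "s")),
        (2, lambda d: same(d, "h", "macs", "s")),            # device was renamed
        (3, lambda d: same(d, "h", "n", "s")
                      and any(vendor_assigned(m) for m in d.macs & new.macs)),
        (4, lambda d: same(d, "h", "n", "s") and shared(d.macs, new.macs) >= 0.5),
        (5, lambda d: same(d, "h", "s") and shared(d.macs, new.macs) > 0.5),
        # Rule 6 applies only when H is shared by more than one stored device.
        (6, lambda d: sum(x.h == new.h for x in db) > 1 and same(d, "h", "n")),
    ]
    for number, matches in rules:      # each rule is tried against the whole database
        for d in db:
            if matches(d):
                return d, number
    return None, 0                     # rule 7 (unique-MAC subset) is not modelled here

# Constructed sample data: one physical PC and two cloned VMs sharing H and S.
PC = Device("HW-A", frozenset({"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}), "PC-01", "S-1")
VM1 = Device("HW-V", frozenset({"02:00:00:00:00:01"}), "vm1-ws01", "S-2")
VM2 = Device("HW-V", frozenset({"02:00:00:00:00:02"}), "vm1-ws02", "S-2")
DB = [PC, VM1, VM2]
```

A report whose hardware id, MAC addresses and SID are all new matches no rule and becomes a new device even when its name is already known.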

Identifying devices solely by their name

Starting from the Engine release V5.3.3, it is possible to override the default algorithm to identify devices and instruct the Engine to exclusively identify Windows devices with domain membership by their NetBIOS name. From release V6.8 on, the feature has been extended to support all devices regardless of their platform (Windows or Mac) and membership type.

Note that the default device identification algorithm should be preferred in most cases. Use this alternative method only in setups where the default algorithm fails to reliably identify a specific group of devices. A misconfiguration may lead to devices being artificially merged or split, so use the identification of devices by name carefully.

This feature is particularly useful in virtualized environments, where devices are virtual machines (VMs) recreated at every user session. By applying the traditional algorithm for identifying devices, the Engine regards every new instance of a VM as a new device, ending up with multiple devices that share the same name and that succeed each other over time. By identifying devices only on the basis of their name, the Engine consistently maps a particular VM to a single device time after time, even when its hardware properties change.

The Engine provides a mechanism to apply the name algorithm to a reduced set of devices only. Specify name patterns in the configuration file of the Engine to select those groups of devices that must be identified by their name. For instance, if the name of all your virtual machines begins with vm1-ws or vm2-ws, add the following lines to the configuration file of the Engine (/var/nexthink/engine/01/etc/nxengine.xml):

<config>
  <engine>
    <device_identification>
       <netbios_pattern>vm1-ws*</netbios_pattern>
       <netbios_pattern>vm2-ws*</netbios_pattern>
    </device_identification>
  </engine>
</config>


Valid substitution characters in the name patterns (called netbios_pattern for historical reasons) are:

  • The asterisk * to substitute for zero or more characters.
  • The question mark ? to substitute for one single character.
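
A way to check, before editing nxengine.xml, which known device names a set of patterns would switch to name-only identification (added example, not part of the product). The inventory names are constructed, and case-insensitive matching is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# The configuration fragment shown above.
CONFIG = """<config>
  <engine>
    <device_identification>
       <netbios_pattern>vm1-ws*</netbios_pattern>
       <netbios_pattern>vm2-ws*</netbios_pattern>
    </device_identification>
  </engine>
</config>"""

def compile_pattern(pattern):
    # Only * and ? are substitution characters; every other character is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    # Assumption: names are compared case-insensitively, as NetBIOS names usually are.
    return re.compile(body, re.IGNORECASE)

def load_patterns(xml_text):
    root = ET.fromstring(xml_text)
    path = "./engine/device_identification/netbios_pattern"
    return [p.text.strip() for p in root.findall(path)]

def identified_by_name(names, patterns):
    """Map each name to the first pattern selecting it, or None (default algorithm)."""
    compiled = [(p, compile_pattern(p)) for p in patterns]
    return {n: next((p for p, rx in compiled if rx.fullmatch(n)), None)
            for n in names}

# Constructed inventory: the last two names are not pool VMs.
NAMES = ["vm1-ws001", "VM2-WS17", "vm1-ws", "vm10-ws3", "vm1-wsus-server"]
```

With these patterns, `vm1-wsus-server` is also selected by `vm1-ws*`, the kind of unintended match that would place a non-pool machine under name-only identification.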