What Does Your User Agent Say About You?


A user agent is a computer program representing a person, for example, a browser in a Web context.

Besides a browser, a user agent could be a bot scraping webpages, a download manager, or another app accessing the Web. Along with each request they make to the server, browsers include a self-identifying User-Agent HTTP header called a user agent (UA) string. This string often identifies the browser, its version number, and its host operating system.

Spam bots, download managers, and some browsers often send a fake UA string to announce themselves as a different client. This is known as user agent spoofing.

The user agent string can be accessed with JavaScript on the client side using the navigator.userAgent property.

A typical user agent string looks like this: "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0".



Browser User Agent String Wireshark

James Smith
• Tuesday, 05 July, 2022

For example, whether Chrome or Firefox, or what other browser or script, is used for connecting to internet services. Traffic is captured with tcpdump on a Linux CentOS 5.7 machine running Apache HTTP and analyzed in Wireshark.


When a host is infected or otherwise compromised, security professionals need to quickly review packet captures (pcaps) of suspicious network traffic to identify affected hosts and users. This tutorial offers tips on how to gather that pcap data using Wireshark, the widely used network protocol analysis tool.

In most cases, alerts for suspicious activity are based on IP addresses. If you have access to full packet capture of your network traffic, a pcap retrieved on an internal IP address should reveal an associated MAC address and hostname.

DHCP traffic can help identify hosts for almost any type of computer connected to your network. Open the pcap in Wireshark and filter on bootp as shown in Figure 1.

Note: With Wireshark 3.0, you must use the search term dhcp instead of bootp. Select one of the frames that shows DHCP Request in the Info column.

Go to the frame details section and expand the line for Bootstrap Protocol (Request) as shown in Figure 2. Expand the lines for Client Identifier and Host Name as indicated in Figure 3.

Figure 3: Finding the MAC address and hostname in a DHCP request

This pcap is from a Windows host using an internal IP address at 10.2.4.101.

Figure 5: Correlating hostname with IP and MAC address using NBNS traffic

The frame details section also shows the hostname assigned to an IP address as shown in Figure 6.

Figure 7: Following the TCP stream for an HTTP request in the third pcap

This TCP stream has HTTP request headers as shown in Figure 8.

Figure 11: Following the TCP stream for an HTTP request in the fifth pcap

Since more websites are using HTTPS, this method of host identification can be difficult.

However, for those lucky enough to find HTTP web-browsing traffic during their investigation, this method can provide more information about a host. For Windows hosts in an Active Directory (AD) environment, we can find user account names from Kerberos traffic.

This pcap is from a Windows host in the following AD environment: Go to the frame details section and expand lines as shown in Figure 13.

You should find a user account name for Theresa.Johnson in traffic between the domain controller at 172.16.8[. CNameString values for hostnames always end with a $ (dollar sign), while user account names do not.

To filter on user account names, use the following Wireshark expression to eliminate CNameString results with a dollar sign: Using the methods from this tutorial, we can better utilize Wireshark to help us identify affected hosts and users.


Note: If this program is run against a pcap file that is open in a hex editor in read/write mode then it will fail to open the file for reading. This view highlights several of the errors I encountered while making this tool.

Using the offset of “0x3E4B59” given in my search tool we can jump to that point in the hex editor and see what was going on there. From this we see that there appears to be some garbage mixed in with the user agent string, which caused my program to calculate the wrong length, so I just output those frames in hex for further investigation.

The answer, after poring over the file format spec, was to use the timestamp. First we find an interesting UA string we want to investigate, so we use the UA tool to find the offset and jump to it in a hex editor.

So we jump to that location and search “Up” for the 2 bytes “0x54 0x56” that will help us find the timestamp, “BF8C545617920A00”. Update: as December rolled around the bytes to search for changed to 0x60 0x54.

Now I build another tool to convert the timestamp from hex to decimal Epoch time. Next we go to Wireshark Edit –> Find Packet (Ctrl + F) –> In the popup box set the radio buttons to String and “Packet Details” and insert the decimal Epoch string into the search box.

Depending on where you are in the capture file you may need to change the search direction up or down. We just take the Epoch timestamp from Wireshark, run it through our handy dandy time converter and get the hex bytes out to search for them in the hex editor.

Try doing this, using Firefox as fake user agent (moreover, it's a good startup script for web scraping with the use of cookies): The root of the answer is that the person asking needs to have a JavaScript interpreter to get what they are after.

What I have found is I am able to get all the information I wanted on a website in JSON before it was interpreted by JavaScript. This has saved me a ton of time in what would be parsing HTML hoping each webpage is in the same format.

So when you get a response from a website using requests, really look at the HTML/text because you might find the JavaScript JSON in the footer ready to be parsed. I had a similar issue, but I was unable to use the UserAgent class inside the fake_useragent module.

This solution still gave me a random user agent; however, there is the possibility that the data structure at the endpoint could change. You need to create a header with a properly formatted User-Agent string; it serves to communicate client-server.

Detect mobile browsers without user agent string parsing: Client Hints (omrilotan, Fiverr Engineering, Medium). The Client Hints proposal is already available in Google Chrome and makes for a very cost-effective way to detect (among other things) mobile devices.
