[Ntop] OS Finger Printing
Jim Richard
JRichard at SciQuest.com
Tue Feb 24 02:55:17 CET 2009
All:
I've been running ntop for 3 weeks. Overall I'm very pleased. I'm
running on RHEL 5, on a switch port mirrored from my internet firewall's
internal NIC (just picking up wire traffic). I am currently running
3.3.6 sourced as an rpm from the RedHat EPEL yum repository. I've also
downloaded the sources for ntop 3.3.6. When setting up OS
fingerprinting I noticed in my log that 0 fingerprints were loaded.
gzcatting the file etter.finger.os.gz in both /etc/ntop and in my source
directory resulted in "gzcat: etter.finger.os.gz: not in gzip format". I
downloaded ettercap sources and replaced my /etc/ntop/etter.finger.os.gz
but the fingerprints were years out of date.
I ran autogen.sh in my source tree, resolved a few issues, then
checked the makefile for the dnetter target and found that the URL for
the ettercap fingerprint file is broken:
"http://cvs.sourceforge.net/viewcvs.py/ettercap/ettercap_ng/share". I
did some more digging, located the current URL, and built it with the
dnetter makefile target. The current URL is:
"http://ettercap.cvs.sourceforge.net/viewvc/ettercap/ettercap_ng/share"
The makefile variable below should be updated accordingly:
ETTER_PASSIVE_DOWNLOAD_FROM=
After making the changes described above I was able to run "make
dnetter" to retrieve, and zip the file. I then copied the fingerprint
file to /etc/ntop. Once that was done I restarted ntop and I'm happy to
say that OS fingerprinting is now working as expected, though with some
caveats:
* VMware guests fingerprint as Linux, though they are Windows.
* Ubuntu Linux shows as Debian.
* Some up-level Windows hosts show as win98.
... etc.
But these are ettercap issues, not ntop. I hope this helps others with
fingerprinting under ntop. The good news is that except for the Windows
guests under VMware, Windows is reporting as Windows and Linux is
reporting as Linux.
Best Regards,
Jim Richard
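
Added example, not part of the original post or of ntop's code: a pre-flight check for a candidate etter.finger.os.gz that catches both conditions described above (a file that is "not in gzip format" and a database that yields 0 fingerprints) before it is copied into /etc/ntop. The function name, the result keys and the 11-field line layout are assumptions based on ettercap's passive fingerprint format; the sample database is constructed.

```python
import gzip
import re
import sys
import zlib

GZIP_MAGIC = b"\x1f\x8b"

# Assumed ettercap passive-fingerprint layout (not shown in the post):
#   WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS name
FP_LINE = re.compile(
    r"^[0-9A-F]{4}:(?:[0-9A-F]{4}|_MSS):[0-9A-F]{2}:(?:[0-9A-F]{2}|WS):"
    r"[01]:[01]:[01]:[01]:[A-Z]:(?:[0-9A-F]{2}|LT):\S.*$",
    re.IGNORECASE,
)

# Constructed sample database, not real ettercap data.
SAMPLE_DB = """\
# comment line
0000:_MSS:80:WS:0:0:0:0:A:LT:Example OS A
4000:05B4:40:00:1:1:1:0:S:30:Example OS B
this line is malformed
"""


def check_fingerprint_db(data: bytes) -> dict:
    """Return why a candidate etter.finger.os.gz is (un)usable and its entry count."""
    result = {"ok": False, "reason": "", "fingerprints": 0, "malformed": 0}
    if data[:2] != GZIP_MAGIC:
        result["reason"] = "not-gzip"  # same condition gzcat reported in the post
        return result
    try:
        text = gzip.decompress(data).decode("latin-1")
    except (OSError, EOFError, zlib.error):
        result["reason"] = "corrupt-gzip"  # truncated or damaged download
        return result
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = "fingerprints" if FP_LINE.match(line) else "malformed"
        result[key] += 1
    result["ok"] = result["fingerprints"] > 0
    result["reason"] = "loaded" if result["ok"] else "no-fingerprints"
    return result


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else gzip.compress(SAMPLE_DB.encode())
    print(check_fingerprint_db(blob))
```

Run it with the path to the freshly built file as the only argument; with no argument it checks the constructed sample.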