Learn how to a build a cloud-first strategyRegister Now


OS fingerprinting in ntop

Posted on 2005-04-27
Medium Priority
Last Modified: 2010-03-17
I  just started to run ntop. It's very nice.  Among other things it identifies the OS of the nodes on our net using something called  fingerprininting.  For like 100 out of 500 systems on our net it is able to do this.

How does fingerprinting work and how can I get ntop to identify the OS on the remaining 400 nodes?
Question by:veedar
LVL 14

Assisted Solution

chris_calabrese earned 400 total points
ID: 13878429
From ntopsupport.org/doesitrun.html:

    ntop uses the Ettercap database for it's optional OS Fingerprinting. This is PASSIVE
    fingerprinting - only the packets ntop sees during normal processing are used.
    We try to ship with a current version of the fingerprint database, but the latest
    can always be obtained from the home page or via "make dnetter" in your ntop source directory.

    (2.2 and prior versions used nmap, and did ACTIVE fingerprinting, but that was replaced with Ettercap in 3.0)

Additional information on Ettercap is available from http://ettercap.sourceforge.net/
LVL 15

Author Comment

ID: 13878660
Thanks,  so there is nothing I can do except wait and give ntop time to sniff packets coming from these other systems.

I'm wondering if I ping an un-fingerprinted system will it generate some packets fot ntop to see?
LVL 14

Expert Comment

ID: 13878784
That might work.
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.


Expert Comment

ID: 13883124
you can also use nmap with -O option for fingerprinting

Expert Comment

ID: 13904521

By default, ntop only reports fingerprints for local systems (that's the address from the NIC plus any -m ranges).  But at the bottom of the page is an option to try reporting on non-local systems.

It often works, but remember that the routers in between the ntop host and the remote system may alter the characteristics that make up the fingerprint.

-----Burton (ntopSupport.com)

Accepted Solution

bstrauss3 earned 1600 total points
ID: 13904552
In the source, is a #define (FINGERPRINT_DEBUG) you can enable to see the details (set this in globals-defines.h) of the resolution.

But - ICMP won't do.  It's based on the characteristics of the SYN or SYN-ACK packets of the 3-way handshake for a tcp connection.

Specifically (see program pbuf.c around line 1350) - it's the flags and values of that handshake packet.  Thinks like the Window size, fragment bits, etc.  Since these are not part of the standard, each different tcp/ip stack sets different values.  That's what makes up the "fingerprint".


Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question