OS fingerprinting in ntop

I just started to run ntop. It's very nice. Among other things it identifies the OS of the nodes on our net using something called fingerprinting. For like 100 out of 500 systems on our net it is able to do this.

How does fingerprinting work and how can I get ntop to identify the OS on the remaining 400 nodes?
In the source there is a #define (FINGERPRINT_DEBUG) you can enable (set this in globals-defines.h) to see the details of the resolution.

But - ICMP won't do. It's based on the characteristics of the SYN or SYN-ACK packets of the 3-way handshake for a TCP connection.

Specifically (see program pbuf.c around line 1350) - it's the flags and values of that handshake packet. Things like the window size, fragment bits, etc. Since these are not part of the standard, each different TCP/IP stack sets different values. That's what makes up the "fingerprint".

From ntopsupport.org/doesitrun.html:

    ntop uses the Ettercap database for its optional OS Fingerprinting. This is PASSIVE
    fingerprinting - only the packets ntop sees during normal processing are used.
    We try to ship with a current version of the fingerprint database, but the latest
    can always be obtained from the home page or via "make dnetter" in your ntop source directory.

    (2.2 and prior versions used nmap, and did ACTIVE fingerprinting, but that was replaced with Ettercap in 3.0)

Additional information on Ettercap is available from http://ettercap.sourceforge.net/
veedar (Author) commented:
Thanks, so there is nothing I can do except wait and give ntop time to sniff packets coming from these other systems.

I'm wondering if I ping an un-fingerprinted system will it generate some packets for ntop to see?

That might work.
You can also use nmap with the -O option for fingerprinting.

By default, ntop only reports fingerprints for local systems (that's the address from the NIC plus any -m ranges). But at the bottom of the page is an option to try reporting on non-local systems.

It often works, but remember that the routers in between the ntop host and the remote system may alter the characteristics that make up the fingerprint.

-----Burton (ntopSupport.com)
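As an added example (not ntop's or Ettercap's code), here is a small passive fingerprinter that pulls the handshake fields discussed in the first answer (window size, DF bit, TTL, TCP options) out of a raw SYN and matches them against a signature table, and that also shows why Burton's router caveat matters by rounding the observed TTL back to a likely initial value. The signature table, the initial-TTL rounding and the packet builder are constructed for illustration and are not the database ntop ships.

```python
import struct

# Constructed signature table for this example, NOT the Ettercap database ntop ships:
# (window, initial TTL, DF set, MSS, window scale, SACK-permitted, timestamps) -> label
SIGNATURES = {
    (65535, 64, True, 1460, 6, True, True): "example-stack-A (constructed)",
    (8192, 128, True, 1460, 8, True, False): "example-stack-B (constructed)",
}

def parse_syn(frame):
    """Extract the passive-fingerprint fields from a raw IPv4+TCP SYN (no link-layer header)."""
    ver_ihl, _, _, _, frag_off, ttl, proto = struct.unpack("!BBHHHBB", frame[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    df = bool(frag_off & 0x4000)                       # Don't Fragment bit
    tcp = frame[(ver_ihl & 0x0F) * 4:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    flags = off_flags & 0x01FF
    if not (flags & 0x02) or flags & 0x10:             # only the client's SYN, not a SYN-ACK
        return None
    # Routers decrement TTL in transit; map it back to a common initial value (simplification).
    init_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    opts, i, seen = tcp[20:(off_flags >> 12) * 4], 0, {}
    while i < len(opts) and opts[i] != 0:              # kind 0 = end of option list
        if opts[i] == 1:                               # kind 1 = NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:      # truncated or malformed option
            break
        length = opts[i + 1]
        seen[opts[i]] = opts[i + 2:i + length]
        i += length
    mss = struct.unpack("!H", seen[2])[0] if 2 in seen else None
    wscale = seen[3][0] if 3 in seen else None
    return (window, init_ttl, df, mss, wscale, 4 in seen, 8 in seen)

def fingerprint(frame):
    key = parse_syn(frame)
    return None if key is None else SIGNATURES.get(key, "unknown")

def build_syn(window, ttl, df, mss, wscale, sack, ts):
    """Build a constructed IPv4+TCP SYN so the parser can be exercised offline."""
    opts = struct.pack("!BBHBBBB", 2, 4, mss, 3, 3, wscale, 1)       # MSS, WS, NOP
    opts += (b"\x04\x02" if sack else b"") + (struct.pack("!BBII", 8, 10, 1, 0) if ts else b"")
    opts += b"\x01" * (-len(opts) % 4)                                # pad to 32-bit boundary
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (doff << 12) | 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes(4), bytes(4))
    return ip + tcp
```

Feeding it SYNs captured from hosts that ntop has not classified shows exactly which field combination is missing from the table; a SYN-ACK, or a packet whose TTL has been decremented by intermediate routers, illustrates why results for non-local hosts are less reliable.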