OS fingerprinting in ntop

Posted on 2005-04-27
Last Modified: 2010-03-17
I just started to run ntop. It's very nice. Among other things it identifies the OS of the nodes on our net using something called fingerprinting. For like 100 out of 500 systems on our net it is able to do this.

How does fingerprinting work, and how can I get ntop to identify the OS on the remaining 400 nodes?
Question by: veedar
    LVL 14

    Assisted Solution


    ntop uses the Ettercap database for its optional OS fingerprinting. This is PASSIVE
    fingerprinting - only the packets ntop sees during normal processing are used.
    We try to ship with a current version of the fingerprint database, but the latest
    can always be obtained from the home page or via "make dnetter" in your ntop source directory.

    (2.2 and prior versions used nmap and did ACTIVE fingerprinting, but that was replaced with Ettercap in 3.0.)

    Additional information on Ettercap is available from
    LVL 15

    Author Comment

    Thanks, so there is nothing I can do except wait and give ntop time to sniff packets coming from these other systems.

    I'm wondering: if I ping an un-fingerprinted system, will it generate some packets for ntop to see?
    LVL 14

    Expert Comment

    That might work.
    LVL 3

    Expert Comment

    You can also use nmap with the -O option for fingerprinting.
    LVL 7

    Expert Comment


    By default, ntop only reports fingerprints for local systems (that's the address from the NIC plus any -m ranges). But at the bottom of the page is an option to try reporting on non-local systems.

    It often works, but remember that the routers in between the ntop host and the remote system may alter the characteristics that make up the fingerprint.

    -----Burton (
    LVL 7

    Accepted Solution

    In the source there is a #define (FINGERPRINT_DEBUG) you can enable to see the details of the resolution (set this in globals-defines.h).

    But - ICMP won't do. It's based on the characteristics of the SYN or SYN-ACK packets of the 3-way handshake for a tcp connection.

    Specifically (see program pbuf.c around line 1350) - it's the flags and values of that handshake packet. Things like the window size, fragment bits, etc. Since these are not part of the standard, each different tcp/ip stack sets different values. That's what makes up the "fingerprint".

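A passive extractor for the handshake characteristics described in the accepted solution, added here as an illustration and not ntop's or Ettercap's code. It parses a constructed IPv4/TCP SYN, pulls out the window size, DF bit, TTL and TCP options, and returns None for a constructed ICMP echo, which is why pinging a host gives ntop nothing to match. The colon-separated signature layout is my approximation of the etter.finger field order and is an assumption, not taken from the page.

```python
import struct

# Constructed sample packets (IPv4 + transport header, no Ethernet frame).
# SYN from 10.0.0.1:40000 to 10.0.0.2:80: TTL 64, DF set, window 64240,
# options MSS=1460, SACK-OK, timestamps, NOP, window scale 7.
SYN_PKT = bytes.fromhex(
    "4500003c 12344000 40060000 0a000001 0a000002"    # IPv4 header
    "9c400050 00000000 00000000 a002faf0 00000000"    # TCP header
    "020405b4 0402080a 00000001 00000000 01030307")   # TCP options
# ICMP echo request between the same hosts: a ping carries no TCP handshake.
ICMP_PKT = bytes.fromhex(
    "4500001c 00010000 40010000 0a000001 0a000002 08000000 00010001")

def fingerprint(pkt: bytes):
    """Return (fields, signature) for a TCP SYN or SYN-ACK, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    if proto != 6:                                  # not TCP: nothing to learn
        return None
    tcp = pkt[ihl:]
    _sp, _dp, _seq, _ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    if not flags & 0x02:                            # only SYN / SYN-ACK count
        return None
    opts, i = tcp[20:(off >> 4) * 4], 0
    mss = wscale = None
    sack = nop = ts = False
    while i < len(opts):                            # walk the TCP option list
        kind = opts[i]
        if kind == 0:                               # end of option list
            break
        if kind == 1:                               # NOP padding
            nop, i = True, i + 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:                              # malformed option: stop
            break
        if kind == 2:
            mss = int.from_bytes(opts[i + 2:i + 4], "big")
        elif kind == 3:
            wscale = opts[i + 2]
        elif kind == 4:
            sack = True
        elif kind == 8:
            ts = True
        i += length
    fields = {"window": win, "mss": mss, "ttl": ttl, "wscale": wscale, "sack": sack,
              "nop": nop, "df": bool(flags_frag & 0x4000), "timestamp": ts,
              "flag": "A" if flags & 0x10 else "S", "length": total_len}
    # Assumed etter.finger-style layout: WWWW:MSS:TTL:WS:S:N:D:T:F:LEN
    sig = ":".join([f"{win:04X}", f"{mss:04X}" if mss is not None else "_MSS",
                    f"{ttl:02X}", f"{wscale:02X}" if wscale is not None else "WS",
                    str(int(sack)), str(int(nop)), str(int(fields["df"])),
                    str(int(ts)), fields["flag"], f"{total_len:02X}"])
    return fields, sig
```

Note that the values come from the sending stack, so a router or NAT on the path that rewrites TTL or clears DF changes the signature, which is the caveat raised above for non-local hosts.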
