I am running the passive OS fingerprinting tool p0f
(http://lcamtuf.coredump.cx/p0f.shtml) as:
p0f -Q /var/run/p0f.sock -0 'dst port 25' >> /dev/null &
then run a test script p0fq.pl from the p0f source package.
./p0fq.pl /var/run/p0f.sock src_host 0 dst_host 25
The p0fq.pl test script works on an x86 machine running Linux, but not on a Mac
running OS X/Yellow Dog Linux.
I suspect it might relate to the endianness of x86 and Mac, so by any
chance, could any Perl gurus shed some light on what's wrong with the p0fq.pl
script? Should the template of pack/unpack be adjusted to fit the Mac's big
endian? I tried to use V to replace L, and v to replace s,S in the template of
pack/unpack, but it still failed.
The p0fq.pl script is as follows:
use strict;
use IO::Socket;
use Net::IP;

my $QUERY_MAGIC = 0x0defaced;
my $QTYPE_FINGERPRINT = 1;

die "usage: p0fq.pl p0f_socket src_ip src_port dst_ip dst_port"
    unless $#ARGV == 4;

# Convert the IPs and pack the request message.
# L and S pack in the host's native byte order; N packs the two
# addresses in network (big-endian) order.
my $src = new Net::IP ($ARGV[1]) or die (Net::IP::Error());
my $dst = new Net::IP ($ARGV[3]) or die (Net::IP::Error());
print "$ARGV[1]\n";
my $query = pack("L L L N N S S", $QUERY_MAGIC, $QTYPE_FINGERPRINT,
                 0x12345678,
                 $src->intip(), $dst->intip(), $ARGV[2], $ARGV[4]);

# Open the connection to p0f
my $sock = new IO::Socket::UNIX (Peer => $ARGV[0],
                                 Type => SOCK_STREAM);
die "Could not create socket: $!\n" unless $sock;

# Ask p0f
print $sock $query;
my $response = <$sock>;
close $sock;

# Extract the response from p0f. L/C/c/s/S are native order, N is
# network order; Z20 etc. are NUL-padded strings of that width.
my ($magic, $id, $type, $genre, $detail, $dist, $link, $tos, $fw,
    $nat, $real, $score, $mflags, $uptime) =
    unpack ("L L C Z20 Z40 c Z30 Z30 C C C s S N", $response);

die "Bad response magic.\n" if $magic != $QUERY_MAGIC;
die "P0f did not honor our query.\n" if $type == 1;
die "This connection is not (no longer?) in the cache.\n" if $type == 2;

# Display result
print "Genre    : " . $genre . "\n";
print "Details  : " . $detail . "\n";
print "Distance : " . $dist . " hops\n";
print "Link     : " . $link . "\n";
print "Uptime   : " . $uptime . " hrs\n";
Thanks
Vincent Li
Blog http://bl0g.blogdns.com
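As an added illustration (not part of the post or of the p0f package), here is the same query layout as p0fq.pl's pack("L L L N N S S") written with Python's struct module, with a host byte-order parameter so the little-endian and big-endian cases can be compared side by side; it also reproduces the L->V / S->v attempt from the post and checks what a daemon reading the bytes in its native order would see. The 24-byte layout without padding and the daemon-side magic/type check are assumptions derived from the Perl template, not taken from p0f's headers.

```python
import struct
import sys

# Constants and field order taken from p0fq.pl's pack("L L L N N S S", ...)
QUERY_MAGIC = 0x0defaced
QTYPE_FINGERPRINT = 1
FIELDS = ("magic", "type", "id", "src_ad", "dst_ad", "src_port", "dst_port")

def ip_to_int(dotted):
    """Host-order integer for a dotted quad, like Net::IP->intip()."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def native_order():
    """struct byte-order prefix ('<' or '>') for the machine this runs on."""
    return "<" if sys.byteorder == "little" else ">"

def build_query(src_ip, src_port, dst_ip, dst_port, host=None, qid=0x12345678):
    """Same bytes as p0fq.pl's template: L/S fields in the packing host's
    byte order, N fields in network order. `host` ('<' or '>') simulates
    packing on a little- or big-endian machine; None means this machine."""
    host = host or native_order()
    return (struct.pack(host + "III", QUERY_MAGIC, QTYPE_FINGERPRINT, qid)
            + struct.pack("!II", ip_to_int(src_ip), ip_to_int(dst_ip))
            + struct.pack(host + "HH", src_port, dst_port))

def build_query_forced_le(src_ip, src_port, dst_ip, dst_port, qid=0x12345678):
    """The L->V, S->v change tried in the post: magic/type/id/ports are
    forced little-endian no matter which machine packs them."""
    return build_query(src_ip, src_port, dst_ip, dst_port, "<", qid)

def parse_as_daemon(buf, host=None):
    """Decode the 24 bytes as a C program on `host` would read its struct:
    native-order integers, except the two addresses, which stay network order
    (assumed layout: no padding, matching the Perl template byte for byte)."""
    host = host or native_order()
    magic, qtype, qid = struct.unpack(host + "III", buf[:12])
    src_ad, dst_ad = struct.unpack("!II", buf[12:20])
    ports = struct.unpack(host + "HH", buf[20:24])
    return dict(zip(FIELDS, (magic, qtype, qid, src_ad, dst_ad) + ports))

def daemon_accepts(buf, host=None):
    """The sanity check a query handler does first: known magic and type."""
    q = parse_as_daemon(buf, host)
    return q["magic"] == QUERY_MAGIC and q["type"] == QTYPE_FINGERPRINT
```

Packing and parsing with the same host order succeeds on either byte order; forcing little-endian only matches when the daemon's host is little-endian too, which is why a global L->V swap does not help on a big-endian Mac.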