The new files have LOTS more signatures (basically the Ettercap file had not been maintained in two years). wc shows a lot more lines:
1329 fingerprint.ntop30
1747 fingerprint.ntop31

It's possible that a signature in the old file has been found to be applicable to multiple OSes. Incorrect signatures could have been removed (perhaps erroneously), etc.

For example - this is just a random block of the diff between the two files:

@@ -231,5 +272,8 @@
 1020:022C:FF:00:0:0:0:0:S:LT:Cisco 1750 IOS 12.0(5), Cisco 2500 IOS 11.3(1)
-1020:022C:FF:WS:0:0:0:0:A:2C:Cisco IOS
-1020:05B4:FF:WS:0:0:0:0:A:2C:Cisco IOS
+1020:022C:FF:WS:0:0:0:0:A:2C:Cisco IOS 12.0(5)
+1020:0564:FF:WS:0:0:0:0:A:2C:IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(8)T4,R
+1020:05B4:FF:WS:0:0:0:0:A:2C:Cisco IOS 12.1.5-12.2.13a
 1020:05B4:FF:WS:0:0:0:0:S:LT:Cisco 2611 IOS 11.3(2)XA4
+1020:6405:FF:WS:0:0:0:0:A:2C:Cisco IOS
+1020:B405:FF:WS:0:0:0:0:A:2C:AIRONET1200
 1020:_MSS:80:WS:0:0:0:0:A:LT:AS5200

Ettercap identified fingerprint "1020:05B4:FF:WS:0:0:0:0:A:2C" as "Cisco IOS"; Ettercap-NG knows that it's more precisely 12.1.5-12.2.13a. You would need to grab the two files and look up the specific fingerprint to be sure what's going on.

Understand that fingerprints are actually subtle differences in the (legal) implementation of the tcp/ip stack. But there's no master list. It's all based on people reporting what they've found. If somebody gives a credible but wrong report, that can easily get into the database. Even 'right' reports are only as good as the reporter's knowledge (i.e. it's XP vs. XP build nnnn with hotfix yyyyyy).

There is a page for reporting new fingerprints at http://ettercap.sourceforge.net/fingerprint.php

-----Burton

-----Original Message-----
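Review bot: the label on the `+1020:0564:FF:WS:0:0:0:0:A:2C:` line is a raw IOS banner string (`IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(8)T4,R`) rather than the `Cisco IOS <version>` form used on the neighbouring lines, and it looks cut off at `,R`; it should be normalised to the file's label convention. The two `-`/`+` pairs that turn the generic `Cisco IOS` for `1020:022C:...:A:2C` and `1020:05B4:...:A:2C` into `12.0(5)` and `12.1.5-12.2.13a` narrow fingerprints that, as the context line `Cisco 1750 IOS 12.0(5), Cisco 2500 IOS 11.3(1)` already shows, one stack behaviour can share across several releases; with no source recorded for the narrowed ranges, anyone consuming the file should read such a version label as a best guess rather than a positive identification.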
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stef
Sent: Wednesday, December 01, 2004 11:18 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] Today CSV ntop - question

Got the CVS ntop announced today by Burton, and immediately installed it on my test box (Linux, not the Mac I was previously talking about). First thing I did (once I got it up and running) was to run a capture file which I have previously used with the 3.0 stable version.

To my surprise, the data in the Host fingerprints (Local + Remote) section is different between the two versions, and not in regards to the OSs identified (which would be normal, if the signatures were newer), but rather in regards to the content of the cells corresponding to identified hosts - for example:

ntop 3.0 stable: host with IP1, identified as Windows XP/ME/2K, has as entries all usernames attempted in various sessions (2 SMTP, 5 FTP)

ntop 3.1 from CVS: host with IP1, identified as "precisely" Windows 2K (more specific - good thing, I guess) has only a few entries in the cell (only 1 FTP and 2 SMTP entries)

Doing an ngrep for the strings (usernames) identified with ntop 3.0 ==> found them all in the capture file.

So the question is: what changed in 3.1 that leaves such entries out?!?

TIA,
Stef

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
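Burton's advice above to grab the two fingerprint files and look up a specific fingerprint, as an added example (not ettercap's or ntop's own code): a small Python comparison of two fingerprint files keyed on the ten stack fields, so that added, removed and relabelled signatures fall out directly. It assumes the field layout documented in ettercap's etter.finger header and uses the hunk quoted in his mail as constructed sample data.

```python
"""Compare two ettercap-style passive OS fingerprint files by fingerprint key.
Line layout per ettercap's etter.finger header: WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS;
everything after the tenth colon is the OS label."""
from collections import defaultdict

# Constructed samples: the '-' plus context lines of the quoted hunk (old file)
# and the '+' plus context lines (new file).
OLD_DB = """\
1020:022C:FF:00:0:0:0:0:S:LT:Cisco 1750 IOS 12.0(5), Cisco 2500 IOS 11.3(1)
1020:022C:FF:WS:0:0:0:0:A:2C:Cisco IOS
1020:05B4:FF:WS:0:0:0:0:A:2C:Cisco IOS
1020:05B4:FF:WS:0:0:0:0:S:LT:Cisco 2611 IOS 11.3(2)XA4
1020:_MSS:80:WS:0:0:0:0:A:LT:AS5200
"""
NEW_DB = """\
1020:022C:FF:00:0:0:0:0:S:LT:Cisco 1750 IOS 12.0(5), Cisco 2500 IOS 11.3(1)
1020:022C:FF:WS:0:0:0:0:A:2C:Cisco IOS 12.0(5)
1020:0564:FF:WS:0:0:0:0:A:2C:IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(8)T4,R
1020:05B4:FF:WS:0:0:0:0:A:2C:Cisco IOS 12.1.5-12.2.13a
1020:05B4:FF:WS:0:0:0:0:S:LT:Cisco 2611 IOS 11.3(2)XA4
1020:6405:FF:WS:0:0:0:0:A:2C:Cisco IOS
1020:B405:FF:WS:0:0:0:0:A:2C:AIRONET1200
1020:_MSS:80:WS:0:0:0:0:A:LT:AS5200
"""

def parse_fingerprints(text):
    """Map each fingerprint key to the OS labels filed for it; a key carries
    several labels when different reporters submitted the same stack behaviour."""
    db = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 10)  # the OS label may itself contain ':'
        if len(parts) != 11:
            raise ValueError("malformed fingerprint line: %r" % line)
        db[":".join(parts[:10])].append(parts[10])
    return dict(db)

def diff_fingerprints(old_text, new_text):
    """Keys added, removed, or given different labels between two versions."""
    old, new = parse_fingerprints(old_text), parse_fingerprints(new_text)
    shared = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "relabelled": {k: (old[k], new[k]) for k in shared if old[k] != new[k]},
    }
```

Run `diff_fingerprints(OLD_DB, NEW_DB)` and the "relabelled" entry for 1020:05B4:FF:WS:0:0:0:0:A:2C shows the generic "Cisco IOS" becoming "Cisco IOS 12.1.5-12.2.13a", which is the change Burton points at.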
