Thank you for your extensive explanation, but this is not what I was trying to raise your awareness about. What you're talking about is a by-product ;) I am sorry if my email was misleading, or unclear. I will try to be more specific. The reason for bringing up the (better in my opinion) signatures was for completeness reasons, but has nothing to do with the issue I was trying to raise. Let me be more specific.
- under ntop 3.0, after having "read in" a whole trace file, in the Fingerprint "page", in the table, at the "cross-road" (common cell) between the row with the IP address, and the column identifying the OS, I have five entries (unfortunately I am at work now, so I will have to write these from memory):

    anonymou [ FTP ]
    ftp [ FTP ]
    [EMAIL PROTECTED] [ SMTP ]
    none [ FTP ]
    + [ FTP ]
    tail|s [ SMTP ]
    somethi/ [ FTP ]

- under ntop 3.1CVS12-10-04, even though the column is not different (a better OS identification), at the cell cross-road I now have only:

    ftp [ FTP ]
    [EMAIL PROTECTED] [ SMTP ]
    none [ FTP ]

... and, as I said, I have ngrep-ed the trace file and found anonymous as a username in an ftp session related to that system, so there is something different in the way FTP and SMTP (at least) records appear in the host fingerprinting ...

Does it make sense now?

Thx,
Stef

On Thu, 2 Dec 2004 07:53:42 -0600, Burton Strauss <[EMAIL PROTECTED]> wrote:
> The new files have LOTS more signatures (basically the Ettercap file had not
> been maintained in two years). wc shows a lot more lines:
>
> 1329 fingerprint.ntop30
> 1747 fingerprint.ntop31
>
> It's possible that a signature in the old file has been found to be
> applicable to multiple OSes. Incorrect signatures could have been removed
> (perhaps erroneously), etc.
>
> For example - this is just a random block of the diff between the two files:
>
> @@ -231,5 +272,8 @@
> 1020:022C:FF:00:0:0:0:0:S:LT:Cisco 1750 IOS 12.0(5), Cisco 2500 IOS 11.3(1)
> -1020:022C:FF:WS:0:0:0:0:A:2C:Cisco IOS
> -1020:05B4:FF:WS:0:0:0:0:A:2C:Cisco IOS
> +1020:022C:FF:WS:0:0:0:0:A:2C:Cisco IOS 12.0(5)
> +1020:0564:FF:WS:0:0:0:0:A:2C:IOS (tm) C2600 Software (C2600-IS-M), Version
> 12.2(8)T4,R
> +1020:05B4:FF:WS:0:0:0:0:A:2C:Cisco IOS 12.1.5-12.2.13a
> 1020:05B4:FF:WS:0:0:0:0:S:LT:Cisco 2611 IOS 11.3(2)XA4
> +1020:6405:FF:WS:0:0:0:0:A:2C:Cisco IOS
> +1020:B405:FF:WS:0:0:0:0:A:2C:AIRONET1200
> 1020:_MSS:80:WS:0:0:0:0:A:LT:AS5200
>
> Ettercap identified fingerprint "1020:05B4:FF:WS:0:0:0:0:A:2C" as "Cisco
> IOS", Ettercap-NG knows that it's more precisely 12.1.5-12.2.13a.
>
> You would need to grab the two files and look up the specific fingerprint to
> be sure what's going on.
>
> Understand that fingerprints are actually subtle differences in the (legal)
> implementation of the tcp/ip stack. But there's no master list. It's all
> based on people reporting what they've found. If somebody gives a credible
> but wrong report, that can easily get into the database. Even 'right'
> reports are only as good as the reporter's knowledge (i.e. it's XP vs. XP
> build nnnn with hotfix yyyyyy).
>
> There is a page for reporting new fingerprints at
> http://ettercap.sourceforge.net/fingerprint.php
>
> -----Burton
>
>
> -----Original Message-----
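Review bot: the `+1020:0564:FF:WS:0:0:0:0:A:2C:IOS (tm) C2600 Software (C2600-IS-M), Version` entry is wrapped by the mail client onto a second line (`> 12.2(8)T4,R`), so the hunk as quoted shows nine new-side lines where the `@@ -231,5 +272,8 @@` header accounts for eight and it will not apply as pasted; beyond the wrap, that OS field is a raw IOS version banner ending in a stray `,R`, inconsistent with the `Cisco IOS <version>` labels on the neighbouring entries (`Cisco IOS 12.0(5)`, `Cisco IOS 12.1.5-12.2.13a`), so normalising it to `Cisco IOS 12.2(8)T4` would keep the labels comparable and searchable. Also worth stating in the change description that the two `-` lines retire the bare `Cisco IOS` label for the `022C` and `05B4` signatures, so any host previously reported as "Cisco IOS" on those now gets a version-specific label, while `+1020:6405:FF:WS:0:0:0:0:A:2C:Cisco IOS` reintroduces the bare label for a new signature.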
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stef
> Sent: Wednesday, December 01, 2004 11:18 PM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] Today CSV ntop - question
>
> Got the CVS ntop announced today by Burton, and immediately installed it on
> my test box (Linux, not the Mac I was previously talking about).
> First thing I did (once I got it up and running) was to run a capture file
> which I have previously used with the 3.0 stable version. To my surprise,
> the data in the Host fingerprints (Local + Remote) section is different
> between the two versions, and not in regards to the OS's identified (which
> would be normal, if the signatures were newer), but rather in regards to the
> content of the cells corresponding to identified hosts - for example:
>
> ntop 3.0 stable:
> host with IP1, identified as Windows XP/ME/2K, has as entries all usernames
> attempted in various sessions (2 SMTP, 5 FTP)
>
> ntop 3.1 from CVS:
> host with IP1, identified as "precisely" Windows 2K (more specific - good
> thing, I guess) has only a few entries in the cell (only 1 FTP and 2 SMTP
> entries)
>
> Doing an ngrep for the strings (usernames) identified with ntop 3.0 ==>
> found them all in the capture file. So the question is: what changed in 3.1
> that leaves such entries out?!?
>
> TIA,
> Stef
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop
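Burton's advice above is to grab both fingerprint files and look up the specific signature rather than guess from the OS column. The following is an added example (not ntop's or ettercap's own code) of doing exactly that: it parses two ettercap-format fingerprint files, answers "what does each file say about this signature", and classifies every signature as added, removed, relabelled or unchanged. It assumes the field layout of ntop's fingerprint.* files is the ettercap one, `WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS` (window size, MSS, TTL, window scale, SACK, NOP, DF, timestamp, TCP flag, IP length, OS label); the two sample files are constructed from the hunk quoted in the thread (old side = context plus `-` lines, new side = context plus `+` lines), with the mail-wrapped "Version / 12.2(8)T4,R" line joined back together.

```python
"""Look up one TCP/IP stack fingerprint in two ettercap-format fingerprint
files and diff the two tables.

Added example, not code from ntop or ettercap.  Assumed file layout (the
ettercap etter.finger.os format ntop's fingerprint.* files are derived from):

    WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS

The first ten fields make up the signature, the eleventh is the OS label.
"""
from typing import Dict, List, Tuple

# Names of the ten signature fields, in file order (assumed ettercap layout).
FIELDS = ("win", "mss", "ttl", "wscale", "sack", "nop", "df", "ts", "flag", "len")

# Constructed sample: the old-side lines of the hunk quoted in the thread.
OLD_FILE = """\
# constructed sample, fingerprint.ntop30 region around line 231
1020:022C:FF:00:0:0:0:0:S:LT:Cisco 1750 IOS 12.0(5), Cisco 2500 IOS 11.3(1)
1020:022C:FF:WS:0:0:0:0:A:2C:Cisco IOS
1020:05B4:FF:WS:0:0:0:0:A:2C:Cisco IOS
1020:05B4:FF:WS:0:0:0:0:S:LT:Cisco 2611 IOS 11.3(2)XA4
1020:_MSS:80:WS:0:0:0:0:A:LT:AS5200
"""

# Constructed sample: the new-side lines of the same hunk (wrapped line joined).
NEW_FILE = """\
# constructed sample, fingerprint.ntop31 region around line 272
1020:022C:FF:00:0:0:0:0:S:LT:Cisco 1750 IOS 12.0(5), Cisco 2500 IOS 11.3(1)
1020:022C:FF:WS:0:0:0:0:A:2C:Cisco IOS 12.0(5)
1020:0564:FF:WS:0:0:0:0:A:2C:IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(8)T4,R
1020:05B4:FF:WS:0:0:0:0:A:2C:Cisco IOS 12.1.5-12.2.13a
1020:05B4:FF:WS:0:0:0:0:S:LT:Cisco 2611 IOS 11.3(2)XA4
1020:6405:FF:WS:0:0:0:0:A:2C:Cisco IOS
1020:B405:FF:WS:0:0:0:0:A:2C:AIRONET1200
1020:_MSS:80:WS:0:0:0:0:A:LT:AS5200
"""


def parse_fingerprints(text: str) -> Dict[str, List[str]]:
    """Map each ten-field signature to the list of OS labels a file gives it.

    The OS label is everything after the tenth ':' and may itself contain
    colons (raw banners do), so the line is split into at most eleven pieces.
    Blank lines and '#' comments are skipped; a line with too few fields
    raises instead of being silently filed under a bogus signature.
    """
    table: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", len(FIELDS))
        if len(parts) != len(FIELDS) + 1:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(parts)}: {raw!r}")
        signature = ":".join(parts[:-1])
        table.setdefault(signature, []).append(parts[-1])
    return table


def lookup(signature: str, old: Dict[str, List[str]],
           new: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (labels in old file, labels in new file); [] means no entry."""
    return old.get(signature, []), new.get(signature, [])


def diff_tables(old: Dict[str, List[str]],
                new: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Classify every signature seen in either file."""
    result: Dict[str, List[str]] = {"added": [], "removed": [], "relabelled": [], "unchanged": []}
    for signature in sorted(set(old) | set(new)):
        if signature not in old:
            result["added"].append(signature)
        elif signature not in new:
            result["removed"].append(signature)
        elif old[signature] != new[signature]:
            result["relabelled"].append(signature)
        else:
            result["unchanged"].append(signature)
    return result


if __name__ == "__main__":
    old_table = parse_fingerprints(OLD_FILE)
    new_table = parse_fingerprints(NEW_FILE)
    # The signature Burton singles out in his reply.
    sig = "1020:05B4:FF:WS:0:0:0:0:A:2C"
    print(sig, "->", lookup(sig, old_table, new_table))
    for kind, sigs in diff_tables(old_table, new_table).items():
        print(f"{kind}: {sigs}")
```

Against real files, replace the two constructed strings with `open(path).read()` on fingerprint.ntop30 and fingerprint.ntop31; a signature that lands in `relabelled` is one where a host's OS column changes between versions even though the host's traffic did not.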
