Hi again Michal,

I hacked a bit at the 'p0f' development source code to have your passive OS fingerprinting utility split into a library 'libp0f.a' and the classic main application 'p0f'.

I planned to use the library both in the Packet Shell 'pksh', as completely new fingerprinting capabilities, and in 'ntop', as a modern replacement for the 'ettercap' database, which is no longer updated. I have a preliminary version of my hacked work just to show you how things could be done. This version is far from complete, but I need your feedback.

Basically I have copied p0f.c into libp0f.c and have enclosed some functions and parts of the code between #if defined(P0F_MAIN) ... #endif /* P0F_MAIN */ according to the rough function table:

  die_nicely()        => main
  grab_name()         => library
  set_header()        => library
  display_signature() => library
  usage()             => main
  dump_packet()       => library
  collide()           => library
  dump_payload()      => library
  load_config()       => library
  find_match()        => library
  lookup_link()       => library
  parse()             => library
  lookup_tos()        => library
  main()              => main
  put_date()          => library

Some rules added to the Makefile are responsible for the generation of both the 'libp0f.a' and 'classic-p0f' targets. The Makefile can split p0f into a general purpose library 'libp0f.a' for passive OS fingerprinting and the classic p0f application. Why? Several network tools can benefit from that. I will use the libp0f library for OS fingerprinting in my 'pksh'. Just 'make hack' does the job and 'make nohack' does the cleanup.

I also included in the distribution a very simple program 'pcap-helloworld.c' that I wrote just as a demonstration of how to use the pcap library, now adapted to use the new library 'libp0f.a' for the purpose of OS fingerprinting.

After you have compiled the hacked sources you can check how the program works with:

  [1] [EMAIL PROTECTED] 3158> sudo ./hello-pcap -q
  hello-pcap: interface => 'eth0'
  hello-pcap: data-link => Ethernet [EN10MB]
  hello-pcap: network => 10.96.4.0
  hello-pcap: netmask => 255.255.252.0
  hello-pcap: no filter expression has been currently set for interface 'eth0'
  hello-pcap: Ready, now listening from 'eth0' using libpcap version 0.9.8
  10.96.4.119:58634 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] [high throughput] (up: 2046 hrs) -> 10.96.4.115:23 (link: ethernet/modem)
  ..........
  ..........

You can download the hacked p0f version at:

  http://pksh.tecsiel.it/hacked-p0f-2.0.8.tar.gz

I will work again on this issue to have a minimalist and well working OS fingerprinting library.

Hope it helps.

/rocco

ps. Some variables/types should be changed too in order to avoid the warning

  warning: pointer targets in assignment differ in signedness

if the -Wall flag is used with gcc, e.g. ttl in fpentry.h should be _u16 not _u8. I avoided doing this now because it is out of scope.

--
Rocco Carbone   mail-to: <rocco /at/ tecsiel /dot/ it>
Pisa, Italy
Life is in the details

In other words, you are welcome to use, share and improve me.
You are forbidden to forbid anyone else to use, share and improve what I gave you.

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
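As an added example (editor's code, not Rocco's patch, not p0f's own code and not part of the hacked tarball): the bracketed string in the hello-pcap output above, S4:64:1:60:M1460,S,T,N,W7:.:?:?, is a p0f 2.x signature in the layout wss:ttl:df:size:options:quirks:os:details. The block below parses that layout and looks the observed signature up in a small table written in the same format, which is the core of what an OS fingerprinting library has to do. The table entries, the OS labels and the 40-hop tolerance on TTL are constructed for illustration and are not taken from p0f.fp.

```c
/* Added example: parse a p0f 2.x signature line and match it against a table.
 * Not p0f code; table entries and MAX_HOPS are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXOPTS  16
#define FLEN     32
#define MAX_HOPS 40   /* assumed: observed TTL may sit below the initial TTL by up to this */

struct sig {
    char wss[FLEN];            /* window size field: "S4" = 4*MSS, "T3" = 3*MTU, or absolute */
    int  ttl, df, size;        /* initial TTL, DF bit, SYN packet size */
    char opts[MAXOPTS][FLEN];  /* TCP options in order, e.g. M1460 S T N W7 */
    int  nopts;
    char quirks[FLEN];         /* "." means no quirks */
    char os[FLEN], details[FLEN];
};

/* Copy the next field of *p (up to sep or NUL) into dst and advance *p past sep.
 * *p becomes NULL after the last field; returns 0 when no field is left. */
static int next_field(const char **p, char sep, char *dst, size_t n) {
    const char *s = *p, *e;
    size_t len;
    if (!s) return 0;
    e = strchr(s, sep);
    len = e ? (size_t)(e - s) : strlen(s);
    if (len >= n) len = n - 1;
    memcpy(dst, s, len);
    dst[len] = '\0';
    *p = e ? e + 1 : NULL;
    return 1;
}

/* Decimal field with no trailing garbage. */
static int parse_int(const char *s, int *out) {
    char *end;
    long v = strtol(s, &end, 10);
    if (*s == '\0' || *end != '\0') return 0;
    *out = (int)v;
    return 1;
}

/* Parse "S4:64:1:60:M1460,S,T,N,W7:.:?:?" into *out. Returns 1 on success, 0 if malformed. */
int parse_sig(const char *line, struct sig *out) {
    char f[8][128];
    const char *p = line, *o;
    int i;
    memset(out, 0, sizeof *out);
    for (i = 0; i < 8; i++)
        if (!next_field(&p, ':', f[i], sizeof f[i])) return 0;
    if (p) return 0;                              /* more than 8 fields: malformed */
    strncpy(out->wss, f[0], FLEN - 1);
    if (!parse_int(f[1], &out->ttl) || !parse_int(f[2], &out->df) ||
        !parse_int(f[3], &out->size)) return 0;
    for (o = f[4]; o; ) {                         /* options are comma separated */
        if (out->nopts == MAXOPTS) return 0;
        next_field(&o, ',', out->opts[out->nopts++], FLEN);
    }
    strncpy(out->quirks, f[5], FLEN - 1);
    strncpy(out->os, f[6], FLEN - 1);
    strncpy(out->details, f[7], FLEN - 1);
    return 1;
}

/* Exact match on every field except TTL, where the observed value may be lower than the
 * signature's initial TTL by fewer than MAX_HOPS (the packet lost one per router hop). */
static int sig_match(const struct sig *obs, const struct sig *ref) {
    int i;
    if (strcmp(obs->wss, ref->wss) || obs->df != ref->df || obs->size != ref->size ||
        strcmp(obs->quirks, ref->quirks) || obs->nopts != ref->nopts) return 0;
    if (obs->ttl > ref->ttl || ref->ttl - obs->ttl >= MAX_HOPS) return 0;
    for (i = 0; i < obs->nopts; i++)
        if (strcmp(obs->opts[i], ref->opts[i])) return 0;
    return 1;
}

/* Constructed signature table in p0f 2 layout; the OS/details labels are made up. */
static const char *const sig_table[] = {
    "S4:64:1:60:M1460,S,T,N,W7:.:Linux:2.6 (constructed)",
    "65535:128:1:48:M1460,N,N,S:.:Windows:XP (constructed)",
    NULL
};

/* Write "OS details" (or "UNKNOWN") into buf; return the hop distance, -1 if no match. */
int lookup_os(const char *observed, char *buf, size_t n) {
    struct sig obs, ref;
    int i;
    if (!parse_sig(observed, &obs)) { snprintf(buf, n, "UNKNOWN"); return -1; }
    for (i = 0; sig_table[i]; i++)
        if (parse_sig(sig_table[i], &ref) && sig_match(&obs, &ref)) {
            snprintf(buf, n, "%s %s", ref.os, ref.details);
            return ref.ttl - obs.ttl;
        }
    snprintf(buf, n, "UNKNOWN");
    return -1;
}

/* One-shot wrapper with a static buffer, handy for quick checks. */
const char *lookup_os_str(const char *observed) {
    static char buf[128];
    lookup_os(observed, buf, sizeof buf);
    return buf;
}

int main(void) {
    const char *seen = "S4:64:1:60:M1460,S,T,N,W7:.:?:?";   /* line from the output above */
    char who[128];
    int dist = lookup_os(seen, who, sizeof who);
    printf("%s -> %s (distance %d)\n", seen, who, dist);
    return 0;
}
```

With the constructed table the signature that hello-pcap printed as UNKNOWN resolves to the Linux entry at distance 0; against the real p0f.fp it stays UNKNOWN only because that exact option/window combination is absent there, which is exactly the case a library caller has to handle.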
