Host fingerprinting using sFlow

From: Peter Phaal (peter.phaal@inmon.com)
Date: 02/02/04


    If you are interested in passively identifying host operating systems using
    network traffic then the p0f utility <http://lcamtuf.coredump.cx/p0f.shtml>
    appears to work quite well with sFlow. Host fingerprinting has a variety
    of uses, including: auditing the types of machine connected to your network
    and characterizing hostile traffic.

    In order to use p0f with sFlow you will need to use sflowtool
    <http://www.inmon.com/technology/sflowTools.php>. Most packet analysis tools
    such as p0f, tcpdump, snort etc. use libpcap to capture packet headers.
    sflowtool provides a mechanism for converting sFlow to libpcap format. For
    example, the following command runs p0f in conjunction with sflowtool:

        sflowtool -t | p0f -s -

    Peter

    ----------------------
    Peter Phaal
    InMon Corp.

    Peter.Phaal@inmon.com
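As an added illustration (not code from the post above, nor from p0f or sflowtool) of what a passive fingerprinter does with the sampled TCP/IP headers it is handed: it reads the initial TTL, window size, DF bit, MSS and option order from a SYN and looks them up in a signature table. The Ethernet frame bytes and the two-entry signature table are constructed here; p0f's real database is far larger and keys on more fields.

```python
# Constructed signature table (illustrative labels only; p0f's real database is
# much larger and keys on more fields). Key: (initial TTL, window, DF, MSS, option order).
SIGNATURES = {
    (64, 5840, True, 1460, ("mss", "nop", "ws")): "Linux-style stack (constructed label)",
    (128, 65535, True, 1460, ("mss", "nop", "nop", "sackok")): "Windows-style stack (constructed label)",
}
# Constructed Ethernet/IPv4/TCP SYN: TTL 64, DF set, window 5840, options
# MSS 1460, NOP, window scale 7. Checksums are left zero (not validated here).
SAMPLE_SYN = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                             # Ethernet header
    "450000301234" "4000" "4006" "0000" "c0a8010a" "c0a80114"        # IPv4: DF set, TTL 64, proto 6
    "c000" "0050" "00000001" "00000000" "7002" "16d0" "0000" "0000"  # TCP: SYN, data offset 7
    "020405b4" "01" "030307"                                         # options: MSS, NOP, WS=7
)

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def tcp_syn_signature(frame):
    """Extract p0f-style fields from an IPv4 TCP SYN; None if the frame is not one."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                          # not IPv4 over Ethernet, or not TCP
    ip = frame[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:]            # skip IHL*4 bytes of IP header
    if tcp[13] & 0x12 != 0x02:               # require SYN set and ACK clear
        return None
    df = bool(ip[6] & 0x40)
    window = int.from_bytes(tcp[14:16], "big")
    opts, order, mss, i = tcp[20:(tcp[12] >> 4) * 4], [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # end-of-options
            break
        if kind == 1:                        # NOP carries no length byte
            order.append("nop"); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                            # truncated or malformed option
        if kind == 2:
            mss = int.from_bytes(opts[i + 2:i + 4], "big")
        order.append({2: "mss", 3: "ws", 4: "sackok", 8: "ts"}.get(kind, f"opt{kind}"))
        i += opts[i + 1]
    return (initial_ttl(ip[8]), window, df, mss, tuple(order))

def fingerprint(frame):
    """Map a SYN frame to an OS label from the signature table, or None if not a SYN."""
    sig = tcp_syn_signature(frame)
    return None if sig is None else SIGNATURES.get(sig, "unknown")
```

Because sFlow delivers sampled headers rather than full flows, a fingerprinter fed this way only sees the SYNs that happen to be sampled, so coverage grows with sampling rate and observation time.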



    This archive was generated by hypermail 2.1.4 : 02/02/04 PST