Host fingerprinting using sFlow

From: Peter Phaal
Date: 02/02/04

    If you are interested in passively identifying host operating systems using
    network traffic then the p0f utility appears to work quite well with sFlow.
    Host fingerprinting has a variety of uses, including: auditing the types of
    machine connected to your network and characterizing hostile traffic.

    In order to use p0f with sFlow you will need to use sflowtool. Most packet
    analysis tools such as p0f, tcpdump, snort etc. use libpcap to capture
    packet headers. sflowtool provides a mechanism for converting sFlow to
    libpcap format. For example, the following command runs p0f in conjunction
    with sflowtool:

        sflowtool -t | p0f -s -


    Peter Phaal
    InMon Corp.
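
Added example (not part of the original message, and not code from p0f or sflowtool): the Python below reads a classic libpcap stream, such as the one "sflowtool -t" writes, and extracts for each initial TCP SYN the header fields that passive fingerprinting relies on (TTL, DF bit, window size, MSS, TCP option order). It assumes untagged Ethernet II frames carrying IPv4; the function names and the sample packet are constructed for illustration.

```python
import io
import struct

def syn_features(stream):
    """Yield (src_ip, ttl, df, window, mss, option_kinds) per IPv4 TCP SYN in a pcap stream."""
    magic = stream.read(24)[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic libpcap stream")
    endian = "<" if magic[0] == 0xD4 else ">"
    while len(rec := stream.read(16)) == 16:
        caplen = struct.unpack(endian + "IIII", rec)[2]
        pkt = stream.read(caplen)
        # Sampled headers are truncated, so bounds-check before every field access.
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[14] >> 4 != 4 or pkt[23] != 6:
            continue  # not Ethernet II / IPv4 / TCP
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]
        if len(tcp) < 20 or tcp[13] & 0x12 != 0x02:
            continue  # keep only initial SYNs (SYN set, ACK clear)
        opts, kinds, mss, i = tcp[20:(tcp[12] >> 4) * 4], [], None, 0
        while i < len(opts) and opts[i] != 0:  # kind 0 = end of option list
            if opts[i] == 1:  # NOP is a single byte with no length field
                kinds.append(1)
                i += 1
                continue
            if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
                break  # malformed option, or cut off by the capture length
            if opts[i] == 2 and opts[i + 1] == 4:
                mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
            kinds.append(opts[i])
            i += opts[i + 1]
        yield (".".join(map(str, pkt[26:30])), pkt[22], bool(pkt[20] & 0x40),
               struct.unpack("!H", tcp[14:16])[0], mss, tuple(kinds))

def sample_capture(flags=0x02):
    """Constructed sample: a little-endian pcap stream holding one TCP segment."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 52, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x80, flags, 5840, 0, 0)
    pkt = bytes(12) + b"\x08\x00" + ip + tcp + bytes.fromhex("020405b40101040201030307")
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 128, 1)
            + struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt)

if __name__ == "__main__":
    for row in syn_features(io.BytesIO(sample_capture())):
        print(row)
```

To run it on live data, pass sys.stdin.buffer to syn_features and pipe the output of "sflowtool -t" into the script.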
