This is just a quick hack that can determine the OS based on fingerprints of
packets on the network.  Lance Spitzner originally wrote a white paper
detailing the differences in packet info and described a way to try and
determine what OS the sender was using based on packet logs.  This is merely
a proof-of-concept of that white paper.  For more white papers by
Lance Spitzner, see http://www.enteract.com/~lspitz

This script is licensed under the GPL; see COPYING for more info.

YOU'LL NEED
-----------
Net::RawIP	- You can get this from CPAN
libpcap		- If your distro doesn't have it check the README for RawIP

SYNTAX
------
./passivefingerprint.pl [store|print]

Without any options the program will watch all TCP packets and print an
OS guess.  There are two optional arguments (store and print):

store - Saves IP & OS to a Berkeley DB level 1 database file (traffic.db)
print - Prints this database file

The fingerprint file is called fingerprints.dat.  This file contains
the signatures used to guess the OS from packet fields (DF, TTL, window size).

MODIFICATIONS
-------------
Version 0.2
TOS is no longer used as a signature.  TOS is application dependent, so
the same OS may have different TOS values depending on the application used
(finger, telnet, ftp, etc.).

CONTRIBUTING
------------
Feel free to contribute any code you want.  We are looking for a code
modification that takes the average Window Size (say over five packets)
instead of looking at the Window Size of a single packet (which is how
it currently works).
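The matching step described above (DF, TTL, window size looked up against
fingerprints.dat) and the averaging change requested here, as an added
example that is not part of passivefingerprint.pl.  The signature table,
the one-line packet summaries and their text format are all constructed for
illustration, since the README does not show the real fingerprints.dat
format.  It goes a little beyond the script: the observed TTL is rounded up
to the nearest known initial TTL (64/128/255) so hop count does not break
the match, and window sizes can be matched within a tolerance.

```python
from collections import defaultdict, deque

# Constructed signature table standing in for fingerprints.dat:
# (DF flag, initial TTL, window size, OS label).
SIGNATURES = [
    (1, 64, 5840, "linux-2.4 (constructed)"),
    (1, 128, 8192, "windows-nt (constructed)"),
    (0, 255, 8760, "solaris-2.6 (constructed)"),
]
INITIAL_TTLS = sorted({sig[1] for sig in SIGNATURES})


def initial_ttl(observed):
    """Each hop decrements TTL, so the smallest known initial TTL that is
    >= the observed value is the sender's likely starting TTL."""
    for ttl in INITIAL_TTLS:
        if observed <= ttl:
            return ttl
    return None


def hop_count(observed):
    """Distance in hops implied by the observed TTL, or None if unknown."""
    start = initial_ttl(observed)
    return None if start is None else start - observed


def parse_line(line):
    """Parse a constructed packet summary: '<src> df=<0|1> ttl=<n> win=<n>'."""
    src, *kv = line.split()
    f = dict(item.split("=", 1) for item in kv)
    return src, int(f["df"]), int(f["ttl"]), int(f["win"])


def guess_os(df, ttl, win, tolerance=0):
    """Match DF and inferred initial TTL exactly, then take the signature
    whose window size is closest, provided it is within tolerance bytes."""
    start = initial_ttl(ttl)
    best, best_dist = "unknown", None
    for sig_df, sig_ttl, sig_win, name in SIGNATURES:
        if sig_df != df or sig_ttl != start:
            continue
        dist = abs(sig_win - win)
        if dist <= tolerance and (best_dist is None or dist < best_dist):
            best, best_dist = name, dist
    return best


class AveragingGuesser:
    """Averages the last n window sizes per source before matching, i.e.
    the change the CONTRIBUTING section asks for."""

    def __init__(self, n=5, tolerance=64):
        self.n, self.tolerance = n, tolerance
        self.windows = defaultdict(lambda: deque(maxlen=n))

    def observe(self, line):
        src, df, ttl, win = parse_line(line)
        q = self.windows[src]
        q.append(win)
        if len(q) < self.n:
            return src, None  # not enough samples yet
        avg = round(sum(q) / len(q))
        return src, guess_os(df, ttl, avg, self.tolerance)


# Constructed traffic: 10.0.0.5 is three hops away and sends one odd window.
PACKETS = [
    "10.0.0.5 df=1 ttl=61 win=5840",
    "10.0.0.5 df=1 ttl=61 win=5840",
    "10.0.0.5 df=1 ttl=61 win=5840",
    "10.0.0.5 df=1 ttl=61 win=5792",
    "10.0.0.5 df=1 ttl=61 win=5840",
    "10.0.0.9 df=1 ttl=120 win=8192",
]


def run(lines=PACKETS):
    """Return (per-packet guesses per source, averaged guess per source)."""
    single = defaultdict(list)
    for line in lines:
        src, df, ttl, win = parse_line(line)
        single[src].append(guess_os(df, ttl, win))
    guesser = AveragingGuesser()
    averaged = {}
    for line in lines:
        src, guess = guesser.observe(line)
        if guess is not None:
            averaged[src] = guess
    return dict(single), averaged


if __name__ == "__main__":
    single, averaged = run()
    for src, guesses in single.items():
        print(src, "per-packet:", guesses, "averaged:", averaged.get(src))
```

The per-packet run misclassifies the one packet with the odd window size,
while the five-packet average still lands within tolerance of the right
signature; the second source never reaches five samples, so the averaging
guesser stays silent about it rather than guessing early.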

AUTHOR INFO
-----------
Craig Smith (April 2000) craig@lintrox.com


USING WITH SOLARIS by Richard Tomkinson <rto17@qantas.com.au>
----------------------------------------------------------
libpcap
=======
I used version 3.5.  This will compile using standard
/usr/ccs/bin/lex & yacc, but whenever anything else that
needs it (e.g. tcpdump) tries to compile it will throw
a referencing error on yyflex in grammar.o.  Compiling
using bison and flex fixes this problem.

BerkeleyDB
==========
I used version 2.7.7 obtained from www.sleepycat.com.
This compiled fine (again with bison and flex).

DB_File
=======
Perl Module. I used version 1.73 obtained from CPAN. Just 
needed to do the usual hack of the Makefile to point to gcc.

Net-RawIP
=========
Perl Module, version 0.09 from CPAN.  Usual gcc hack, and had
to add an INCLUDE path for wherever pcap.h was to the
CCFLAGS.

passivefingerprint.pl
=====================
By default this looks for /dev/eth0 as the NIC. Under Solaris, 
the NIC can be a number of devices. You can either link /dev/eth0 
to whatever your device is or change the hardcoding.
