Stuart Henderson wrote:
On 2006/08/28 15:26, Daniel Ouellet wrote:
I have a list of 46K computers that from the logs are all the same OS,
patch, etc., and I want to get the OSFP of it to see what it might be and
if that's the only connection with that specific signature.
If you log the traffic with pflogd, you can read the logfiles
with tcpdump -o which will lookup from /etc/pf.os to guess the
OS type.
Thanks. I got a good suggestion that looks like it might do the job. Will
know later:
sudo tcpdump -o -lvvvnr /var/log/pflog 'tcp[13] &0x12 = 2'
I need first to increase the "snap len" for pflogd and then enter all
these IPs in a table and start logging.
Not sure if the results will be any use, but without doing it, I will
never know.
Last, as for the signature that may be different on the same computer if
controlled by a webbot, is that possible? I guess not as the TCP stack
isn't changed, but does anyone know for sure? I am curious about that part.
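As an added illustration (not part of this thread, and not OpenBSD's own pf.os code), the script below reproduces what `tcpdump -o` does when it looks a SYN up in /etc/pf.os: it applies the same `tcp[13] & 0x12 = 2` test, pulls out the fields pf.os keys on (window, initial TTL, DF bit, packet size, option layout) and matches them against signatures written in pf.os notation. The signature table and the packets are constructed for the example, with "Example*" OS names rather than entries copied from /etc/pf.os, and only a subset of the pf.os window syntax (`*`, exact, `%n`, `S%n`) is implemented; treating the signature TTL as an upper bound on the observed TTL is this example's way of tolerating hop decrements.

```python
"""Passive OS fingerprinting of a TCP SYN in the style of pf.os(5) / tcpdump -o.
Added example with CONSTRUCTED signatures and packets; not code from /etc/pf.os."""
import struct

SYN, ACK = 0x02, 0x10

def is_bare_syn(flags):
    """Same test as the tcpdump filter 'tcp[13] & 0x12 = 2': SYN set, ACK clear."""
    return flags & (SYN | ACK) == SYN

def encode_options(tokens):
    """Build TCP option bytes from pf.os-style tokens (only used to construct test packets)."""
    out = b""
    for t in tokens:
        if t == "N":
            out += b"\x01"                                  # NOP
        elif t == "S":
            out += b"\x04\x02"                              # SACK permitted
        elif t == "T":
            out += b"\x08\x0a" + b"\x00" * 8                # timestamp, zero values
        elif t[0] == "M":
            out += struct.pack("!BBH", 2, 4, int(t[1:]))    # MSS
        elif t[0] == "W":
            out += struct.pack("!BBB", 3, 3, int(t[1:]))    # window scale
    return out

def build_syn(ttl, df, window, tokens):
    """Constructed IPv4+TCP SYN with the given fingerprint fields (checksums left zero)."""
    opts = encode_options(tokens)
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (tcp_len // 4) << 12 | SYN,
                      window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

def decode_options(raw):
    """Translate TCP option bytes into pf.os tokens; unknown kinds are skipped."""
    tokens, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                       # end of option list
            break
        if kind == 1:                                       # NOP has no length byte
            tokens.append("N")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:             # truncated or malformed
            break
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            tokens.append("M%d" % struct.unpack("!H", body)[0])
        elif kind == 3 and len(body) == 1:
            tokens.append("W%d" % body[0])
        elif kind == 4:
            tokens.append("S")
        elif kind == 8 and len(body) == 8:
            tokens.append("T0" if struct.unpack("!II", body)[0] == 0 else "T")
        i += length
    return tokens

def fingerprint(pkt):
    """pf.os-style fields of a bare IPv4 TCP SYN, or None for any other packet."""
    ver_ihl, _tos, total_len, _id, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if not is_bare_syn(off_flags & 0xFF):                   # low byte is tcp[13]
        return None
    return {"window": window, "ttl": ttl, "df": 1 if frag & 0x4000 else 0,
            "size": total_len, "opts": decode_options(tcp[20:(off_flags >> 12) * 4])}

# Constructed signatures in pf.os layout; the OS names are placeholders, not real entries.
SIGNATURES = """\
# window:ttl:df:size:options:class:version:subtype:details
65535:64:1:64:M*,N,N,S,N,W0,N,N,T:ExampleBSD:1.0::ExampleBSD 1.0
5840:64:1:60:M*,S,T,N,W*:ExampleLinux:2.6::ExampleLinux 2.6
65535:128:1:48:M*,N,N,S:ExampleWin:XP::ExampleWin XP
"""

def parse_signatures(text):
    sigs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            f = line.split(":")
            sigs.append({"window": f[0], "ttl": int(f[1]), "df": int(f[2]), "size": f[3],
                         "opts": f[4].split(",") if f[4] else [], "details": f[8]})
    return sigs

def match_window(sig, window, mss):
    if sig == "*":
        return True
    if sig.startswith("S%"):                                # multiple of the MSS
        return mss is not None and window == int(sig[2:]) * mss
    if sig.startswith("%"):                                 # modulo n
        return window % int(sig[1:]) == 0
    return window == int(sig)

def match_options(sig_opts, opts):
    """Option layout must match token for token; M*/W* wildcard the value, T accepts T0."""
    return len(sig_opts) == len(opts) and all(
        s == o or (s in ("M*", "W*") and o[0] == s[0]) or (s == "T" and o == "T0")
        for s, o in zip(sig_opts, opts))

def guess_os(pkt, sigs=None):
    """Details field of every signature the SYN matches (empty for non-SYNs)."""
    sigs = parse_signatures(SIGNATURES) if sigs is None else sigs
    fp = fingerprint(pkt)
    if fp is None:
        return []
    mss = next((int(o[1:]) for o in fp["opts"] if o[0] == "M"), None)
    return [s["details"] for s in sigs
            if match_window(s["window"], fp["window"], mss)
            and fp["ttl"] <= s["ttl"]                       # initial TTL minus hops (assumption)
            and fp["df"] == s["df"]
            and (s["size"] == "*" or int(s["size"]) == fp["size"])
            and match_options(s["opts"], fp["opts"])]

if __name__ == "__main__":
    pkt = build_syn(61, 1, 65535, ["M1460", "N", "N", "S", "N", "W0", "N", "N", "T"])
    print(fingerprint(pkt), guess_os(pkt))
```

The packet size and option order are what give pf.os most of its discrimination; two stacks with the same window and TTL still differ in how they lay out MSS, NOP, SACK, window scale and timestamp, which is why the thread's question about a bot changing the signature comes down to whether the bot speaks through the host's own TCP stack.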