Nmap Development mailing list archives
Re: IPv6 Hop Limit as feature in FPEngine
From: Alexandru Geana <alex () alegen net>
Date: Tue, 24 Feb 2015 13:34:03 +0100
On 02/23, David Fifield wrote:
> On Mon, Feb 23, 2015 at 10:00:44AM +0100, Alexandru Geana wrote:
> > I am submitting two small patches which add the IPv6 Hop Limit field as a feature for OS probing and detection. I hope this is the first in a long line of future patches meant to improve the accuracy of OS detection over IPv6. One patch is for the nmap tree and the other is for nmap-exp/luis/ipv6tests. The patch tries to guess the initial value of the field (255, 128, 64 or 32) and considers each one a distinct class. Additionally, in FPEngine.cc I switched from "external" declarations to including a generated header file. The header file (FPModel.h) is created same as FPModel.cc by the train.py script in Luis' folder. The reason is consistency in the size of the FPMean and FPVariance matrices.
>
> This is great! I've only read the diff, but it looks good to me.
Nice to hear. I was rather shy to submit this but I guess it is not as bad as I thought.
> I'm curious, what is the distribution of hoplimit values in our current database?
I had some pieces of code, scriptlets that I used when looking at this data. I "prettified" them and added them to a single script file [1]. This is the output for each group in nmap.groups [2].
> Are there any members of a class that appear not to belong because of a different hoplimit?
There are certain "anomalies", so to speak. For example, the groups "VMware ESXi 5" and "OpenBSD 4.8" have one outlier each, which is not very bad I think. On the other hand, there are also groups such as "Linux 2.6.32 - 2.6.39" with hop limit values centered around 64 and 255 and the average around 157. It seems at some point during these two releases the default value was changed. Finally, there are also some groups which are consistent throughout all fingerprints, such as "FreeBSD 9.1" (64) and "OpenWrt (Linux 3.3)" (57, not sure if they distribute all images with this value as the default).

[1] https://raw.githubusercontent.com/alegen/nmap/alegen/alegen/scripts/hlim_dist.py
[2] https://raw.githubusercontent.com/alegen/nmap/alegen/alegen/scripts/hlim_dist_output.txt

Best regards,
Alexandru Geana
alegen.net
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
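The two steps the thread discusses, mapping an observed Hop Limit to one of the initial-value classes (255, 128, 64 or 32) and then checking how each OS group in the fingerprint database is distributed over those classes, can be sketched in a few lines. The script below is an added example written for this page; it is not Alexandru's hlim_dist.py, not Nmap's FPEngine, and not attached to the thread. The classification rule it uses (the smallest candidate initial value that is at least the observed hop limit, since the field only decreases in transit) is an assumption about how the patch guesses the initial value, and the per-group hop limit samples are constructed, not taken from nmap-os-db.

```python
"""Classify observed IPv6 Hop Limit values into initial-value classes and
summarise their distribution per OS group.  Added example, not Nmap code."""
from collections import Counter
from statistics import mean

# Candidate initial Hop Limit values, as named in the thread.
INITIAL_HLIM_CLASSES = (32, 64, 128, 255)


def guess_initial_hlim(observed):
    """Return the smallest candidate initial value >= the observed hop limit.

    The hop limit is decremented by every router on the path and never
    increased, so the sender's initial value cannot be lower than what we
    captured.  Picking the nearest class at or above the observation is an
    assumed rule (not necessarily the patch's exact logic).
    """
    if not 0 <= observed <= 255:
        raise ValueError("IPv6 Hop Limit is an 8-bit field")
    for cls in INITIAL_HLIM_CLASSES:
        if observed <= cls:
            return cls
    return 255  # not reachable: 255 is the largest class


def summarise_group(hlims):
    """Per-group statistics: average, count per class, majority class, outliers.

    A class is the group's majority only if it covers more than half of the
    fingerprints; otherwise the group is reported as split (majority None),
    which is the case the thread describes for releases that changed the
    default value.
    """
    classes = [guess_initial_hlim(h) for h in hlims]
    counts = Counter(classes)
    top, n = counts.most_common(1)[0]
    if 2 * n > len(hlims):
        majority = top
        outliers = [h for h, c in zip(hlims, classes) if c != majority]
    else:
        majority = None
        outliers = []
    return {
        "avg": mean(hlims),
        "classes": dict(counts),
        "majority": majority,
        "outliers": outliers,
    }


# Constructed sample fingerprints per group; NOT values from the real database.
SAMPLE_GROUPS = {
    "Consistent OS": [64, 64, 63, 64, 62],       # all decay from 64
    "One outlier": [255, 254, 255, 128, 255],   # one host sent 128
    "Split defaults": [64, 64, 255, 255, 64, 255],  # default changed mid-series
}


def report(groups=SAMPLE_GROUPS):
    """Summarise every group; this is what a database-wide check would print."""
    return {name: summarise_group(h) for name, h in groups.items()}


if __name__ == "__main__":
    for name, s in report().items():
        print(f"{name}: avg={s['avg']:.1f} classes={s['classes']} "
              f"majority={s['majority']} outliers={s['outliers']}")
```

Run as a script it prints one line per group; the "Split defaults" group comes out with no majority class and an average that sits between 64 and 255, which is the signal that a single hop limit feature would be unreliable for that group and why looking at the distribution before trusting the feature is worthwhile.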