Giampaolo,

> 1) it could consume even less cpu and memory;
> 2) using a pipe to vector data to the p0f-analyzer.pl is an ugly technique [...]

I have nothing against extending p0f to satisfy queries with missing port numbers, actually I'm very happy someone decided to do this eventually. Writing p0f-analyzer.pl was just my quick solution to an immediate problem. If p0f will provide a UDP-based query protocol (or some other mechanism to be able to answer queries from a remote host) and be able to supply the information, I can easily adjust client code in amavisd-new to take advantage of it.

I chose UDP because it is very lightweight and does not require making up and tearing down sessions, or keeping evidence of clients in the server's IP stack. A potential packet loss is not serious, and is rare on the same LAN.

> > Make sure to consider IPv6 addresses in new development work.
> Actually, p0f is not designed to sample any activity on the IPv6 stack

I know, and that is quite unfortunate, as we are missing p0f info on mail that arrives over IPv6. I just wanted to put you in the right direction when devising a protocol, so that it won't need to be changed when p0f eventually starts supporting snooping on IPv6. Hint, hint...

> It will be dst-address/dst-port/src-address/src-port/nonce.
> Wildcards can be applied to the src-port field.

Perfect.

Mark
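
Added example, not part of the original message and not code from p0f or amavisd-new: a sketch of a stateless query handler keyed on dst-address/dst-port/src-address/src-port/nonce that accepts IPv4 and IPv6 alike, honours a wildcard source port, and echoes the nonce so the client can discard stray replies. The whitespace-separated encoding, the `*` wildcard marker, the `-` "no data" reply, the function names and the sample table are all assumptions.

```python
import ipaddress

WILDCARD = "*"  # assumed marker for "any source port"

# Constructed sample table: (dst-addr, dst-port, src-addr, src-port) -> fingerprint
OBSERVED = {
    ("192.0.2.10", 25, "198.51.100.7", 40112): "Linux 2.6",
    ("2001:db8::25", 25, "2001:db8:1::7", 51344): "FreeBSD 6.x",
}

def norm_ip(text):
    # One canonical spelling for IPv4 and IPv6, so equal addresses compare equal.
    return str(ipaddress.ip_address(text))

def parse_query(datagram):
    # Assumed encoding: five whitespace-separated ASCII fields.
    dst, dport, src, sport, nonce = datagram.decode("ascii").split()
    dport = int(dport)
    sport = None if sport == WILDCARD else int(sport)
    for port in (dport, sport):
        if port is not None and not 0 < port < 65536:
            raise ValueError("port out of range")
    return norm_ip(dst), dport, norm_ip(src), sport, nonce

def lookup(table, dst, dport, src, sport):
    # With a wildcard source port the first matching connection wins.
    for (t_dst, t_dport, t_src, t_sport), fingerprint in table.items():
        if (norm_ip(t_dst), t_dport, norm_ip(t_src)) != (dst, dport, src):
            continue
        if sport is None or sport == t_sport:
            return fingerprint
    return None

def handle(datagram, table=OBSERVED):
    # Server side: one datagram in, one out, no per-client state kept.
    try:
        dst, dport, src, sport, nonce = parse_query(datagram)
    except ValueError:  # also covers UnicodeDecodeError
        return None  # malformed query: send nothing back
    fingerprint = lookup(table, dst, dport, src, sport)
    return f"{nonce} {fingerprint or '-'}".encode("ascii")

def accept_reply(reply, expected_nonce):
    # Client side: a late or foreign datagram carries the wrong nonce; ignore it.
    nonce, _, body = reply.decode("ascii").partition(" ")
    return body if nonce == expected_nonce else None
```

In a real client the nonce would be unpredictable per query (for example from `secrets.token_hex`), since on UDP it is the only thing tying a reply to its request.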