> How does this interact with syn-proxy ?

It'll work fine if you add the "OS <string>" modifier on the syn-proxy
line.  You won't get an accurate fingerprint on the outbound direction
after it goes through the syn proxy.
 
> I would like other types of SYN packets to be added to the database.
> I'm talking about those that aren't created by an OS stack, but tools like
> hping, nmap, ettercap, firewalk...

NMAP is already included.  The quickest way to add them (if they're
unique and use a SYN packet) is to download the beta p0f at
http://lcamtuf.coredump.cx/p0f-beta.tgz.  Run it while you're scanning,
copy the fingerprint and adapt it to our format.

The p0f fingerprints have an OS and a Desc field.  We have an OS, a
Version, a subtype/patchlevel and an overall description field.  The
format is documented in the pf.os man page and in /etc/pf.os itself.

.mike
