PERL Beginners archive, February 2007

Subject: P0fq.pl and pack/unpack
Author: Vincent Li
Date: 2007-02-20, 6:58 pm



I am running passive OS fingerprinting tool p0f
http://lcamtuf.coredump.cx/p0f.shtml as:

p0f -Q /var/run/p0f.sock -0 'dst port 25' >> /dev/null &

then run a test script p0fq.pl from the p0f source package.

../p0fq.pl /var/run/p0f.sock src_host 0 dst_host 25

The p0fq.pl test script works on an x86 machine running Linux, but not on a Mac
running OS X/Yellow Dog Linux.

I suspect it might relate to the endianness of x86 and Mac, so by any
chance, could any Perl gurus shed some light for me on what's wrong with the p0fq.pl
script? Should the template of pack/unpack be adjusted to fit Mac's big
endian? I tried to use V to replace L, and v to replace s and S, in the template of
pack/unpack, but it still failed.

The p0fq.pl script is as follows:

#!/usr/bin/perl
# p0fq.pl - test client for the p0f query socket (p0f -Q)
use strict;
use warnings;
use IO::Socket;
use IO::Socket::UNIX;
use Net::IP;

my $QUERY_MAGIC       = 0x0defaced;
my $QTYPE_FINGERPRINT = 1;

die "usage: p0fq.pl p0f_socket src_ip src_port dst_ip dst_port\n"
    unless $#ARGV == 4;

# Convert the IPs and pack the request message.
# L and S use the host's byte order; N is always big-endian (network order).
my $src = new Net::IP ($ARGV[1]) or die (Net::IP::Error());
my $dst = new Net::IP ($ARGV[3]) or die (Net::IP::Error());
print "$ARGV[1]\n";    # debugging output: echo the source address
my $query = pack("L L L N N S S",
                 $QUERY_MAGIC, $QTYPE_FINGERPRINT, 0x12345678,
                 $src->intip(), $dst->intip(), $ARGV[2], $ARGV[4]);

# Open the connection to p0f
my $sock = new IO::Socket::UNIX (Peer => $ARGV[0],
                                 Type => SOCK_STREAM);
die "Could not create socket: $!\n" unless $sock;

# The reply is a fixed-size binary record. Read exactly that many bytes
# rather than a "line": a readline (<$sock>) stops at the first 0x0a byte,
# which can occur anywhere in binary data (e.g. a hop distance of 10).
my $RESP_FMT = "L L C Z20 Z40 c Z30 Z30 C C C s S N";
my $RESP_LEN = length pack($RESP_FMT, (0) x 14);

# Ask p0f
print $sock $query;
my $response = '';
my $got = read($sock, $response, $RESP_LEN) || 0;
close $sock;
die "Short or missing response from p0f ($got of $RESP_LEN bytes).\n"
    unless $got == $RESP_LEN;

# Extract the response from p0f
my ($magic, $id, $type, $genre, $detail, $dist, $link, $tos, $fw,
    $nat, $real, $score, $mflags, $uptime) = unpack($RESP_FMT, $response);

die "Bad response magic.\n" if $magic != $QUERY_MAGIC;
die "P0f did not honor our query.\n" if $type == 1;
die "This connection is not (no longer?) in the cache.\n" if $type == 2;

# Display result
print "Genre    : " . $genre  . "\n";
print "Details  : " . $detail . "\n";
print "Distance : " . $dist   . " hops\n";
print "Link     : " . $link   . "\n";
print "Uptime   : " . $uptime . " hrs\n";

Thanks

Vincent Li
Blog http://bl0g.blogdns.com
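The following is an added example, not p0fq.pl and not code from the p0f package: it shows which pack() template letters follow the host's byte order and which have a fixed order, using the magic value and the query template from the post above. The addresses and ports it packs are constructed sample values, and host_is_little_endian, dump_orders, magic_survives and build_query are names chosen for this example.

```perl
#!/usr/bin/perl
# Added example (not p0fq.pl and not part of p0f): which pack() letters
# follow the host's byte order, and what that means for the query bytes.
use strict;
use warnings;
use Config;

my $QUERY_MAGIC       = 0x0defaced;   # values from p0fq.pl
my $QTYPE_FINGERPRINT = 1;

# perl's own view of the host: "1234" = little-endian, "4321" = big-endian
# (64-bit perls report "12345678" / "87654321").
sub host_is_little_endian {
    return $Config{byteorder} =~ /^1234/ ? 1 : 0;
}

# Hex dump of one 32-bit value under three template letters.
# L = host order, V = always little-endian, N = always big-endian.
sub dump_orders {
    my ($value) = @_;
    return { map { ($_, unpack("H*", pack($_, $value))) } qw(L V N) };
}

# Round trip: pack with one letter, unpack with another, then apply the
# same magic check p0fq.pl applies to the reply it receives.
sub magic_survives {
    my ($pack_fmt, $unpack_fmt) = @_;
    my ($got) = unpack($unpack_fmt, pack($pack_fmt, $QUERY_MAGIC));
    return $got == $QUERY_MAGIC ? 1 : 0;
}

# The p0fq.pl query record under a given template. Addresses and ports
# are constructed sample values (hypothetical hosts 10.0.0.1 and 10.0.0.2).
sub build_query {
    my ($fmt) = @_;
    return pack($fmt, $QUERY_MAGIC, $QTYPE_FINGERPRINT, 0x12345678,
                0x0a000001,   # 10.0.0.1
                0x0a000002,   # 10.0.0.2
                40000, 25);
}

my $orders = dump_orders($QUERY_MAGIC);
printf "host byteorder=%s (%s-endian)\n", $Config{byteorder},
       host_is_little_endian() ? "little" : "big";
printf "  %s -> %s\n", $_, $orders->{$_} for qw(L V N);

# L/L and N/N always agree; L/N agrees only on a big-endian host,
# and V/N never agrees.
for my $pair (["L", "L"], ["N", "N"], ["L", "N"], ["V", "N"]) {
    printf "pack %s, unpack %s: magic %s\n", @$pair,
           magic_survives(@$pair) ? "ok" : "MISMATCH";
}

# p0fq.pl's template (L and S are host order) next to the same fields
# written with fixed-order letters only (N and n are always big-endian).
my $native = build_query("L L L N N S S");
my $fixed  = build_query("N N N N N n n");
printf "native : %s\n", unpack("H*", $native);
printf "fixed  : %s\n", unpack("H*", $fixed);
print  "native and fixed are ",
       ($native eq $fixed ? "identical" : "different"), " on this host\n";
```

On an x86 host the L and V dumps match (edacef0d), the L/N round trip reports a mismatch, and the native and fixed records differ in the L and S fields; on a big-endian host L matches N (0defaced) and the two records are byte-for-byte identical. Fixed-order letters therefore produce the same bytes everywhere, but whether a template should use them depends on whether the program on the other end of the socket reads its struct in host order or in network order, which is a question about that program, not about Perl. Since Perl 5.10, the `<` and `>` modifiers (e.g. `L<`, `L>`, `S>`) also let you force the byte order of the normally host-order letters.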