Automatic passive OS fingerprinting

[gatemed]

Hello guys,

I'm looking for a tool to gather informations about hosts connected to my network (eventualy pirates hosts), the only way that I found to do that on a passive way (not active by discovering the whole network everytime using nmap or snmp scan for example), are tools like ettercap and p0f or python scapy with passive OS fingerprinting, but what I need is to gather informations on host each time a new one is discovered, so ettercap (or another tool) have to send me this information in real time, i'm trying to use API that those tools gives but they don't work this way.

For example, I tried with p0f tool (which ettercap use too I think) using his API, and I can ask information about an IP address or a couple of IP address (or the whole network) but this is not good for me since I don't want to ask for that everytime but I need to make it automatic or easier, so basically I want to have a server (mine) who will receive hosts informations from a tool like ettercap.

The other way I tired is to code a packet sniffer like ettercap, which is in fact a really basic packet analyzer, but this way I can only have basics informations such as IP and MAC address, but ettercap give some more interesting informations like operating systems and some other informations.

I can also pars the log file of a tool but this is not a good way too, since I have to pars this log file each time.

Is there a specific tool who can make this possible? I know it's possible, all I need is a little clue and I don't know where I can find it.

Thanks in advance,

Regards.

[digininja]

Are you able to get a network tap or are you just working off broadcast traffic?

Have you got a budget or looking for free stuff?

[gatemed]

Hello and thanks for you answer, but why do I have to use network tap ? There is no tool that can do what I want ?

And acutally I want to do it by myself without buying anathing

[digininja]

You don't have to use a network tap but if you do then it sees all network traffic, without one you either see only broadcast traffic or you have to mess with ARP poisoning, the first you will miss a lot, the second you'll probably break your network.

Try taking a look at the Security Onion distro, it is more IDS orientated but may have the tools you want. Also check out NetworkMiner http://www.netresec.com/?page=NetworkMiner

[gatemed]

I think that Onion distro use the same tools I'm using (such ettercap and some IDS) but thanks for the help, I'm going to try learning "python scapy" further and see If it helps .