fix: wire prober tcpfp_fingerprint events into sniffer_rollup for OS/hop detection
The active prober emits tcpfp_fingerprint events with TTL, window, MSS etc. from the attacker's SYN-ACK. These were invisible to the behavioral profiler for two reasons:

1. target_ip (prober's field name for attacker IP) was not in _IP_FIELDS in collector/worker.py or correlation/parser.py, so the profiler re-parsed raw_lines and got attacker_ip=None, never attributing prober events to the attacker profile.
2. sniffer_rollup only handled tcp_syn_fingerprint (passive sniffer) and ignored tcpfp_fingerprint (active prober). Prober events use different field names: window_size/window_scale/sack_ok vs window/wscale/has_sack.

Changes:
- Add target_ip to _IP_FIELDS in collector and parser
- Add _PROBER_TCPFP_EVENT and _INITIAL_TTL table to behavioral.py
- sniffer_rollup now processes tcpfp_fingerprint: maps field names, derives OS from TTL via _os_from_ttl, computes hop_distance = initial_ttl - observed
- Expand prober DEFAULT_TCPFP_PORTS to [22,80,443,8080,8443,445,3389] for better SYN-ACK coverage on attacker machines
- Add 4 tests covering prober OS detection, hop distance, and field mapping
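The field mapping and the TTL-based OS/hop derivation the commit message describes, as an added example that is not the project's code: the event dict, the prober-to-sniffer field names and the initial-TTL table below are assumptions modelled on the message (the project's own _INITIAL_TTL and _os_from_ttl are not visible here), and the sample event is constructed.

```python
"""Added example: normalise an active-prober tcpfp_fingerprint event to the
passive sniffer's field names, then derive an OS guess and hop distance from
the observed TTL (hop_distance = initial_ttl - observed).

Assumption: the initial-TTL table and field-name map are modelled on the
commit message and common OS defaults, not copied from the project.
"""

# Initial TTLs by OS family (assumption: common defaults, not the project's table).
INITIAL_TTL = {
    64: "linux/unix",
    128: "windows",
    255: "network-device/solaris",
}

# Active-prober field name -> passive-sniffer field name (per the commit message).
PROBER_TO_SNIFFER = {
    "window_size": "window",
    "window_scale": "wscale",
    "sack_ok": "has_sack",
}


def initial_ttl_for(observed: int):
    """Smallest standard initial TTL that is >= the observed TTL, or None.

    A packet's TTL only decreases in flight, so the sender's starting value
    is the next standard value at or above what we saw.
    """
    for init in sorted(INITIAL_TTL):
        if observed <= init:
            return init
    return None


def os_from_ttl(observed: int) -> str:
    """OS family guess from the observed TTL; 'unknown' if out of range."""
    init = initial_ttl_for(observed)
    return INITIAL_TTL[init] if init is not None else "unknown"


def hop_distance(observed: int):
    """Estimated router hops between us and the sender, or None."""
    init = initial_ttl_for(observed)
    return None if init is None else init - observed


def normalise_prober_event(event: dict) -> dict:
    """Map prober field names onto the sniffer's and add os_guess/hop_distance.

    target_ip (the prober's name for the remote host) becomes attacker_ip so the
    event attributes to the same profile as passive sniffer events.
    """
    out = {}
    for key, value in event.items():
        if key == "target_ip":
            out["attacker_ip"] = value
        else:
            out[PROBER_TO_SNIFFER.get(key, key)] = value
    ttl = event.get("ttl")
    # Reject junk TTLs (0 or >255) instead of mis-attributing an OS.
    if isinstance(ttl, int) and 0 < ttl <= 255:
        out["os_guess"] = os_from_ttl(ttl)
        out["hop_distance"] = hop_distance(ttl)
    else:
        out["os_guess"] = "unknown"
        out["hop_distance"] = None
    return out


# Constructed sample event in the prober's own field names.
SAMPLE_EVENT = {
    "event": "tcpfp_fingerprint",
    "target_ip": "198.51.100.23",
    "port": 22,
    "ttl": 57,
    "window_size": 29200,
    "window_scale": 7,
    "sack_ok": True,
    "mss": 1460,
}

if __name__ == "__main__":
    print(normalise_prober_event(SAMPLE_EVENT))
```

The rounding rule in initial_ttl_for is the usual heuristic (a TTL of 57 is read as 64 minus 7 hops); a host that sets a non-standard initial TTL will be mis-classified, which is why the rollup keeps window/MSS/SACK alongside the guess rather than trusting TTL alone.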
@@ -43,8 +43,9 @@ DEFAULT_PROBE_PORTS: list[int] = [
|
||||
# HASSHServer: common SSH server ports
|
||||
DEFAULT_SSH_PORTS: list[int] = [22, 2222, 22222, 2022]
|
||||
|
||||
# TCP/IP stack: probe on common service ports
|
||||
DEFAULT_TCPFP_PORTS: list[int] = [80, 443]
|
||||
# TCP/IP stack: probe on ports commonly open on attacker machines.
|
||||
# Wide spread gives the best chance of a SYN-ACK for TTL/fingerprint extraction.
|
||||
DEFAULT_TCPFP_PORTS: list[int] = [22, 80, 443, 8080, 8443, 445, 3389]
|
||||
|
||||
# ─── RFC 5424 formatting (inline, mirrors templates/*/decnet_logging.py) ─────
|
||||
|
||||
|
||||
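Review bot: the new DEFAULT_TCPFP_PORTS line adds 445 and 3389, which are Windows-specific services, so a SYN-ACK on either is itself an OS signal that the TTL-derived guess can be cross-checked against; the comment above the list ("Wide spread gives the best chance of a SYN-ACK for TTL/fingerprint extraction") would be more useful if it said so, and if it noted that the list grows from 2 to 7 ports, so each prober run now sends 3.5x the SYNs to the remote host and the prober's concurrency and timeout budget should be confirmed against that.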