anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(fingerprint): ToS/DSCP/ECN extraction in active + passive TCP fingerprint

Browse Source 
Active prober now reads ip.tos from the SYN-ACK and emits tos/dscp/ecn
alongside the existing TTL/window/options fields. dscp is folded into the
fingerprint hash so different DSCP markings produce distinct signatures.

Passive sniffer logs the same three fields on tcp_syn_fingerprint events;
profiler rollup carries them into the attacker tcp_fingerprint snapshot;
AttackerDetail's TCP STACK panel now surfaces DSCP and ECN cells.
This commit is contained in:
anti
2026-04-26 20:25:37 -04:00
parent 453ab177b4
commit b0b08754d0
7 changed files with 131 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
decnet/sniffer/fingerprint.py
View File

@@ -1056,6 +1056,9 @@ class SnifferEngine:
options_sig=tcp_fp["options_sig"],
has_sack=str(tcp_fp["sack_ok"]).lower(),
has_timestamps=str(tcp_fp["has_timestamps"]).lower(),
tos=str(int(getattr(ip, "tos", 0))),
dscp=str((int(getattr(ip, "tos", 0)) >> 2) & 0x3F),
ecn=str(int(getattr(ip, "tos", 0)) & 0x3),
os_guess=os_label,
)