Dockerfile

FROM ubuntu:16.04

RUN apt-get update && apt-get install -qq -y build-essential nodejs libpq-dev git ca-certificates libpcap-dev python3 python3-pip

ENV INSTALL_PATH /src
RUN mkdir -p $INSTALL_PATH

WORKDIR $INSTALL_PATH
RUN git clone https://github.com/p0f/p0f.git \
&& cd p0f \
&& make

CMD cd && ldconfig

fingerprint.py

#!/usr/bin/env python3
import hashlib

BULK=2500

conns_per_os = {}
flow_events = {}

filepath = '/mnt/pcap/sample_pcap.syn.result'
with open(filepath) as fp:
    count = 0
    for line in iter(fp):
        count += 1
        structured = {}
        #content = line.split(" ")[2]
        data = line[22:-1].split("|")
        for item in data:
            kv = item.split("=")
            if kv[0] == 'cli' or kv[0] == 'srv':
                kv[1] = kv[1].split("/")[0]
            structured[kv[0]] = kv[1]
        if "os" in structured:
            ident = (structured["cli"] + structured["srv"]).encode('utf-8')
            sha = hashlib.sha224(ident).hexdigest()
            if sha not in flow_events:
                flow_events[sha] = {}
            flow_events[sha]["cli"] = structured["cli"]
            flow_events[sha]["srv"] = structured["srv"]
            flow_events[sha]["os"] = structured["os"]
            if structured["os"] in conns_per_os:
                conns_per_os[structured["os"]] += 1
            else:
                conns_per_os[structured["os"]] = 0
        #if count % BULK == 0:
        #    print(sha)

count = 0
for k, v in flow_events.items():
    count +=1
    print(v)
print(count)