Disco is a passive IP discovery and fingerprinting utility designed to sit on segments distributed throughout a network and discover the unique IPs on that network. In addition to IP discovery, Disco has the ability to passively fingerprint TCP SYN packets and TCP SYNACK packets.

Disco v1.2 Features


An interesting note on fingerprinting SYNACK packets: if a TCP-SYN packet is sent to a system, the SYNACK reply does not necessarily have the same fingerprint as the sender, since certain parts of the packet (MSS, DF, NOP, etc.) are chosen by the server. However, what the server returns in the SYNACK reply is sometimes dependent on the sender OS. For example, a Windows sender may get a SYNACK signature reply that differs from the one a Linux sender gets - which means you can still fingerprint the SYNACK, you just need a much larger fingerprint database covering the signatures produced in reply to the various sending OSes.

Having the ability to fingerprint TCP-SYNACK packets is useful because, when fingerprinting hosts in passive mode, there may be many hosts for which you never (or only infrequently) see a TCP-SYN packet, such as printers or other devices that don't generally initiate TCP communication. Another use is being able to fingerprint in a more active mode without generating any suspicious fingerprinting traffic: for example, fire up Disco in SYN / SYNACK mode (disco -i eth0 -S -A) and access the public web site of a host you would like to fingerprint. The traffic is just plain old web browsing traffic, nothing that will trigger an IDS; however, on your end you are fingerprinting the TCP-SYNACK packet of the host that sent it.
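As an added illustration (not Disco's code; the signature table and sample packets below are constructed for the example, not Disco's real fingerprint file), here is how a passive fingerprinter reduces the SYN/SYNACK header fields mentioned above (window, TTL, DF, option layout) to a signature, and why the SYNACK side of the table needs one entry per sender behaviour: the same constructed Linux-like server answers with a different option layout depending on whether the sender offered timestamps.

```python
import struct

# Constructed, illustrative signature table (not Disco's real database).
# Signature format: window:ttl:df:option-list. Two SYNACK rows describe one server.
SIGNATURES = {
    ("SYN", "8192:128:1:MSS,NOP,WS,NOP,NOP,SACK"): "windows-like sender",
    ("SYN", "65535:64:1:MSS,NOP,WS,NOP,NOP,TS,SACK,EOL"): "bsd-like sender",
    ("SYNACK", "5840:64:1:MSS,SACK,TS,NOP,WS"): "linux-like server (sender offered TS)",
    ("SYNACK", "5840:64:1:MSS,NOP,NOP,SACK,NOP,WS"): "linux-like server (sender offered no TS)",
}
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

def tcp_signature(pkt: bytes):
    """Return (src_ip, direction, signature) for an IPv4 TCP SYN or SYNACK, else None."""
    if pkt[9] != 6:                                   # IP protocol 6 = TCP
        return None
    ihl, ttl, df = (pkt[0] & 0x0F) * 4, pkt[8], (pkt[6] >> 6) & 1   # DF is bit 14 of flags/frag
    src_ip = ".".join(str(b) for b in pkt[12:16])
    tcp = pkt[ihl:]
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    if not flags & 0x02:                              # SYN bit must be set
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i = [], 20                                  # options follow the fixed 20-byte header
    while i < data_off:
        kind = tcp[i]
        opts.append(OPT_NAMES.get(kind, f"OPT{kind}"))
        if kind == 0:                                 # EOL: only padding follows
            break
        i += 1 if kind == 1 else tcp[i + 1]           # NOP is 1 byte, the rest are kind/len/value
    return src_ip, "SYNACK" if flags & 0x10 else "SYN", f"{window}:{ttl}:{df}:{','.join(opts)}"

def classify(pkt: bytes):
    """Map a SYN/SYNACK to a label; an unmatched signature is still a discovered host."""
    sig = tcp_signature(pkt)
    return None if sig is None else (sig[0], sig[1], SIGNATURES.get((sig[1], sig[2]), "unknown"))

# Raw TCP option encodings used to build constructed sample packets.
MSS, NOP, WS, SACK, TS = b"\x02\x04\x05\xb4", b"\x01", b"\x03\x03\x07", b"\x04\x02", b"\x08\x0a" + bytes(8)

def build_packet(src, ttl, df, window, flags, options):
    """Build a bare IPv4+TCP header pair as constructed test input (checksums left zero)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(options)) // 4) << 4,
                      flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes(src), bytes((10, 0, 0, 2)))
    return ip + tcp

# Constructed SYNACK from the Linux-like server replying to a sender that offered no timestamps.
SAMPLE = build_packet((10, 0, 0, 2), 64, 1, 5840, 0x12, MSS + NOP + NOP + SACK + NOP + WS)
```

`classify(SAMPLE)` yields the "sender offered no TS" row, while the same server replying to a timestamp-capable sender matches the other row, which is the database growth the note above describes.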

