Saturday, August 19, 2006

Satori - Passive OS fingerprinting, revisited

From Thierry Zoller, Full-disclosure List
" ...
I started using this tool last year and it became immediately obvious to me that this is a great tool to have. Its name is Satori; if you have never heard about it, that's not proof the tool is no good but rather that its author Eric Kollman does not really seem to care if you do (or at least doesn't scream it from the top of every house).

I found out about Satori while reading the paper "Chatter on the Wire" [pdf] (from the same author), which goes to great length about passive OS fingerprinting and its potential for improvement, as done by several other tools. What is interesting is that the paper was not only theoretical but rather practical; its outcome was Satori, a beautiful plug-in based passive enumeration and fingerprinting tool.

Satori uses WinPcap and captures packets passively at the NDIS level; every packet flying by is scrutinised for information that might determine its OS. Nothing new here, you might say, but Satori does the fingerprinting on DHCP, BOOTP, ICMP, TCP, CDP, EIGRP, HPSP, HSRP, HTTP, IPX, SMB, SNMP, STP and UPnP precisely enough to either correlate the results with nmap or to rely on them. It makes spotting potentially vulnerable systems a breeze.
... "
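To make the TCP part of the passive approach concrete, here is an added example of a minimal passive SYN fingerprinter in plain Python (standard library only). It is not Satori's code and not from Zoller's post. It parses a raw Ethernet/IPv4/TCP frame, pulls out the fields a passive fingerprinter keys on (TTL, DF bit, window size, TCP option layout, MSS, window scale), rounds the observed TTL up to the nearest plausible initial TTL to absorb hop decrements, and matches against a signature table. The signature entries are an assumption of this example, shaped like the public p0f-style signatures, not Satori's fingerprint database; the sample frames are constructed by a helper rather than captured off a wire, and no checksums are set because a passive observer never needs to verify them.

```python
import struct

# Illustrative p0f-style SYN signatures (initial TTL, window, DF, option layout).
# These are assumptions of this example, not Satori's fingerprint database.
SIGNATURES = [
    {"os": "Linux 2.6 (illustrative)", "ittl": 64, "window": 5840, "df": True,
     "options": ("MSS", "SACK", "TS", "NOP", "WS")},
    {"os": "Windows XP (illustrative)", "ittl": 128, "window": 65535, "df": True,
     "options": ("MSS", "NOP", "NOP", "SACK")},
    {"os": "OpenBSD (illustrative)", "ittl": 64, "window": 16384, "df": True,
     "options": ("MSS", "NOP", "NOP", "SACK", "NOP", "WS", "NOP", "NOP", "TS")},
]
OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

def parse_tcp_options(raw):
    """Return (option layout tuple, MSS, window scale) from raw TCP option bytes."""
    names, mss, wscale, i = [], None, None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL: rest is padding
            break
        if kind == 1:                      # NOP carries no length byte
            names.append("NOP"); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break                          # malformed option, stop parsing
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2 and len(data) == 2:
            mss = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:
            wscale = data[0]
        names.append(OPTION_NAMES.get(kind, "OPT%d" % kind))
        i += length
    return tuple(names), mss, wscale

def parse_syn(frame):
    """Extract fingerprint features from an Ethernet/IPv4/TCP SYN; None otherwise."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    df = bool(struct.unpack("!H", ip[6:8])[0] & 0x4000)
    tcp = ip[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02 or len(tcp) < data_off:   # SYN set, ACK clear
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, mss, wscale = parse_tcp_options(tcp[20:data_off])
    return {"ttl": ip[8], "df": df, "window": window,
            "options": opts, "mss": mss, "wscale": wscale}

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (hops decrement it)."""
    for cand in (32, 64, 128, 255):
        if observed <= cand:
            return cand
    return 255

def fingerprint(features):
    """Return the OS label of the first signature matching the features, else None."""
    ittl = initial_ttl(features["ttl"])
    for sig in SIGNATURES:
        if (sig["ittl"] == ittl and sig["df"] == features["df"]
                and sig["window"] == features["window"]
                and sig["options"] == features["options"]):
            return sig["os"]
    return None

def build_syn(ttl, window, df, options, flags=0x02):
    """Construct a sample Ethernet/IPv4/TCP frame (test input, not a real capture)."""
    opts = b"".join(b"\x01" if k == 1 else bytes([k, 2 + len(d)]) + d for k, d in options)
    opts += b"\x00" * (-len(opts) % 4)                 # pad to a 32-bit boundary
    data_off = 20 + len(opts)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (data_off // 4) << 4,
                      flags, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

if __name__ == "__main__":
    # A Linux-looking SYN that has crossed 12 hops (TTL 64 -> 52).
    frame = build_syn(52, 5840, True, [(2, b"\x05\xb4"), (4, b""), (8, b"\x00" * 8),
                                       (1, b""), (3, b"\x07")])
    print(parse_syn(frame), "->", fingerprint(parse_syn(frame)))
```

Two caveats a practitioner should keep in mind: the match is only as good as the signature table (a real one has hundreds of entries and tolerates ranges, not exact values), and NAT devices, load balancers and other middleboxes rewrite TTL, window and options, so a confident match still deserves correlation with another protocol's evidence, which is exactly why a multi-protocol tool like the one described above is useful.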
