diff -uNr p0f-1.7.ver2/Makefile p0f-1.8/Makefile --- p0f-1.7.ver2/Makefile Tue Jun 13 14:45:06 2000 +++ p0f-1.8/Makefile Fri Nov 16 02:41:13 2001 @@ -1,6 +1,7 @@ # # p0f - passive OS fingerprinting # (c) +# Maintained by William Stearns # CC = gcc @@ -9,9 +10,9 @@ STRIP = strip CFLAGS = -O3 -Wall FILE = p0f -VERSION = 1.7 +VERSION = 1.8 -DISTRO = p0f.c Makefile README COPYING tcp.h p0f.fp +DISTRO = p0f.c Makefile README COPYING tcp.h p0f.fp p0f.init all: $(FILE) strip @@ -30,12 +31,21 @@ mkdir -m 755 p0f-$(VERSION) cp $(DISTRO) p0f-$(VERSION)/ chmod 644 p0f-$(VERSION)/* - tar cfvz /$(FILE).tgz p0f-$(VERSION) - chmod 644 /$(FILE).tgz - rm -rf p0f-$(VERSION) + tar cfvz /tmp/$(FILE).tgz p0f-$(VERSION) + chmod 644 /tmp/$(FILE).tgz + #rm -rf p0f-$(VERSION) publish: tgz - scp /p0f.tgz lcamtuf@dione.ids.pl:public_html/p0f.tgz - scp /p0f.tgz lcamtuf@dione.ids.pl:public_html/p0f-$(VERSION).tgz - rm -f /p0f.tgz + #scp /tmp/p0f.tgz lcamtuf@dione.ids.pl:public_html/p0f.tgz + #scp /tmp/p0f.tgz lcamtuf@dione.ids.pl:public_html/p0f-$(VERSION).tgz + #rm -f /tmp/p0f.tgz + +install: $(FILE) + cp -p p0f.fp $(DESTDIR)/etc + cp -p p0f.init $(DESTDIR)/etc/init.d/p0f + mkdir --parents $(DESTDIR)/usr/share/doc/p0f-$(VERSION) + cp -p COPYING README $(DESTDIR)/usr/share/doc/p0f-$(VERSION) + cp -p p0f $(DESTDIR)/usr/sbin + chmod 755 $(DESTDIR)/etc/init.d/p0f $(DESTDIR)/usr/sbin/p0f + diff -uNr p0f-1.7.ver2/README p0f-1.8/README --- p0f-1.7.ver2/README Tue Jun 13 14:45:06 2000 +++ p0f-1.8/README Fri Nov 16 14:44:19 2001 
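Review bot: The `tgz` target now writes to the fixed, world-predictable path `/tmp/$(FILE).tgz` and then `chmod 644`s it; on a shared host any local user who pre-creates that name (or a symlink there) before the maintainer runs the recipe can have `tar cfvz` follow it and overwrite an arbitrary file with the archive. Build into the source tree instead, `tar cfvz $(CURDIR)/$(FILE).tgz p0f-$(VERSION)`, or into a directory from `mktemp -d`, and either restore or delete the `#rm -rf p0f-$(VERSION)` line rather than leaving dead recipe text. The new `install` target also copies into `$(DESTDIR)/etc/init.d` and `$(DESTDIR)/usr/sbin` without creating them, while the spec file in this same change installs the init script under `/etc/rc.d/init.d`; pick one location and `mkdir -p` each destination first, and declare `.PHONY: all strip tgz publish install` so a stray file of that name cannot shadow the target.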
@@ -6,13 +6,32 @@ "Dr. Jekyll had something to Hyde" passive OS fingerprinting tool - version 1.7 + version 1.8 + and -= buffer0verfl0w security team =- - http://lcamtuf.hack.pl/p0f.tgz + http://lcamtuf.hack.pl/p0f.tgz + and + http://www.stearns.org/p0f/ +News: + + * 2001/11/16 + + Michal has decided that he does not have the time to work on p0f at + the moment, so he's handed the torch to me, William Stearns + . I'll be doing mostly maintenance releases for + the moment. + + The new site for the code is http://www.stearns.org/p0f/ . Please + send any bug reports, suggestions, patches, and fingerprints to + wstearns@pobox.com . Thanks! + + Many, many thanks to Michal for all his work. The parts of the code + that work are his, the bugs are mine. ;-) + Special thanks to: * Lance Spitzner for whitepaper on passive OS fingerprinting: @@ -109,7 +128,7 @@ In this case, simply issue: ln -s /usr/include/pcap/pcap.h /usr/include/ - ln -s /usr/include/pcap/net/bsf.h /usr/include/net/ + ln -s /usr/include/pcap/net/bpf.h /usr/include/net/ NOTE: if p0f recognized system incorrectly or cannot recognize it at all, please send OS signature and system description to author. Thanks :) @@ -119,8 +138,11 @@ - NetBSD - FreeBSD - OpenBSD - - Linux 2.0/2.2 + - Linux 2.0/2.2/2.4 + http://www.stearns.org/p0f/ - Solaris 2.6-2.7 + - LinuxPPC + http://rpmfind.net/linux/RPM/linuxPPC/contrib/software/Applications/Networking/p0f-1.7-0.ppc.html Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x; GNU egrep (for proper Makefile processing) @@ -175,4 +197,4 @@ OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --- Michal Zalewski +-- Michal Zalewski and William Stearns diff -uNr p0f-1.7.ver2/p0f.c p0f-1.8/p0f.c --- p0f-1.7.ver2/p0f.c Tue Jun 13 14:45:06 2000 +++ p0f-1.8/p0f.c Fri Nov 16 02:50:16 2001 
@@ -3,6 +3,7 @@ p0f - passive OS fingerprinting ------------------------------- (c) + Maintained by William Stearns The p0f utility and related utilities are free software; you can redistribute it and/or modify it under the terms of the GNU Library @@ -27,6 +28,7 @@ #include #include #include +#include #include "tcp.h" #define MAXFPS 1000 @@ -56,6 +58,41 @@ void lookup(void); +void set_header_len(int type){ + switch(type){ + case DLT_NULL: +#ifdef DLT_RAW + case DLT_RAW: +#endif + case DLT_SLIP: + header_len=0; + break; + case DLT_EN10MB: + header_len=14; + break; + case DLT_PPP: +#ifdef DLT_LOOP + case DLT_LOOP: +#endif + header_len=4; + break; + case DLT_IEEE802: + header_len=22; + break; +#ifdef DLT_PFLOG + case DLT_PFLOG: + header_len=28; + break; +#endif + default: + fprintf(stderr,"p0f: unknown datalink type %d.\n",type); + break; + } +} + + + + void parse(u_char *blabla, struct pcap_pkthdr *pph, u_char *packet) { struct iphdr *iph; struct tcphdr *tcph; @@ -65,10 +102,7 @@ if (pph->len < header_len+sizeof(struct iphdr)+sizeof(struct tcphdr)) { return; } - // Rare tropical disease ugly dirty obfuscated hack ;> - iph=(struct iphdr*) (packet); - if ((iph->ihl>>4)!=4 || iph->protocol!=IPPROTO_TCP) - iph=(struct iphdr*)(packet+header_len); + iph=(struct iphdr*)(packet+header_len); if ((iph->ihl>>4)!=4 || iph->protocol!=IPPROTO_TCP) { int a,b; iph=(struct iphdr*) (packet); @@ -260,7 +294,11 @@ /* set a reasonable default fingerprint file */ if (!filename || !*filename) +#ifdef SYSCONFDIR + filename = SYSCONFDIR "/p0f.fp"; +#else filename = "/etc/p0f.fp"; +#endif /* anything left after getopt'ing is a rule */ if (argv[optind] && *(argv[optind])) @@ -269,7 +307,7 @@ if (!ifa) ifa=pcap_lookupdev(errbuf); if (!ifa) { ifa="lo"; } - fprintf(stderr, "p0f: passive os fingerprinting ver. " VER " by \n"); + fprintf(stderr, "p0f: passive os fingerprinting ver. " VER " by and \n"); if (s && inputfile && *inputfile) { if ((pt=pcap_open_offline(inputfile, errbuf))==NULL) { 
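Review bot: `set_header_len`'s `default:` branch prints "unknown datalink type" but then returns normally, so capture continues with whatever `header_len` (declared outside this hunk) already held and `parse()` casts `packet+header_len` to `struct iphdr` at an offset that was never validated for that link type; after the `fprintf` add `exit(1);`, or return a status the caller checks, so an unsupported DLT is fatal rather than silently mis-parsed. The 28-byte `DLT_PFLOG` size in particular differs between BSD releases, so a comment naming the pflog header layout it assumes would help the next maintainer. The surviving length guard at the top of `parse()` compares against `pph->len` (on-wire length) rather than `pph->caplen`; when the snaplen is shorter than a full IP+TCP header, the new `packet+header_len` dereference reads past the captured bytes, so the check should use `caplen`. The rest of `parse()` and `main()` continue outside the hunk.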
@@ -282,6 +320,8 @@ exit(1); } } + + set_header_len(pcap_datalink(pt)); signal(SIGINT,&die_nicely); signal(SIGTERM,&die_nicely); diff -uNr p0f-1.7.ver2/p0f.fp p0f-1.8/p0f.fp --- p0f-1.7.ver2/p0f.fp Tue Jun 13 14:45:06 2000 +++ p0f-1.8/p0f.fp Sat Nov 17 15:57:13 2001 @@ -29,8 +29,8 @@ # 31072:64:3884:1:0:1:1:Linux 2.2.12-20 (RH 6.1) -512:64:1460:0:0:0:0:Linux 2.0.38 -32120:64:1460:1:0:1:1:Linux 2.2.14 or Cobalt Linux 2.2.12C3 +512:64:1460:0:0:0:0:Linux 2.0.35 - 2.0.38 +32120:64:1460:1:0:1:1:Linux 2.2.9-2.2.18pre21 or Cobalt Linux 2.2.12C3 16384:64:1460:1:0:0:0:FreeBSD 4.0-STABLE, 3.2-RELEASE 8760:64:1460:1:0:0:0:Solaris 2.6 (2) 9140:255:9140:1:0:0:0:Solaris 2.6 (sunsite) @@ -54,7 +54,7 @@ 24820:64:1460:1:0:0:0:SCO UnixWare 7.0.1 32768:64:1460:1:0:0:0:HP-UX B.10.01 A 9000/712 16384:64:512:0:0:0:0:AIX 3.2, 4.2 - 4.3 -32768:64:1460:1:0:0:1:Digital UNIX V4.0E +32768:64:1460:1:0:0:1:Digital UNIX V4.0E, Mac OS X 32694:255:536:0:0:0:0:3Com HiPer ARC, System V4.2.32 4128:255:556:0:0:0:0:Cisco 1750 IOS 12.0(5), Cisco 2500 IOS 11.3(1) 4128:255:556:0:0:0:0:Cisco 3600 IOS Version 12.0(7) @@ -64,7 +64,7 @@ 32120:64:1460:1:190:1:1:Linux 2.2.16 32696:64:536:0:0:1:1:SCO UnixWare 7.1.0 x86 24820:64:1460:1:0:0:1:SCO UnixWare 7.1.0 x86 -32120:58:1460:0:-1:0:0:Linux 2.0.38 +32120:58:1460:0:-1:0:0:Linux 2.0.38 sig 2 65535:128:1368:1:-1:0:0:BorderManager 3.5 33580:255:1460:1:-1:0:0:Solaris 7 8192:128:25443:1:-1:1:1:Microsoft NT 4.0 Server SP5 
@@ -89,4 +89,21 @@
 32120:64:1460:1:101:1:1:Linux 2.2.15
 32120:64:1460:0:-1:0:0:Linux 2.0.33
 512:64:1460:0:52:0:0:Linux 2.0.33
+32120:64:1460:0:0:1:1:Linux 2.2.19
+5840:64:1460:1:0:1:1:Linux 2.4.2 - 2.4.14
+32768:255:1460:1:0:0:1:Mac OS 9
+65535:255:1460:1:1:0:1:Mac OS 9
+24820:63:1460:1:-1:1:1:SunOS 5.8
+32768:32:1460:1:-1:0:0:Windows CE 3.0 (Ipaq 3670)
+32768:32:1460:1:-1:0:1:Windows CE 3.0 (Ipaq 3670)
+24820:64:1460:1:-1:1:1:SunOS 5.8 Sparc
+12288:255:1460:0:-1:0:0:BeOS 5.0
+31856:64:1460:1:0:1:1:Linux 2.3.99-ac
+32768:128:1460:1:0:0:1:Dec V4.0 OSF1
+16384:64:1460:0:-1:0:0:AIX 4.3-4.3.3
+61440:64:1460:0:-1:1:1:IRIX 6.5.10
+5840:64:1460:1:0:1:1:Linux 2.4.1-14
+44032:128:64059:1:-1:1:1:Windows 2000 SP2
+44032:128:1452:1:-1:1:1:Windows 2000 SP2
+16384:128:25275:1:-1:1:1:Windows 2000
diff -uNr p0f-1.7.ver2/p0f.init p0f-1.8/p0f.init
--- p0f-1.7.ver2/p0f.init Wed Dec 31 19:00:00 1969
+++ p0f-1.8/p0f.init Fri Nov 16 02:35:16 2001
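Review bot: Two of the added signatures are identical on every matched field — `5840:64:1460:1:0:1:1:Linux 2.4.2 - 2.4.14` and, further down, `5840:64:1460:1:0:1:1:Linux 2.4.1-14` — so only whichever one the lookup reaches first can ever be reported, and the two labels disagree about the version range. Merge them into a single line such as `5840:64:1460:1:0:1:1:Linux 2.4.1 - 2.4.14`. The lookup code that decides match order is not part of this diff, so which label currently wins cannot be confirmed from here.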
@@ -0,0 +1,60 @@ +#!/bin/bash +# p0f This shell script takes care of starting and stopping +# the p0f monitoring program +# +# chkconfig: 2345 52 48 +# description: p0f - the p0f monitoring program. \ +# p0f performs passive OS fingerprinting technique bases on information coming \ +# from remote host when it establishes connection to our system. Captured \ +# packets contains enough information to determine OS - and, unlike \ +# active scanners (nmap, queSO) - without sending anything to this host. +# processname: p0f +# pidfile: /var/run/p0f.pid + +PATH=/usr/bin:/sbin:/bin:/usr/sbin +export PATH + +# Source function library. +. /etc/rc.d/init.d/functions + +case "$1" in +start) + echo -n "Starting p0f: " + rm -f /var/run/p0f.pid + nohup /usr/sbin/p0f -v >>/var/log/p0f 2>&1 & + echo $! >/var/run/p0f.pid + touch /var/lock/subsys/p0f + echo "done" + ;; + +stop) + if [ -f /var/run/p0f.pid ]; then + echo -n "Stopping p0f: " + kill -TERM `cat /var/run/p0f.pid` + rm -f /var/run/p0f.pid + rm -f /var/lock/subsys/p0f + echo "done" + fi + ;; + +restart) + $0 stop + $0 start + exit $? + ;; + +status) + status p0f + exit $? + ;; + +probe) + exit 0; + ;; + +*) + echo "Usage: $0 {start|stop|status|restart}" + exit 1 +esac + +exit 0 diff -uNr p0f-1.7.ver2/p0f.spec p0f-1.8/p0f.spec --- p0f-1.7.ver2/p0f.spec Wed Dec 31 19:00:00 1969 +++ p0f-1.8/p0f.spec Fri Nov 16 02:41:24 2001 
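Review bot: The `stop` branch runs `kill -TERM` on whatever number `/var/run/p0f.pid` contains without confirming that PID still belongs to p0f, so a stale pidfile left by a crash or an unclean reboot makes `stop` signal an unrelated process; since the script already sources `/etc/rc.d/init.d/functions`, `killproc p0f` (which matches the process name and tolerates a missing or stale pidfile) is the safer replacement for the `kill`/`rm` pair. The `start` branch's `>>/var/log/p0f` creates the log under the caller's umask when it does not yet exist — the 0600 `touch` only happens in the RPM `%post` — so on a hand-installed system the captured fingerprint log can be world-readable; add `umask 077` before the `nohup` line, or `touch /var/log/p0f && chmod 600 /var/log/p0f` first. `stop` also exits successfully when the pidfile is absent, so `restart` after a failed or externally killed `start` never reports the problem.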
@@ -0,0 +1,89 @@ +%define version 1.8 +Name: p0f +Summary: passive OS fingerprinting tool +Version: %{version} +Release: 0 +Copyright: GPL +Packager: William Stearns +Group: Applications/Networking +Source: http://lcamtuf.hack.pl/p0f.tgz +#Source1: p0f.init +Prereq: /sbin/chkconfig +Vendor: Michal Zalewski +URL: http://lcamtuf.hack.pl/ and http://www.stearns.org/p0f/ +BuildRoot: /tmp/p0f-broot + + +%description +p0f performs passive OS fingerprinting technique bases on information coming +from remote host when it establishes connection to our system. Captured +packets contains enough information to determine OS - and, unlike +active scanners (nmap, queSO) - without sending anything to this host. + + +%changelog +* Fri Nov 16 2001 William Stearns +- Updated to 1.8 test sources + + +* Wed Aug 13 2000 William Stearns +- first rpm from 1.7 sources. +- addition of a SysV init file + + +%prep +%setup + + +%build +make all + + +%install +if [ "$RPM_BUILD_ROOT" = "/tmp/p0f-broot" ]; then + rm -rf $RPM_BUILD_ROOT + + install -d $RPM_BUILD_ROOT/etc + install -d $RPM_BUILD_ROOT/etc/rc.d/init.d + install -d $RPM_BUILD_ROOT/usr/sbin + cp -p p0f.fp $RPM_BUILD_ROOT/etc + cp -p p0f $RPM_BUILD_ROOT/usr/sbin + cp -p p0f.init $RPM_BUILD_ROOT/etc/rc.d/init.d/p0f +else + echo Invalid Build root + exit 1 +fi + + +%clean +if [ "$RPM_BUILD_ROOT" = "/tmp/p0f-broot" ]; then + rm -rf $RPM_BUILD_ROOT +else + echo Invalid Build root + exit 1 +fi + + +%files +%defattr(-,root,root) + %doc README COPYING +%attr(644,root,root) /etc/p0f.fp +%attr(755,root,root) /etc/rc.d/init.d/p0f +%attr(755,root,root) /usr/sbin/p0f + + +%post +if [ ! -f /var/log/p0f ]; then + touch /var/log/p0f + chown root.root /var/log/p0f + chmod 600 /var/log/p0f +fi +if [ "$1" = "1" ]; then #This package is being installed for the first time + /sbin/chkconfig --add p0f +fi + + +%postun +if [ "$1" = "0" ]; then #This is being completely erased, not upgraded + /sbin/chkconfig --del p0f +fi
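Review bot: `BuildRoot: /tmp/p0f-broot` is a fixed, world-predictable path, and `%install` first `rm -rf`s it and then `install -d`/`cp -p`s the freshly built binary into it; another local user who pre-creates that directory (or a symlink to it) before the build can plant or swap files between the copy and the packaging step, so the resulting RPM may ship attacker-controlled content. Use a per-user, per-version root such as `BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(id -un)` and compare the `$RPM_BUILD_ROOT` guards in `%install`/`%clean` against that macro rather than the literal string. `Copyright: GPL` also disagrees with the p0f.c header elsewhere in this diff, which appears to place the code under the GNU Library General Public License — confirm the intended licence before tagging the package. Finally, this spec installs the init script into `/etc/rc.d/init.d` while the new Makefile `install` target writes to `/etc/init.d`; have `%install` call `make install DESTDIR=$RPM_BUILD_ROOT` (or make the two agree) so the packaged and hand-installed layouts do not drift.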