Many of our "nmap -O" scans of honeypots do not get 100% correct matches to the operating system being emulated, and in some cases the first match in the fuzzy scan isn't even the one that is being emulated. Compare the fingerprint that nmap spits out for the honeypot with the fingerprint in the nmap-os-db file to see what probes and responses are coming up different than expected. This might be an actual bug where Honeyd is dropping certain probes that it's supposed to reply to, or not populating part of the packet used in the fingerprinting.
PherricOxide
commented
12 years ago
Many of our "nmap -O" scans of honeypots do not get 100% correct matches to the operating system being emulated, and in some cases the first match in the fuzzy scan isn't even the one that is being emulated. Compare the fingerprint that nmap spits out for the honeypot with the fingerprint in the nmap-os-db file to see what probes and responses are coming up different than expected. This might be an actual bug where Honeyd is dropping certain probes that it's supposed to reply to, or not populating part of the packet used in the fingerprinting.