p0f [ -f file ] [ -i device ] [ -r file ] [ -o file ] [ -s socket ] [ -u user ] [ -S limit ] [ -t c,h ] [ -m c,h ] [ -pdL ] [ 'filter rule' ]
p0f uses a fingerprinting technique based on analyzing the structure of a TCP/IP packet to determine the operating system and other configuration properties of a remote host. The process is completely passive and does not generate any suspicious network traffic. The other host has to either:
- connect to your network - either spontaneously or in an induced manner, for example when trying to establish an FTP data stream, returning a bounced mail, performing an auth lookup, using IRC DCC, following an external HTML mail image reference, and so on,
- or be contacted by some entity on your network using some standard means (such as web browsing); it can either accept or refuse the connection.
The method can see through packet firewalls and does not have the restrictions of active fingerprinting. The main uses of passive OS fingerprinting are attacker profiling (IDS and honeypots), visitor profiling (content optimization), customer/user profiling (policy enforcement), pen-testing, etc.
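To make concrete what "analyzing the structure of a TCP/IP packet" means, the following is an added illustration, not p0f's own code: it builds a constructed IPv4+TCP SYN packet (sample data, checksums left at zero), then extracts the header features a passive fingerprinter keys on (window size, observed and inferred initial TTL, DF bit, packet size, TCP option layout) and renders them as a single string modelled loosely on the window:ttl:df:size:options layout of p0f v2 signatures. p0f itself consults a much richer signature database and quirk list; the function names, the sample addresses and the packet contents here are assumptions for the example. The option walker rejects truncated or oversized option lengths rather than reading past the buffer, which is the check a parser of untrusted packets needs.

```python
"""Added example: which TCP SYN fields carry passive-fingerprinting signal.

Not p0f's code; a simplified illustration with constructed sample input.
"""
import socket
import struct

IP_PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_syn(ttl, window, options, src="10.0.0.5", dst="192.168.1.10", df=True):
    """Construct an IPv4+TCP SYN (sample input; checksums are left at zero)."""
    options = bytes(options)
    if len(options) % 4:
        raise ValueError("options must be padded to a 4-byte boundary")
    data_off = (20 + len(options)) // 4          # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIHHHH", 40123, 80, 0x11223344, 0,
                      (data_off << 12) | TCP_SYN, window, 0, 0) + options
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                     0x4000 if df else 0, ttl, IP_PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_syn(pkt):
    """Return the SYN features a passive fingerprinter looks at, or raise ValueError."""
    if len(pkt) < 40:
        raise ValueError("packet too short for IPv4 + TCP headers")
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != IP_PROTO_TCP:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    flags = off_flags & 0x1FF
    if not flags & TCP_SYN or flags & TCP_ACK:
        raise ValueError("not a bare SYN (this example only handles SYN signatures)")
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")

    # Walk the option list; the order of options is itself part of the signal.
    layout, mss, wscale = [], None, None
    opts = tcp[20:data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            layout.append("E")
            break
        if kind == 1:                      # NOP has no length byte
            layout.append("N")
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        data = opts[i + 2:i + length]
        if kind == 2 and length == 4:      # maximum segment size
            mss = struct.unpack("!H", data)[0]
            layout.append(f"M{mss}")
        elif kind == 3 and length == 3:    # window scale
            wscale = data[0]
            layout.append(f"W{wscale}")
        elif kind == 4:                    # SACK permitted
            layout.append("S")
        elif kind == 8:                    # timestamps
            layout.append("T")
        else:
            layout.append(f"?{kind}")
        i += length

    # Observed TTL has been decremented per hop; round up to a common initial value.
    initial_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    return {
        "window": window, "observed_ttl": ttl, "initial_ttl": initial_ttl,
        "df": bool(flags_frag & 0x4000), "size": total_len,
        "options": layout, "mss": mss, "wscale": wscale,
    }


def signature(pkt):
    """Render the features as window:initial_ttl:df:size:options."""
    f = parse_syn(pkt)
    return f"{f['window']}:{f['initial_ttl']}:{int(f['df'])}:{f['size']}:{','.join(f['options'])}"


# Constructed sample: MSS 1460, SACK ok, timestamps, NOP, window scale 7 (20 bytes).
SAMPLE_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
                  + b"\x08\x0a" + struct.pack("!II", 1000, 0)
                  + b"\x01" + b"\x03\x03\x07")
SAMPLE_SYN = build_syn(ttl=57, window=29200, options=SAMPLE_OPTIONS)

if __name__ == "__main__":
    print(signature(SAMPLE_SYN))
```

Running the block prints `29200:64:1:60:M1460,S,T,N,W7` for the constructed packet: a TTL of 57 is rounded up to an inferred initial value of 64, and the option order is preserved as part of the result.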
The last part, 'filter rule', is a bpf-style filter expression for incoming packets. It is very useful for excluding or including certain networks, hosts, or specific packets in the logfile. See man tcpdump for more information; a few examples:
'src port ftp-data'
'not dst net 10.0.0.0 mask 255.0.0.0'
'dst port 80 and ( src host 195.117.3.59 or src host 217.8.32.51 )'
p0f was written by Michal Zalewski <lcamtuf@coredump.cx>. This man page was originally written by William Stearns <wstearns@pobox.com>, then adopted for p0f v2 by Michal Zalewski, and p0f v3 by Pierre Chifflier.