identify remote systems passively
p0f p0f [ -f file ] [ -i device ] [ -r file ] [ -o file ] [ -s socket ] [ -u user ] [ -S limit ] [ -t c,h ] [ -m c,h ] [ -pdL ] [ 'filter rule' ]
p0f uses a fingerprinting technique based on analyzing the structure of a TCP/IP packet to determine the operating system and other configura‐ tion properties of a remote host. The process is completely passive and does not generate any suspicious network traffic. The other host has to either: - connect to your network - either spontaneously or in an induced man‐ ner, for example when trying to establish a ftp data stream, returning a bounced mail, performing auth lookup, using IRC DCC, external html mail image reference and so on, - or be contacted by some entity on your network using some standard means (such as a web browsing); it can either accept or refuse the con‐ nection. The method can see thru packet firewalls and does not have the restric‐ tions of an active fingerprinting. The main uses of passive OS finger‐ printing are attacker profiling (IDS and honeypots), visitor profiling (content optimization), customer/user profiling (policy enforcement), pen-testing, etc.
-f file read fingerprints from file; by default, p0f reads signatures from ./p0f.fp or /etc/p0f/p0f.fp (the latter on Unix systems only). You can use this to load custom fingerprint data. Speci‐ fying multiple -f values will NOT combine several signature files together. -i device listen on this device; p0f defaults to whatever device libpcap considers to be the best (and which often isn't). On some newer systems you might be able to specify 'any' to listen on all de‐ vices, but don't rely on this. Specifying multiple -i values will NOT cause p0f to listen on several interfaces at once. -r file read packets from tcpdump snapshot; this is an alternate mode of operation, in which p0f reads packet from pcap data capture file, instead of a live network. Useful for forensics (this will parse tcpdump -w output, for example). You can use Ethereal's text2pcap to convert human-readable packet traces to pcap files, if needed. -o file write to this logfile. This option is required for -d and im‐ plies -t. -s socket listen on a specified local stream socket (a filesystem object, for example /var/run/p0f-sock) for queries. One can later send a packet to this socket with p0f_query structure from p0f-query.h, and wait for p0f_response. This is a method of integrating p0f with active services (web server or web scripts, etc). P0f will still continue to report signatures the usual way - but you can use -qKU combination to suppress this. Also see -c notes. A sample query tool (p0f-client) is provided in the tools/ sub‐ directory. NOTE: The socket will be created with permissions corresponding to your current umask. If you want to restrict access to this interface, use caution. -u user this option forces p0f to chroot to this user's home directory after reading configuration data and binding to sockets, then to switch to his UID, GID and supplementary groups. This is a security feature for the paranoid - when running p0f in daemon mode, you might want to create a new unprivileged user with an empty home directory, and limit the exposure when p0f is compromised. That said, should such a compromise occur, the at‐ tacker will still have a socket he can use for sniffing some network traffic (better than rm -rf /). -p switch card to promiscuous mode; by default, p0f listens only to packets addressed or routed thru the machine it runs on. This setting might decrease performance, depending on your network design and load. On switched networks, this usually has little or no effect. Note that promiscuous mode on IP-enabled interfaces can be de‐ tected remotely, and is sometimes not welcome by network admin‐ istrators. -d go into daemon mode (detach from current terminal and fork into background). Requires -o or -s. -L lists all available interfaces, then quits. Particularly useful on Windows, where the system-generated interface names are im‐ possible to memorize. -S limit Limit number of parallel API connections (default: 20) -t c,h Set connection / host cache age limits (default: 30s,120m) -m c,h Limit the number of active connections / hosts (default: 1000,10000)
The last part, 'filter rule', is a bpf-style filter expression for in‐ coming packets. It is very useful for excluding or including certain networks, hosts, or specific packets, in the logfile. See man tcpdump for more information, few examples: ´src port ftp-data´ ´not dst net 10.0.0.0 mask 255.0.0.0´ ´dst port 80 and ( src host 22.214.171.124 or src host 126.96.36.199 )´
You need to consult the documentation for an up-to-date list of issues.
/etc/p0f/p0f.fp default fingerprint database file
p0f was written by Michal Zalewski