Man Linux: Main Page and Category List

NAME

       p0f - identify remote systems passively

SYNOPSIS

       p0f p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket [
       -0 ] ] [ -w file ] [ -u user ] [ -c size ] [ -T  nn  ]  [  -e  nn  ]  [
       -FNODVUKAXMqxtpdlRL ] [ filter rule ]

DESCRIPTION

       p0f uses a fingerprinting technique based on analyzing the structure of
       a  TCP/IP  packet  to  determine  the  operating   system   and   other
       configuration  properties  of  a remote host. The process is completely
       passive and does not generate any suspicious network traffic. The other
       host has to either:

       -  connect  to  your  network  -  either spontaneously or in an induced
       manner, for example  when  trying  to  establish  a  ftp  data  stream,
       returning  a  bounced  mail,  performing  auth  lookup,  using IRC DCC,
       external html mail image reference and so on,

       - or be contacted by some entity on your network  using  some  standard
       means  (such  as  a  web  browsing); it can either accept or refuse the
       connection.

       The method can  see  thru  packet  firewalls  and  does  not  have  the
       restrictions  of  an active fingerprinting. The main uses of passive OS
       fingerprinting are attacker  profiling  (IDS  and  honeypots),  visitor
       profiling   (content  optimization),  customer/user  profiling  (policy
       enforcement), pen-testing, etc.

OPTIONS

       -f file
              read fingerprints from file; by default,  p0f  reads  signatures
              from  ./p0f.fp  or  /etc/p0f/p0f.fp  (the latter on Unix systems
              only). You  can  use  this  to  load  custom  fingerprint  data.
              Specifying multiple -f values will NOT combine several signature
              files together.

       -i device
              listen on this device; p0f defaults to whatever  device  libpcap
              considers  to be the best (and which often isn’t). On some newer
              systems you might be able to specify  ’any’  to  listen  on  all
              devices,  but  don’t rely on this. Specifying multiple -i values
              will NOT cause p0f to listen on several interfaces at once.

       -s file
              read packets from tcpdump snapshot; this is an alternate mode of
              operation,  in  which  p0f  reads  packet from pcap data capture
              file, instead of a live network. Useful for forensics (this will
              parse tcpdump -w output, for example).

              You  can  use  Ethereal’s  text2pcap  to  convert human-readable
              packet traces to pcap files, if needed.

       -w file
              writes matching packets to a tcpdump snapshot,  in  addition  to
              fingerprinting;  useful  when  it is advisable to save copies of
              the actual traffic for review.

       -o file
              write to this logfile.  This  option  is  required  for  -d  and
              implies -t.

       -Q socket
              listen  on a specified local stream socket (a filesystem object,
              for example /var/run/p0f-sock) for queries. One can later send a
              packet to this socket with p0f_query structure from p0f-query.h,
              and wait for p0f_response. This is a method of  integrating  p0f
              with  active services (web server or web scripts, etc). P0f will
              still continue to report signatures the usual way - but you  can
              use -qKU combination to suppress this. Also see -c notes.

              A   sample   query   tool   (p0fq)  is  provided  in  the  test/
              subdirectory. There is also a trivial perl implementation  of  a
              client available.

              NOTE:  The socket will be created with permissions corresponding
              to your current umask. If you want to restrict  access  to  this
              interface, use caution.

       -0     treat  source  port  0 in remote queries as a wildcard: find any
              record for that host. This is useful when developing plugins for
              programs  that  do  not  pass  source  port  information  to the
              subsystem that uses p0f queries; note that this introduces  some
              ambiguity,  and  the  returned  match might be not for the exact
              connection in question (-Q mode only).

       -e ms  packet capture window. On some systems  (particularly  on  older
              Suns),  the default pcap capture window of 1 ms is insufficient,
              and p0f may  get  no  packets.  In  such  a  case,  adjust  this
              parameter  to  the  smallest  value  that  results  in  reliable
              operation (note that this might introduce some latency to  p0f).
              -c  size  cache  size for -Q and -M options. The default is 128,
              which is sane for  a  system  under  a  moderate  network  load.
              Setting it too high will slow down p0f and may result in some -M
              false positives  for  dial-up  nodes,  dual-boot  systems,  etc.
              Setting it too low will result in cache misses for -Q option. To
              choose the right value, use the number of connections on average
              per  the interval of time you want to cache, then pass it to p0f
              with -c.

              P0f, when run without -q, also reports average packet  ratio  on
              exit.  You  can  use  this  to determine the optimal -c setting.
              This option has no effect if you do not use -Q nor -M.

       -u user
              this option forces p0f to chroot to this user’s  home  directory
              after reading configuration data and binding to sockets, then to
              switch to his UID, GID and supplementary groups.

              This is a security feature for the paranoid - when  running  p0f
              in daemon mode, you might want to create a new unprivileged user
              with an empty home directory, and limit the exposure when p0f is
              compromised.  That  said,  should  such  a compromise occur, the
              attacker will still have a socket he can use for  sniffing  some
              network traffic (better than rm -rf /).

       -N     inhibit  guesswork; do not report distances and link media. With
              this option, p0f logs only source IP and OS data.

       -F     deploy fuzzy matching algorithm if no precise matches are  found
              (currently  applies to TTL only). This option is not recommended
              for RST+ mode.

       -D     do not report OS details (just genre). This option is useful  if
              you don’t want p0f to elaborate on OS versions and such (combine
              with -N).

       -U     do not display unknown signatures. Use this option if  you  want
              to keep your log file clean and are not interested in hosts that
              are not recognized.

       -K     do not display known signatures. This option is useful when  you
              run  p0f  recreationally  and  want to spot UFOs, or in -Q or -M
              modes when combined with -U to inhibit all output.

       -q     be quiet - do not display banners and keep low profile.

       -p     switch card to promiscuous mode; by default, p0f listens only to
              packets  addressed  or  routed thru the machine it runs on. This
              setting might decrease performance, depending  on  your  network
              design  and  load. On switched networks, this usually has little
              or no effect.

              Note that promiscuous  mode  on  IP-enabled  interfaces  can  be
              detected  remotely,  and  is  sometimes  not  welcome by network
              administrators.

       -t     add human-readable timestamps to every entry (use multiple times
              to change date format, a la tcpdump).

       -d     go  into daemon mode (detach from current terminal and fork into
              background). Requires -o.

       -l     outputs data in line-per-record style (easier to grep).

       -A     a semi-supported option for SYN+ACK mode. This option will cause
              p0f to fingerprint systems you connect to, as opposed to systems
              that connect to you (default). With this option, p0f  will  look
              for  p0fa.fp  file instead of the usual p0f.fp. The usual config
              is NOT SUITABLE for this mode.

              The SYN+ACK signature database is sort of small at  the  moment,
              but suitable for many uses. Feel free to contribute.

       -R     a barely-supported option for RST+ mode. This option will prompt
              p0f to fingerprint several  different  types  of  traffic,  most
              importantly "connection refused" and "timeout" messages.

              This  mode  is  similar to SYN+ACK (-A), except that the program
              will now look for p0fr.fp. The usual config is NOT SUITABLE  for
              this  mode.  You  may  have to familiarize yourself with p0fr.fp
              before using it.

       -O     absolutely   experimental   open    connection    (stray    ACK)
              fingerprinting   mode.   In  this  mode,  p0f  will  attempt  to
              indiscriminately identify OS on all packets  within  an  already
              established connection.

              The   only   use  of  this  mode  is  to  perform  an  immediate
              fingerprinting of an existing  session.  Because  of  the  sheer
              amount  of  output,  you are advised against running p0f in this
              mode for extended periods of time.

              The program will use p0fo.fp  file  to  read  fingerprints.  The
              usual  config  is  NOT SUITABLE for this mode. Do not use unless
              you know what you are doing. NOTE: The p0fo.fp database is  very
              sparsely populated at the moment.

       -r     resolve  host  names;  this  mode  is MUCH slower and poses some
              security risk. Do not use except for  interactive  runs  or  low
              traffic  situations.  NOTE:  the option ONLY resolves IP address
              into a name, and  does  not  perform  any  checks  for  matching
              reverse  DNS. Hence, the name may be spoofed - do not rely on it
              without checking twice.

       -C     perform collision check on signatures prior to running. This  is
              an  essential  option  whenever  you  add  new signatures to .fp
              files, but is not necessary otherwise.

       -x     dump full packet contents; this option is not compatible with -l
              and is intended for debugging and packet comparison only.

       -X     display  packet  payload; rarely, control packets we examine may
              carry a payload. This is a bug for  the  default  (SYN)  and  -A
              (SYN+ACK)  modes,  but  is  (sometimes)  acceptable in -R (RST+)
              mode.

       -M     deploy masquerade detection algorithm. The algorithm looks  over
              recent  (cached)  hits  and  looks  for  indications of multiple
              systems being behind a single gateway. This is useful on routers
              and  such  to  detect  policy violations. Note that this mode is
              somewhat slower due to caching and lookups. Use with caution (or
              do not use at all) in modes other than default (SYN).

       -T nn  masquerade  detection  threshold;  only meaningful with -M, sets
              the threshold for masquerade reporting.

       -V     use  verbose  masquerade  detection   reporting.   This   option
              describes  the  status  of  all  indicators, not only an overall
              value.

       -v     enable support for 802.1Q VLAN tagged frames. Available on  some
              interfaces, on other, will result in BPF error.

FILTERS

       The  last  part,  ’filter  rule’,  is a bpf-style filter expression for
       incoming packets. It is very useful for excluding or including  certain
       networks,  hosts,  or specific packets, in the logfile. See man tcpdump
       for more information, few examples:

       ´src port ftp-data´

       ´not dst net 10.0.0.0 mask 255.0.0.0´

       ´dst port 80 and ( src host 195.117.3.59 or src host 217.8.32.51 )´

       You also can use a companion log report utility  for  p0f.  Simply  run
       ’p0frep’ for help.

SECURITY

       P0f,  due to its simplicity, is believed to be considerably secure than
       other software that is often being run  for  packet  capture  (tcpdump,
       Ettercap,  Ethereal, etc). Please follow the security guidelines posted
       in the documentation supplied with the package.

BUGS

       You need to consult the documentation for an up-to-date list of issues.

FILES

       /etc/p0f/p0f.fp /etc/p0f/p0fa.fp /etc/p0f/p0fr.fp /etc/p0f/p0fo.fp
              default fingerprint database files

AUTHOR

       p0f  was  written  by  Michal Zalewski <lcamtuf@coredump.cx>.  This man
       page was originally written by  William  Stearns  <wstearns@pobox.com>,
       then adopted for p0f v2 by Michal Zalewski.