Provided by: p0f_2.0.8-2_amd64 bug

NAME

       p0f - identify remote systems passively

SYNOPSIS

       p0f p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket [ -0 ] ] [ -w file ]
       [ -u user ] [ -c size ] [ -T nn ] [ -e nn ] [ -FNODVUKAXMqxtpdlRL ] [ 'filter rule' ]

DESCRIPTION

       p0f uses a fingerprinting technique based on analyzing the structure of a TCP/IP packet to
       determine  the  operating  system and other configuration properties of a remote host. The
       process is completely passive and does not generate any suspicious  network  traffic.  The
       other host has to either:

       - connect to your network - either spontaneously or in an induced manner, for example when
       trying to establish a ftp data stream, returning a bounced mail, performing  auth  lookup,
       using IRC DCC, external html mail image reference and so on,

       -  or be contacted by some entity on your network using some standard means (such as a web
       browsing); it can either accept or refuse the connection.

       The method can see thru packet firewalls and does not have the restrictions of  an  active
       fingerprinting. The main uses of passive OS fingerprinting are attacker profiling (IDS and
       honeypots), visitor profiling  (content  optimization),  customer/user  profiling  (policy
       enforcement), pen-testing, etc.

OPTIONS

       -f file
              read  fingerprints  from  file;  by  default, p0f reads signatures from ./p0f.fp or
              /etc/p0f/p0f.fp (the latter on Unix systems only). You can use this to load  custom
              fingerprint data.  Specifying multiple -f values will NOT combine several signature
              files together.

       -i device
              listen on this device; p0f defaults to whatever device libpcap considers to be  the
              best  (and  which  often isn't). On some newer systems you might be able to specify
              'any' to listen on all devices, but don't rely  on  this.  Specifying  multiple  -i
              values will NOT cause p0f to listen on several interfaces at once.

       -s file
              read  packets  from  tcpdump  snapshot;  this is an alternate mode of operation, in
              which p0f reads packet from pcap data capture file,  instead  of  a  live  network.
              Useful for forensics (this will parse tcpdump -w output, for example).

              You  can  use  Ethereal's text2pcap to convert human-readable packet traces to pcap
              files, if needed.

       -w file
              writes matching packets to a  tcpdump  snapshot,  in  addition  to  fingerprinting;
              useful when it is advisable to save copies of the actual traffic for review.

       -o file
              write to this logfile. This option is required for -d and implies -t.

       -Q socket
              listen  on  a  specified  local  stream  socket  (a  filesystem object, for example
              /var/run/p0f-sock) for queries. One can later send a packet  to  this  socket  with
              p0f_query  structure  from p0f-query.h, and wait for p0f_response. This is a method
              of integrating p0f with active services (web server or web scripts, etc). P0f  will
              still  continue  to  report  signatures  the  usual  way  -  but  you  can use -qKU
              combination to suppress this. Also see -c notes.

              A sample query tool (p0fq) is provided in the test/ subdirectory. There is  also  a
              trivial perl implementation of a client available.

              NOTE:  The  socket  will  be created with permissions corresponding to your current
              umask. If you want to restrict access to this interface, use caution.

       -0     treat source port 0 in remote queries as a wildcard: find any record for that host.
              This  is  useful  when developing plugins for programs that do not pass source port
              information to the subsystem that uses p0f queries; note that this introduces  some
              ambiguity, and the returned match might be not for the exact connection in question
              (-Q mode only).

       -e ms  packet capture window. On some systems (particularly on older  Suns),  the  default
              pcap  capture window of 1 ms is insufficient, and p0f may get no packets. In such a
              case, adjust this  parameter  to  the  smallest  value  that  results  in  reliable
              operation (note that this might introduce some latency to p0f).  -c size cache size
              for -Q and -M options. The default is 128, which is  sane  for  a  system  under  a
              moderate  network  load.  Setting  it too high will slow down p0f and may result in
              some -M false positives for dial-up nodes, dual-boot systems, etc. Setting  it  too
              low  will  result in cache misses for -Q option. To choose the right value, use the
              number of connections on average per the interval of time you want to  cache,  then
              pass it to p0f with -c.

              P0f,  when  run  without -q, also reports average packet ratio on exit. You can use
              this to determine the optimal -c setting.  This option has no effect if you do  not
              use -Q nor -M.

       -u user
              this  option  forces  p0f  to  chroot  to  this user's home directory after reading
              configuration data and binding to sockets, then to  switch  to  his  UID,  GID  and
              supplementary groups.

              This  is a security feature for the paranoid - when running p0f in daemon mode, you
              might want to create a new unprivileged user with  an  empty  home  directory,  and
              limit  the  exposure  when  p0f is compromised. That said, should such a compromise
              occur, the attacker will still have a socket he can use for sniffing  some  network
              traffic (better than rm -rf /).

       -N     inhibit  guesswork;  do  not report distances and link media. With this option, p0f
              logs only source IP and OS data.

       -F     deploy fuzzy matching algorithm if no precise matches are found (currently  applies
              to TTL only). This option is not recommended for RST+ mode.

       -D     do  not report OS details (just genre). This option is useful if you don't want p0f
              to elaborate on OS versions and such (combine with -N).

       -U     do not display unknown signatures. Use this option if you want  to  keep  your  log
              file clean and are not interested in hosts that are not recognized.

       -K     do  not  display  known  signatures.  This  option  is  useful  when  you  run  p0f
              recreationally and want to spot UFOs, or in -Q or -M modes when combined with -U to
              inhibit all output.

       -q     be quiet - do not display banners and keep low profile.

       -p     switch  card to promiscuous mode; by default, p0f listens only to packets addressed
              or routed thru the machine it runs on. This  setting  might  decrease  performance,
              depending  on  your network design and load. On switched networks, this usually has
              little or no effect.

              Note that promiscuous mode on IP-enabled interfaces can be detected  remotely,  and
              is sometimes not welcome by network administrators.

       -t     add  human-readable  timestamps  to  every entry (use multiple times to change date
              format, a la tcpdump).

       -d     go into daemon mode (detach  from  current  terminal  and  fork  into  background).
              Requires -o.

       -l     outputs data in line-per-record style (easier to grep).

       -A     a semi-supported option for SYN+ACK mode. This option will cause p0f to fingerprint
              systems you connect to, as opposed to systems that connect to you  (default).  With
              this  option, p0f will look for p0fa.fp file instead of the usual p0f.fp. The usual
              config is NOT SUITABLE for this mode.

              The SYN+ACK signature database is sort of small at the  moment,  but  suitable  for
              many uses. Feel free to contribute.

       -R     a barely-supported option for RST+ mode. This option will prompt p0f to fingerprint
              several different types of  traffic,  most  importantly  "connection  refused"  and
              "timeout" messages.

              This  mode  is  similar  to SYN+ACK (-A), except that the program will now look for
              p0fr.fp. The usual  config  is  NOT  SUITABLE  for  this  mode.  You  may  have  to
              familiarize yourself with p0fr.fp before using it.

       -O     absolutely  experimental  open  connection (stray ACK) fingerprinting mode. In this
              mode, p0f will attempt to indiscriminately identify OS on  all  packets  within  an
              already established connection.

              The  only use of this mode is to perform an immediate fingerprinting of an existing
              session. Because of the sheer amount of output, you are advised against running p0f
              in this mode for extended periods of time.

              The  program  will  use  p0fo.fp file to read fingerprints. The usual config is NOT
              SUITABLE for this mode. Do not use unless you know what you are  doing.  NOTE:  The
              p0fo.fp database is very sparsely populated at the moment.

       -r     resolve  host  names; this mode is MUCH slower and poses some security risk. Do not
              use except for interactive runs or low traffic situations. NOTE:  the  option  ONLY
              resolves  IP  address  into  a  name,  and does not perform any checks for matching
              reverse DNS. Hence, the name may be spoofed - do not rely on  it  without  checking
              twice.

       -C     perform collision check on signatures prior to running. This is an essential option
              whenever you add new signatures to .fp files, but is not necessary otherwise.

       -x     dump full packet contents; this option is not compatible with -l  and  is  intended
              for debugging and packet comparison only.

       -X     display  packet  payload;  rarely,  control packets we examine may carry a payload.
              This is a bug for the default (SYN) and -A  (SYN+ACK)  modes,  but  is  (sometimes)
              acceptable in -R (RST+) mode.

       -M     deploy  masquerade  detection  algorithm.  The algorithm looks over recent (cached)
              hits and looks for indications of multiple systems being behind a  single  gateway.
              This is useful on routers and such to detect policy violations. Note that this mode
              is somewhat slower due to caching and lookups. Use with caution (or do not  use  at
              all) in modes other than default (SYN).

       -T nn  masquerade  detection  threshold;  only  meaningful with -M, sets the threshold for
              masquerade reporting.

       -V     use verbose masquerade detection reporting. This option describes the status of all
              indicators, not only an overall value.

       -v     enable  support  for  802.1Q  VLAN  tagged frames. Available on some interfaces, on
              other, will result in BPF error.

FILTERS

       The last part, 'filter rule', is a bpf-style filter expression for incoming packets. It is
       very  useful  for  excluding or including certain networks, hosts, or specific packets, in
       the logfile. See man tcpdump for more information, few examples:

       ´src port ftp-data´

       ´not dst net 10.0.0.0 mask 255.0.0.0´

       ´dst port 80 and ( src host 195.117.3.59 or src host 217.8.32.51 )´

       You also can use a companion log report utility for p0f. Simply run 'p0frep' for help.

SECURITY

       P0f, due to its simplicity, is believed to be considerably secure than other software that
       is  often  being  run for packet capture (tcpdump, Ettercap, Ethereal, etc). Please follow
       the security guidelines posted in the documentation supplied with the package.

BUGS

       You need to consult the documentation for an up-to-date list of issues.

FILES

       /etc/p0f/p0f.fp /etc/p0f/p0fa.fp /etc/p0f/p0fr.fp /etc/p0f/p0fo.fp
              default fingerprint database files

AUTHOR

       p0f was written by Michal Zalewski <lcamtuf@coredump.cx>.  This man  page  was  originally
       written  by  William  Stearns  <wstearns@pobox.com>,  then  adopted  for  p0f v2 by Michal
       Zalewski.

                                                                                           P0F(1)