xenial (1) p0f.1.gz

Provided by: p0f_2.0.8-2_amd64 bug

NAME

       p0f - identify remote systems passively

SYNOPSIS

       p0f  p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket [ -0 ] ] [ -w file ] [ -u user ] [
       -c size ] [ -T nn ] [ -e nn ] [ -FNODVUKAXMqxtpdlRL ] [ 'filter rule' ]

DESCRIPTION

       p0f uses a fingerprinting technique based on analyzing the structure of a TCP/IP packet to determine  the
       operating  system  and other configuration properties of a remote host. The process is completely passive
       and does not generate any suspicious network traffic. The other host has to either:

       - connect to your network - either spontaneously or in an induced manner,  for  example  when  trying  to
       establish  a  ftp  data stream, returning a bounced mail, performing auth lookup, using IRC DCC, external
       html mail image reference and so on,

       - or be contacted by some entity on your network using some standard means (such as a web  browsing);  it
       can either accept or refuse the connection.

       The  method can see thru packet firewalls and does not have the restrictions of an active fingerprinting.
       The main uses of passive OS fingerprinting are attacker profiling (IDS and honeypots), visitor  profiling
       (content optimization), customer/user profiling (policy enforcement), pen-testing, etc.

OPTIONS

       -f file
              read  fingerprints  from  file;  by default, p0f reads signatures from ./p0f.fp or /etc/p0f/p0f.fp
              (the latter on Unix systems only). You can use this to load custom fingerprint  data.   Specifying
              multiple -f values will NOT combine several signature files together.

       -i device
              listen on this device; p0f defaults to whatever device libpcap considers to be the best (and which
              often isn't). On some newer systems you might be able to specify 'any' to listen on  all  devices,
              but  don't  rely  on  this.  Specifying multiple -i values will NOT cause p0f to listen on several
              interfaces at once.

       -s file
              read packets from tcpdump snapshot; this is an alternate mode of operation,  in  which  p0f  reads
              packet  from  pcap  data  capture file, instead of a live network. Useful for forensics (this will
              parse tcpdump -w output, for example).

              You can use Ethereal's text2pcap to convert human-readable packet traces to pcap files, if needed.

       -w file
              writes matching packets to a tcpdump snapshot, in addition to fingerprinting; useful  when  it  is
              advisable to save copies of the actual traffic for review.

       -o file
              write to this logfile. This option is required for -d and implies -t.

       -Q socket
              listen on a specified local stream socket (a filesystem object, for example /var/run/p0f-sock) for
              queries. One can later send a packet to this socket with p0f_query structure from p0f-query.h, and
              wait for p0f_response. This is a method of integrating p0f with active services (web server or web
              scripts, etc). P0f will still continue to report signatures the usual way - but you can  use  -qKU
              combination to suppress this. Also see -c notes.

              A  sample  query  tool  (p0fq) is provided in the test/ subdirectory. There is also a trivial perl
              implementation of a client available.

              NOTE: The socket will be created with permissions corresponding to your current umask. If you want
              to restrict access to this interface, use caution.

       -0     treat source port 0 in remote queries as a wildcard: find any record for that host. This is useful
              when developing plugins for programs that do not pass source port  information  to  the  subsystem
              that  uses  p0f queries; note that this introduces some ambiguity, and the returned match might be
              not for the exact connection in question (-Q mode only).

       -e ms  packet capture window. On some systems (particularly on older  Suns),  the  default  pcap  capture
              window  of 1 ms is insufficient, and p0f may get no packets. In such a case, adjust this parameter
              to the smallest value that results in reliable operation (note  that  this  might  introduce  some
              latency  to p0f).  -c size cache size for -Q and -M options. The default is 128, which is sane for
              a system under a moderate network load. Setting it too high will slow down p0f and may  result  in
              some  -M false positives for dial-up nodes, dual-boot systems, etc. Setting it too low will result
              in cache misses for -Q option. To choose the right value, use the number of connections on average
              per the interval of time you want to cache, then pass it to p0f with -c.

              P0f, when run without -q, also reports average packet ratio on exit. You can use this to determine
              the optimal -c setting.  This option has no effect if you do not use -Q nor -M.

       -u user
              this option forces p0f to chroot to this user's home directory after  reading  configuration  data
              and binding to sockets, then to switch to his UID, GID and supplementary groups.

              This  is  a security feature for the paranoid - when running p0f in daemon mode, you might want to
              create a new unprivileged user with an empty home directory, and limit the exposure  when  p0f  is
              compromised.  That  said, should such a compromise occur, the attacker will still have a socket he
              can use for sniffing some network traffic (better than rm -rf /).

       -N     inhibit guesswork; do not report distances and link media. With this option, p0f logs only  source
              IP and OS data.

       -F     deploy  fuzzy  matching algorithm if no precise matches are found (currently applies to TTL only).
              This option is not recommended for RST+ mode.

       -D     do not report OS details (just genre). This option is useful if you don't want p0f to elaborate on
              OS versions and such (combine with -N).

       -U     do not display unknown signatures. Use this option if you want to keep your log file clean and are
              not interested in hosts that are not recognized.

       -K     do not display known signatures. This option is useful when you run p0f recreationally and want to
              spot UFOs, or in -Q or -M modes when combined with -U to inhibit all output.

       -q     be quiet - do not display banners and keep low profile.

       -p     switch  card to promiscuous mode; by default, p0f listens only to packets addressed or routed thru
              the machine it runs on. This setting might decrease performance, depending on your network  design
              and load. On switched networks, this usually has little or no effect.

              Note that promiscuous mode on IP-enabled interfaces can be detected remotely, and is sometimes not
              welcome by network administrators.

       -t     add human-readable timestamps to every entry (use multiple times  to  change  date  format,  a  la
              tcpdump).

       -d     go into daemon mode (detach from current terminal and fork into background). Requires -o.

       -l     outputs data in line-per-record style (easier to grep).

       -A     a  semi-supported  option  for SYN+ACK mode. This option will cause p0f to fingerprint systems you
              connect to, as opposed to systems that connect to you (default). With this option, p0f  will  look
              for p0fa.fp file instead of the usual p0f.fp. The usual config is NOT SUITABLE for this mode.

              The  SYN+ACK  signature  database is sort of small at the moment, but suitable for many uses. Feel
              free to contribute.

       -R     a barely-supported option for RST+ mode. This  option  will  prompt  p0f  to  fingerprint  several
              different types of traffic, most importantly "connection refused" and "timeout" messages.

              This mode is similar to SYN+ACK (-A), except that the program will now look for p0fr.fp. The usual
              config is NOT SUITABLE for this mode. You may have to familiarize  yourself  with  p0fr.fp  before
              using it.

       -O     absolutely  experimental  open  connection (stray ACK) fingerprinting mode. In this mode, p0f will
              attempt to indiscriminately identify OS on all packets within an already established connection.

              The only use of this mode is to perform  an  immediate  fingerprinting  of  an  existing  session.
              Because  of  the  sheer  amount  of  output,  you are advised against running p0f in this mode for
              extended periods of time.

              The program will use p0fo.fp file to read fingerprints. The usual config is NOT SUITABLE for  this
              mode.  Do  not use unless you know what you are doing. NOTE: The p0fo.fp database is very sparsely
              populated at the moment.

       -r     resolve host names; this mode is MUCH slower and poses some security risk. Do not use  except  for
              interactive runs or low traffic situations. NOTE: the option ONLY resolves IP address into a name,
              and does not perform any checks for matching reverse DNS. Hence, the name may be spoofed - do  not
              rely on it without checking twice.

       -C     perform  collision  check on signatures prior to running. This is an essential option whenever you
              add new signatures to .fp files, but is not necessary otherwise.

       -x     dump full packet contents; this option is not compatible with -l and is intended for debugging and
              packet comparison only.

       -X     display  packet payload; rarely, control packets we examine may carry a payload. This is a bug for
              the default (SYN) and -A (SYN+ACK) modes, but is (sometimes) acceptable in -R (RST+) mode.

       -M     deploy masquerade detection algorithm. The algorithm looks over recent (cached) hits and looks for
              indications  of multiple systems being behind a single gateway. This is useful on routers and such
              to detect policy violations. Note that this mode is somewhat slower due to  caching  and  lookups.
              Use with caution (or do not use at all) in modes other than default (SYN).

       -T nn  masquerade  detection  threshold;  only  meaningful  with  -M,  sets  the threshold for masquerade
              reporting.

       -V     use verbose masquerade detection reporting. This option describes the status  of  all  indicators,
              not only an overall value.

       -v     enable  support for 802.1Q VLAN tagged frames. Available on some interfaces, on other, will result
              in BPF error.

FILTERS

       The last part, 'filter rule', is a bpf-style filter expression for incoming packets. It  is  very  useful
       for  excluding or including certain networks, hosts, or specific packets, in the logfile. See man tcpdump
       for more information, few examples:

       ´src port ftp-data´

       ´not dst net 10.0.0.0 mask 255.0.0.0´

       ´dst port 80 and ( src host 195.117.3.59 or src host 217.8.32.51 )´

       You also can use a companion log report utility for p0f. Simply run 'p0frep' for help.

SECURITY

       P0f, due to its simplicity, is believed to be considerably secure than other software that is often being
       run  for  packet capture (tcpdump, Ettercap, Ethereal, etc). Please follow the security guidelines posted
       in the documentation supplied with the package.

BUGS

       You need to consult the documentation for an up-to-date list of issues.

FILES

       /etc/p0f/p0f.fp /etc/p0f/p0fa.fp /etc/p0f/p0fr.fp /etc/p0f/p0fo.fp
              default fingerprint database files

AUTHOR

       p0f was written by Michal Zalewski <lcamtuf@coredump.cx>.   This  man  page  was  originally  written  by
       William Stearns <wstearns@pobox.com>, then adopted for p0f v2 by Michal Zalewski.

                                                                                                          P0F(1)