P0F(1)                      General Commands Manual                     P0F(1)

NAME
       p0f - identify remote systems passively

SYNOPSIS
       p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket [ -0 ] ]
           [ -w file ] [ -u user ] [ -c size ] [ -T nn ] [ -e nn ]
           [ -FNODVUKAXMqxtpdlRL ] [ 'filter rule' ]

DESCRIPTION
       p0f uses a fingerprinting technique based on analyzing the structure
       of a TCP/IP packet to determine the operating system and other
       configuration properties of a remote host. The process is completely
       passive and does not generate any suspicious network traffic. The
       other host has to either:

       - connect to your network, either spontaneously or in an induced
         manner, for example when trying to establish an ftp data stream,
         returning a bounced mail, performing an auth lookup, using IRC DCC,
         an external HTML mail image reference and so on,

       - or be contacted by some entity on your network using some standard
         means (such as web browsing); it can either accept or refuse the
         connection.

       The method can see through packet firewalls and does not have the
       restrictions of active fingerprinting. The main uses of passive OS
       fingerprinting are attacker profiling (IDS and honeypots), visitor
       profiling (content optimization), customer/user profiling (policy
       enforcement), pen-testing, etc.

OPTIONS
       -f file
              read fingerprints from file; by default, p0f reads signatures
              from ./p0f.fp or /etc/p0f/p0f.fp (the latter on Unix systems
              only). You can use this to load custom fingerprint data.
              Specifying multiple -f values will NOT combine several
              signature files together.

       -i device
              listen on this device; p0f defaults to whatever device libpcap
              considers to be the best (and which often isn't). On some newer
              systems you might be able to specify 'any' to listen on all
              devices, but don't rely on this. Specifying multiple -i values
              will NOT cause p0f to listen on several interfaces at once.

       -s file
              read packets from a tcpdump snapshot; this is an alternate mode
              of operation, in which p0f reads packets from a pcap capture
              file instead of a live network. Useful for forensics (this
              will parse tcpdump -w output, for example).

              You can use Ethereal's text2pcap to convert human-readable
              packet traces to pcap files, if needed.

       -w file
              write matching packets to a tcpdump snapshot, in addition to
              fingerprinting; useful when it is advisable to save copies of
              the actual traffic for review.

       -o file
              write to this logfile. This option is required for -d and
              implies -t.

       -Q socket
              listen on a specified local stream socket (a filesystem object,
              for example /var/run/p0f-sock) for queries. One can later send
              a packet to this socket with the p0f_query structure from
              p0f-query.h, and wait for a p0f_response. This is a method of
              integrating p0f with active services (web servers or web
              scripts, etc). p0f will still continue to report signatures the
              usual way, but you can use the -qKU combination to suppress
              this. Also see the -c notes.

              A sample query tool (p0fq) is provided in the test/
              subdirectory. There is also a trivial Perl implementation of a
              client available.

              NOTE: The socket will be created with permissions corresponding
              to your current umask. If you want to restrict access to this
              interface, use caution.

       -0     treat source port 0 in remote queries as a wildcard: find any
              record for that host. This is useful when developing plugins
              for programs that do not pass source port information to the
              subsystem that uses p0f queries; note that this introduces some
              ambiguity, and the returned match might not be for the exact
              connection in question (-Q mode only).

       -e ms  packet capture window. On some systems (particularly on older
              Suns), the default pcap capture window of 1 ms is insufficient,
              and p0f may get no packets. In such a case, adjust this
              parameter to the smallest value that results in reliable
              operation (note that this might introduce some latency to p0f).

       -c size
              cache size for the -Q and -M options. The default is 128, which
              is sane for a system under moderate network load. Setting it
              too high will slow down p0f and may result in some -M false
              positives for dial-up nodes, dual-boot systems, etc. Setting it
              too low will result in cache misses for the -Q option. To
              choose the right value, use the average number of connections
              per the interval of time you want to cache, then pass it to p0f
              with -c.

              p0f, when run without -q, also reports the average packet ratio
              on exit. You can use this to determine the optimal -c setting.
              This option has no effect if you use neither -Q nor -M.

       -u user
              this option forces p0f to chroot to this user's home directory
              after reading configuration data and binding to sockets, then
              to switch to that user's UID, GID and supplementary groups.

              This is a security feature for the paranoid: when running p0f
              in daemon mode, you might want to create a new unprivileged
              user with an empty home directory, and limit the exposure when
              p0f is compromised. That said, should such a compromise occur,
              the attacker will still have a socket they can use for sniffing
              some network traffic (better than rm -rf /).

       -N     inhibit guesswork; do not report distances and link media. With
              this option, p0f logs only source IP and OS data.

       -F     deploy the fuzzy matching algorithm if no precise matches are
              found (currently applies to TTL only). This option is not
              recommended for RST+ mode.

       -D     do not report OS details (just genre). This option is useful if
              you don't want p0f to elaborate on OS versions and such
              (combine with -N).

       -U     do not display unknown signatures. Use this option if you want
              to keep your log file clean and are not interested in hosts
              that are not recognized.

       -K     do not display known signatures. This option is useful when you
              run p0f recreationally and want to spot UFOs, or in -Q or -M
              modes when combined with -U to inhibit all output.

       -q     be quiet: do not display banners and keep a low profile.

       -p     switch the card to promiscuous mode; by default, p0f listens
              only to packets addressed or routed through the machine it runs
              on. This setting might decrease performance, depending on your
              network design and load. On switched networks, this usually
              has little or no effect.

              Note that promiscuous mode on IP-enabled interfaces can be
              detected remotely, and is sometimes not welcome by network
              administrators.

       -t     add human-readable timestamps to every entry (use multiple
              times to change the date format, a la tcpdump).

       -d     go into daemon mode (detach from the current terminal and fork
              into the background). Requires -o.

       -l     output data in line-per-record style (easier to grep).

       -A     a semi-supported option for SYN+ACK mode. This option will
              cause p0f to fingerprint systems you connect to, as opposed to
              systems that connect to you (the default). With this option,
              p0f will look for the p0fa.fp file instead of the usual p0f.fp.
              The usual config is NOT SUITABLE for this mode.

              The SYN+ACK signature database is sort of small at the moment,
              but suitable for many uses. Feel free to contribute.

       -R     a barely-supported option for RST+ mode. This option will
              prompt p0f to fingerprint several different types of traffic,
              most importantly "connection refused" and "timeout" messages.

              This mode is similar to SYN+ACK (-A), except that the program
              will now look for p0fr.fp. The usual config is NOT SUITABLE for
              this mode. You may have to familiarize yourself with p0fr.fp
              before using it.

       -O     absolutely experimental open connection (stray ACK)
              fingerprinting mode. In this mode, p0f will attempt to
              indiscriminately identify the OS on all packets within an
              already established connection.

              The only use of this mode is to perform immediate
              fingerprinting of an existing session. Because of the sheer
              amount of output, you are advised against running p0f in this
              mode for extended periods of time.

              The program will use the p0fo.fp file to read fingerprints. The
              usual config is NOT SUITABLE for this mode. Do not use unless
              you know what you are doing. NOTE: The p0fo.fp database is very
              sparsely populated at the moment.

       -r     resolve host names; this mode is MUCH slower and poses some
              security risk. Do not use except for interactive runs or low
              traffic situations. NOTE: the option ONLY resolves an IP
              address into a name, and does not perform any checks for a
              matching reverse DNS. Hence, the name may be spoofed; do not
              rely on it without checking twice.

       -C     perform a collision check on signatures prior to running. This
              is an essential option whenever you add new signatures to

       -x     dump full packet contents; this option is not compatible with
              -l and is intended for debugging and packet comparison only.

       -X     display packet payload; rarely, control packets we examine may
              carry a payload. This is a bug for the default (SYN) and -A
              (SYN+ACK) modes, but is (sometimes) acceptable in -R (RST+)
              mode.

       -M     deploy the masquerade detection algorithm. The algorithm looks
              over recent (cached) hits and looks for indications of multiple
              systems being behind a single gateway. This is useful on
              routers and such to detect policy violations. Note that this
              mode is somewhat slower due to caching and lookups. Use with
              caution (or do not use at all) in modes other than the default
              (SYN).

       -T nn  masquerade detection threshold; only meaningful with -M, sets
              the threshold for masquerade reporting.

       -V     use verbose masquerade detection reporting. This option
              describes the status of all indicators, not only an overall
              value.

       -v     enable support for 802.1Q VLAN tagged frames. Available on some
              interfaces; on others, it will result in a BPF error.

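The -o, -l and -t options above produce a plain text log. The shell functions below are an added example, not part of p0f or its documentation: they summarise such a log into hits per reported OS and the distinct unknown signatures that -U would otherwise hide (the candidates for new fingerprint entries, which -C then checks). The record layout they parse is an assumption about p0f v2 -l output, stated in the comments; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of p0f. Summarises a p0f v2 log written with
# -o/-l (one record per line). ASSUMED record layout (verify against your
# own log before trusting the numbers):
#   [<timestamp> ]SRC:PORT - OS TEXT [(up: N hrs)] -> DST:PORT (distance N, link: TYPE)
#   [<timestamp> ]SRC:PORT - UNKNOWN [SIGNATURE] [(up: N hrs)] -> DST:PORT (...)
# A leading "<...> " timestamp (from -t) is stripped if present.

# Hits per reported OS, most frequent first; unknown signatures are
# collapsed into one "UNKNOWN" bucket. Reads the log on stdin.
p0f_os_counts() {
    awk '
        {
            sub(/^<[^>]*> /, "")                    # drop -t timestamp
            i = index($0, " - "); if (i == 0) next  # not a fingerprint record
            os = substr($0, i + 3)
            j = index(os, " -> "); if (j == 0) next
            os = substr(os, 1, j - 1)               # keep only the OS text
            sub(/ \(up: [0-9]+ hrs\)$/, "", os)     # drop the uptime hint
            if (index(os, "UNKNOWN [") == 1) os = "UNKNOWN"
            count[os]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Distinct (source host, raw signature) pairs for records p0f could not
# match: these are the candidates for new p0f.fp entries (see -C).
p0f_unknown_sigs() {
    awk '
        {
            sub(/^<[^>]*> /, "")
            i = index($0, " - UNKNOWN ["); if (i == 0) next
            src = substr($0, 1, i - 1); sub(/:[0-9]+$/, "", src)  # strip port
            sig = substr($0, i + 12); sub(/\].*$/, "", sig)        # up to "]"
            print src, sig
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample log (not real capture data).
SAMPLE_LOG='192.168.1.5:34567 - Linux 2.6 (newer, 1) (up: 12 hrs) -> 10.0.0.1:80 (distance 0, link: ethernet/modem)
<Sat Jan 10 12:00:01 2004> 192.168.1.7:51002 - Windows XP SP1+, 2000 SP3 -> 10.0.0.1:80 (distance 1, link: ethernet/modem)
203.0.113.9:4410 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] (up: 3 hrs) -> 10.0.0.1:80 (distance 14, link: ethernet/modem)
192.168.1.5:34590 - Linux 2.6 (newer, 1) (up: 12 hrs) -> 10.0.0.1:443 (distance 0, link: ethernet/modem)
203.0.113.9:4411 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] (up: 3 hrs) -> 10.0.0.1:22 (distance 14, link: ethernet/modem)'

# Run both summaries over the sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | p0f_os_counts
printf '%s\n' "$SAMPLE_LOG" | p0f_unknown_sigs
```

To use it on a real log, replace the sample with `p0f_os_counts < /var/log/p0f.log`; the parsing is deliberately anchored on the " - " and " -> " separators rather than field positions so that OS strings containing spaces and commas survive.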
       The last part, 'filter rule', is a bpf-style filter expression for
       incoming packets. It is very useful for excluding or including
       certain networks, hosts, or specific packets in the logfile. See man
       tcpdump for more information; a few examples:

              'src port ftp-data'

              'not dst net 10.0.0.0 mask 255.0.0.0'

              'dst port 80 and ( src host 195.117.3.59 or src host 217.8.32.51 )'

       You can also use a companion log report utility for p0f. Simply run
       'p0frep' for help.
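The pieces described above (-d with its required -o, -u for dropping privileges, -Q for the query socket, and a filter rule) fit together into a small start-up wrapper. The script below is an added example, not part of p0f or its documentation; the account name, interface, paths and filter rule are assumptions to adjust. Its one runnable check demonstrates the point of the -Q NOTE: a filesystem object created under umask 077 is reachable only by its owner, which is what the socket gets if the umask is set before p0f starts.

```shell
#!/bin/sh
# Added example, not part of p0f: start p0f as a daemon with reduced
# exposure. All of these values are assumptions for illustration.
P0F_USER="p0f"                  # unprivileged account with an empty home (-u)
P0F_IFACE="eth0"                # capture interface (-i)
P0F_LOG="/var/log/p0f.log"      # required by -d (-o)
P0F_SOCK="/var/run/p0f-sock"    # query socket (-Q)
# tcpdump-style filter rule: only connections to the web server, ignoring
# the internal 10/8 network (same syntax as the examples in this man page).
P0F_FILTER="dst port 80 and not src net 10.0.0.0 mask 255.0.0.0"

# Create a filesystem object under umask 077 and report its mode bits.
# p0f creates the -Q socket with the umask in effect, so this is the
# permission the socket would get (-rw------- : owner only).
umask_demo() {
    tmp="${TMPDIR:-/tmp}/p0f-umask-demo.$$"
    ( umask 077; : > "$tmp" )
    ls -ld "$tmp" | cut -c1-10
    rm -f "$tmp"
}

# Start p0f detached (-d needs -o), one record per line with timestamps
# (-l -t), genre only (-N -D), privileges dropped to $P0F_USER after the
# log and socket are open (-u). umask 077 in the subshell keeps the socket
# owner-only; since p0f binds it before switching user, that owner is the
# account p0f starts as (normally root), so chown it afterwards if another
# service needs to query it.
p0f_start() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root: p0f needs raw capture" >&2; return 1; }
    command -v p0f >/dev/null || { echo "p0f not found" >&2; return 1; }
    ( umask 077
      p0f -d -o "$P0F_LOG" -u "$P0F_USER" -i "$P0F_IFACE" -Q "$P0F_SOCK" \
          -l -t -N -D "$P0F_FILTER" )
}

# Usage: sh p0f-start.sh start   (anything else only runs the umask demo)
case "${1:-}" in
    start) p0f_start ;;
    *)     umask_demo ;;
esac
```

The filter rule is passed as a single quoted argument, exactly as in the examples above, so that libpcap receives the whole expression; splitting it into words would make p0f see only the first one.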
242
SECURITY
       p0f, due to its simplicity, is believed to be considerably more
       secure than other software that is often run for packet capture
       (tcpdump, Ettercap, Ethereal, etc). Please follow the security
       guidelines posted in the documentation supplied with the package.

BUGS
       You need to consult the documentation for an up-to-date list of
       issues.

FILES
       /etc/p0f/p0f.fp /etc/p0f/p0fa.fp /etc/p0f/p0fr.fp /etc/p0f/p0fo.fp
              default fingerprint database files

AUTHOR
       p0f was written by Michal Zalewski <lcamtuf@coredump.cx>. This man
       page was originally written by William Stearns <wstearns@pobox.com>,
       then adapted for p0f v2 by Michal Zalewski.