NAME
p0f - identify remote systems passively
SYNOPSIS
p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket
[ -0 ] ] [ -w file ] [ -u user ] [ -c size ] [ -T nn ] [ -e nn ] [
-FNODVUKAXMqxtpdlRL ] [ 'filter rule' ]
DESCRIPTION
p0f uses a fingerprinting technique based on analyzing the structure of a
TCP/IP packet to determine the operating system and other configuration
properties of a remote host. The process is completely passive and does not
generate any suspicious network traffic. The other host has to either:
- connect to your network - either spontaneously or in an induced manner, for
example when trying to establish an ftp data stream, returning a bounced mail,
performing an auth lookup, using IRC DCC, following an external html mail image
reference and so on,
- or be contacted by some entity on your network using some standard means (such
as web browsing); it can either accept or refuse the connection.
The method can see through packet firewalls and does not have the restrictions of
active fingerprinting. The main uses of passive OS fingerprinting are
attacker profiling (IDS and honeypots), visitor profiling (content
optimization), customer/user profiling (policy enforcement), pen-testing, etc.
OPTIONS
- -f file
- read fingerprints from file; by default, p0f reads
signatures from ./p0f.fp or /etc/p0f/p0f.fp (the latter on Unix systems
only). You can use this to load custom fingerprint data. Specifying
multiple -f values will NOT combine several signature files together.
- -i device
- listen on this device; p0f defaults to whatever device
libpcap considers to be the best (and which often isn't). On some newer
systems you might be able to specify 'any' to listen on all devices, but
don't rely on this. Specifying multiple -i values will NOT cause p0f to
listen on several interfaces at once.
- -s file
- read packets from a tcpdump snapshot; this is an alternate
mode of operation, in which p0f reads packets from a pcap data capture file
instead of a live network. Useful for forensics (this will parse tcpdump
-w output, for example).
You can use Ethereal's text2pcap to convert human-readable packet traces to
pcap files, if needed.
- -w file
- writes matching packets to a tcpdump snapshot, in addition
to fingerprinting; useful when it is advisable to save copies of the
actual traffic for review.
- -o file
- write to this logfile. This option is required for -d and
implies -t.
- -Q socket
- listen on a specified local stream socket (a filesystem
object, for example /var/run/p0f-sock) for queries. One can later send a
packet to this socket with p0f_query structure from p0f-query.h, and wait
for p0f_response. This is a method of integrating p0f with active services
(web server or web scripts, etc). P0f will still continue to report
signatures the usual way - but you can use -qKU combination to suppress
this. Also see -c notes.
A sample query tool (p0fq) is provided in the test/ subdirectory. There is
also a trivial perl implementation of a client available.
NOTE: The socket will be created with permissions corresponding to your
current umask. If you want to restrict access to this interface, use
caution.
- -0
- treat source port 0 in remote queries as a wildcard: find
any record for that host. This is useful when developing plugins for
programs that do not pass source port information to the subsystem that
uses p0f queries; note that this introduces some ambiguity, and the
returned match might be not for the exact connection in question (-Q mode
only).
- -e ms
- packet capture window. On some systems (particularly on
older Suns), the default pcap capture window of 1 ms is insufficient, and
p0f may get no packets. In such a case, adjust this parameter to the
smallest value that results in reliable operation (note that this might
introduce some latency to p0f).
- -c size
- cache size for -Q and -M options. The default is 128, which is sane for
a system under a moderate network load. Setting it too high will slow down
p0f and may result in some -M false positives for dial-up nodes, dual-boot
systems, etc. Setting it too low will result in cache misses for the -Q
option. To choose the right value, use the number of connections on average
per the interval of time you want to cache, then pass it to p0f with -c.
P0f, when run without -q, also reports the average packet ratio on exit. You
can use this to determine the optimal -c setting. This option has no effect
if you use neither -Q nor -M.
- -u user
- this option forces p0f to chroot to this user's home
directory after reading configuration data and binding to sockets, then to
switch to his UID, GID and supplementary groups.
This is a security feature for the paranoid - when running p0f in daemon
mode, you might want to create a new unprivileged user with an empty home
directory, and limit the exposure when p0f is compromised. That said,
should such a compromise occur, the attacker will still have a socket he
can use for sniffing some network traffic (better than rm -rf /).
- -N
- inhibit guesswork; do not report distances and link media.
With this option, p0f logs only source IP and OS data.
- -F
- deploy fuzzy matching algorithm if no precise matches are
found (currently applies to TTL only). This option is not recommended for
RST+ mode.
- -D
- do not report OS details (just genre). This option is
useful if you don't want p0f to elaborate on OS versions and such (combine
with -N).
- -U
- do not display unknown signatures. Use this option if you
want to keep your log file clean and are not interested in hosts that are
not recognized.
- -K
- do not display known signatures. This option is useful when
you run p0f recreationally and want to spot UFOs, or in -Q or -M modes
when combined with -U to inhibit all output.
- -q
- be quiet - do not display banners and keep a low profile.
- -p
- switch card to promiscuous mode; by default, p0f listens
only to packets addressed or routed thru the machine it runs on. This
setting might decrease performance, depending on your network design and
load. On switched networks, this usually has little or no effect.
Note that promiscuous mode on IP-enabled interfaces can be detected
remotely, and is sometimes not welcome by network administrators.
- -t
- add human-readable timestamps to every entry (use multiple
times to change date format, a la tcpdump).
- -d
- go into daemon mode (detach from current terminal and fork
into background). Requires -o.
- -l
- outputs data in line-per-record style (easier to grep).
- -A
- a semi-supported option for SYN+ACK mode. This option will
cause p0f to fingerprint systems you connect to, as opposed to systems
that connect to you (default). With this option, p0f will look for p0fa.fp
file instead of the usual p0f.fp. The usual config is NOT SUITABLE for
this mode.
The SYN+ACK signature database is sort of small at the moment, but suitable
for many uses. Feel free to contribute.
- -R
- a barely-supported option for RST+ mode. This option will
prompt p0f to fingerprint several different types of traffic, most
importantly "connection refused" and "timeout" messages.
This mode is similar to SYN+ACK (-A), except that the program will now look
for p0fr.fp. The usual config is NOT SUITABLE for this mode. You may have
to familiarize yourself with p0fr.fp before using it.
- -O
- absolutely experimental open connection (stray ACK)
fingerprinting mode. In this mode, p0f will attempt to indiscriminately
identify OS on all packets within an already established connection.
The only use of this mode is to perform an immediate fingerprinting of an
existing session. Because of the sheer amount of output, you are advised
against running p0f in this mode for extended periods of time.
The program will use p0fo.fp file to read fingerprints. The usual config is
NOT SUITABLE for this mode. Do not use unless you know what you are doing.
NOTE: The p0fo.fp database is very sparsely populated at the moment.
- -r
- resolve host names; this mode is MUCH slower and poses some
security risk. Do not use except for interactive runs or low traffic
situations. NOTE: the option ONLY resolves IP address into a name, and
does not perform any checks for matching reverse DNS. Hence, the name may
be spoofed - do not rely on it without checking twice.
- -C
- perform collision check on signatures prior to running.
This is an essential option whenever you add new signatures to .fp files,
but is not necessary otherwise.
- -x
- dump full packet contents; this option is not compatible
with -l and is intended for debugging and packet comparison only.
- -X
- display packet payload; rarely, control packets we examine
may carry a payload. This is a bug for the default (SYN) and -A (SYN+ACK)
modes, but is (sometimes) acceptable in -R (RST+) mode.
- -M
- deploy masquerade detection algorithm. The algorithm looks
over recent (cached) hits and looks for indications of multiple systems
being behind a single gateway. This is useful on routers and such to
detect policy violations. Note that this mode is somewhat slower due to
caching and lookups. Use with caution (or do not use at all) in modes
other than default (SYN).
- -T nn
- masquerade detection threshold; only meaningful with -M,
sets the threshold for masquerade reporting.
- -V
- use verbose masquerade detection reporting. This option
describes the status of all indicators, not only an overall value.
- -v
- enable support for 802.1Q VLAN tagged frames. Available on
some interfaces; on others, it will result in a BPF error.
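The -Q query interface described above, as an added example client that is not part of the p0f package or this man page: it packs a p0f_query, sends it to the local socket and decodes the p0f_response. The constants and struct layouts (QUERY_MAGIC, field order, native alignment) are assumed from the p0f 2.x p0f-query.h and must be checked against the header shipped with your version; the socket path and addresses are placeholders.

```python
import socket
import struct

# Constants and layouts assumed from the p0f 2.x p0f-query.h; verify against your copy.
QUERY_MAGIC = 0x0DEFACED
QTYPE_FINGERPRINT = 1
RESP_NAMES = {0: "ok", 1: "badquery", 2: "nomatch"}
# Native ("@") layouts: p0f leaves the structs unpacked and the socket is local,
# so client and daemon share one ABI, padding included.
QUERY_FMT = "@IBIIIHH"  # magic, type, id, src_ad, dst_ad, src_port, dst_port
RESP_FMT = "@IIB20s40sb30s30sBBBhHi"  # magic, id, type, genre, detail, dist,
#                                       link, tos, fw, nat, real, score, mflags, uptime

def _ip_to_u32(ip: str) -> int:
    """Keep the address bytes in wire order, as p0f copies them from the IP header."""
    return struct.unpack("=I", socket.inet_aton(ip))[0]

def _cstr(raw: bytes) -> str:
    """Fixed-width NUL-terminated C string -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def build_query(qid, src_ip, src_port, dst_ip, dst_port) -> bytes:
    """Serialise a p0f_query: src is the remote peer, dst the local address it connected to."""
    return struct.pack(QUERY_FMT, QUERY_MAGIC, QTYPE_FINGERPRINT, qid,
                       _ip_to_u32(src_ip), _ip_to_u32(dst_ip), src_port, dst_port)

def parse_response(buf: bytes) -> dict:
    """Decode a p0f_response; reject truncated data or a foreign magic value."""
    if len(buf) < struct.calcsize(RESP_FMT):
        raise ValueError("short p0f_response")
    (magic, qid, rtype, genre, detail, dist, link, tos,
     fw, nat, real, score, mflags, uptime) = struct.unpack_from(RESP_FMT, buf)
    if magic != QUERY_MAGIC:
        raise ValueError("bad magic in p0f_response")
    return {"id": qid, "status": RESP_NAMES.get(rtype, rtype), "genre": _cstr(genre),
            "detail": _cstr(detail), "dist": dist, "link": _cstr(link), "tos": _cstr(tos),
            "fw": bool(fw), "nat": bool(nat), "real": bool(real), "score": score,
            "mflags": mflags, "uptime": uptime}

def query_p0f(sock_path, src_ip, src_port, dst_ip, dst_port, qid=1) -> dict:
    """Ask a running 'p0f -Q sock_path' about one cached connection."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)  # e.g. /var/run/p0f-sock (placeholder path)
        s.sendall(build_query(qid, src_ip, src_port, dst_ip, dst_port))
        return parse_response(s.recv(struct.calcsize(RESP_FMT)))

def sample_response(qid: int) -> bytes:
    """Constructed p0f_response bytes (not captured from a real daemon) for offline tests."""
    return struct.pack(RESP_FMT, QUERY_MAGIC, qid, 0, b"Linux", b"2.4/2.6", 11,
                       b"ethernet/modem", b"", 0, 1, 1, -100, 0, -1)
```

Because the daemon only answers for connections still in its cache, a "nomatch" status is the signal to revisit the -c setting rather than a client bug.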
FILTERS
The last part, 'filter rule', is a bpf-style filter expression for incoming
packets. It is very useful for excluding or including certain networks, hosts,
or specific packets, in the logfile. See man tcpdump for more information; a
few examples:
'src port ftp-data'
'not dst net 10.0.0.0 mask 255.0.0.0'
'dst port 80 and ( src host 195.117.3.59 or src host 217.8.32.51 )'
You can also use a companion log report utility for p0f. Simply run 'p0frep' for
help.
SECURITY
P0f, due to its simplicity, is believed to be considerably more secure than other
software that is often run for packet capture (tcpdump, Ettercap,
Ethereal, etc). Please follow the security guidelines posted in the
documentation supplied with the package.
BUGS
You need to consult the documentation for an up-to-date list of issues.
FILES
- /etc/p0f/p0f.fp /etc/p0f/p0fa.fp /etc/p0f/p0fr.fp /etc/p0f/p0fo.fp
- default fingerprint database files
AUTHOR
p0f was written by Michal Zalewski <lcamtuf@coredump.cx>. This man
page was originally written by William Stearns <wstearns@pobox.com>,
then adapted for p0f v2 by Michal Zalewski.