P0f

From NSMWiki

Background

  • Official Site: http://lcamtuf.coredump.cx/p0f.shtml
  • 'p0f' is a passive OS fingerprinting tool: it identifies the operating system of hosts by inspecting the TCP/IP packets they send (SYN, SYN+ACK, RST, stray ACK), without ever sending a packet itself. See the official site for more info.
  • 'p0f' version 2.0.8, released on 2006-09-06, adds more signatures, 'p0fping', and some bugfixes.


Usage

 Usage: p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ]
        [ -w file ] [ -Q sock [ -0 ] ] [ -u user ] [ -FXVNDUKASCMROqtpvdlrx ]
        [ -c size ] [ -T nn ] [ -e nn ] [ 'filter rule' ]
   -f file   - read fingerprints from file
   -i device - listen on this device
   -s file   - read packets from tcpdump snapshot
   -o file   - write to this logfile (implies -t)
   -w file   - save packets to tcpdump snapshot
   -u user   - chroot and setuid to this user
   -Q sock   - listen on local socket for queries
   -0        - make src port 0 a wildcard (in query mode)
   -e ms     - pcap capture timeout in milliseconds (default: 1)
   -c size   - cache size for -Q and -M options
   -M        - run masquerade detection
   -T nn     - set masquerade detection threshold (1-200)
   -V        - verbose masquerade flags reporting
   -F        - use fuzzy matching (do not combine with -R)
   -N        - do not report distances and link media
   -D        - do not report OS details (just genre)
   -U        - do not display unknown signatures
   -K        - do not display known signatures (for tests)
   -S        - report signatures even for known systems
   -A        - go into SYN+ACK mode (semi-supported)
   -R        - go into RST/RST+ACK mode (semi-supported)
   -O        - go into stray ACK mode (barely supported)
   -r        - resolve host names (not recommended)
   -q        - be quiet - no banner
   -v        - enable support for 802.1Q VLAN frames
   -p        - switch card to promiscuous mode
   -d        - daemon mode (fork into background)
   -l        - use single-line output (easier to grep)
   -x        - include full packet dump (for debugging)
   -X        - display payload string (useful in RST mode)
   -C        - run signature collision check
   -t        - add timestamps to every entry

   'Filter rule' is an optional pcap-style BPF expression (man tcpdump).
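The usage text above lists the switches; the following is an added example of how a defender would combine them (it is not from the NSMWiki page or the p0f project). It assumes p0f 2.x is on PATH, that a saved capture 'capture.pcap' exists, and that the web server address in the BPF filter is a placeholder. The log lines it then summarises are constructed to mimic 'p0f -l -t' single-line output ('<timestamp> src:port - OS details (up: N hrs) -> dst:port (distance N, link: type)'); check them against your own p0f build before relying on the parser.

```shell
#!/bin/sh
# Added example, not p0f's own code or the wiki's. Assumes p0f 2.x on PATH.

# Passive run against a saved tcpdump snapshot (-s). -l gives one line per
# fingerprint, -t timestamps it, -q drops the banner, -o writes the log.
# The optional BPF rule limits fingerprinting to SYNs aimed at a web server
# (10.0.0.80 is a placeholder address, not from the page).
run_p0f() {
    pcap="$1"; out="$2"
    p0f -q -l -t -s "$pcap" -o "$out" 'tcp dst port 80 and dst host 10.0.0.80'
}

# Constructed sample log, written to mimic 'p0f -l -t' output (assumed format).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
<Wed Sep  6 12:00:01 2006> 10.0.0.5:3921 - Linux 2.6 (up: 12 hrs) -> 10.0.0.80:80 (distance 3, link: ethernet/modem)
<Wed Sep  6 12:00:02 2006> 10.0.0.7:1044 - Windows XP SP1+, 2000 SP3 -> 10.0.0.80:80 (distance 0, link: ethernet/modem)
<Wed Sep  6 12:00:03 2006> 10.0.0.5:3922 - Linux 2.6 (up: 12 hrs) -> 10.0.0.80:80 (distance 3, link: ethernet/modem)
<Wed Sep  6 12:00:04 2006> 10.0.0.7:1045 - Linux 2.4 (up: 40 hrs) -> 10.0.0.80:80 (distance 0, link: ethernet/modem)
<Wed Sep  6 12:00:05 2006> 10.0.0.9:5000 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W0:.:?:?] -> 10.0.0.80:80 (distance 2, link: ethernet/modem)
EOF

# Summarise a single-line p0f log as "src_ip<TAB>os<TAB>count", one line per
# (source, OS) pair. The timestamp is stripped first, then the record is split
# on the " - " and " -> " separators so spaces inside OS names survive.
summarise() {
    sed 's/^<[^>]*> //' "$1" |
    awk -F' - | -> ' '
        NF >= 3 {
            split($1, a, ":"); src = a[1]        # drop the source port
            os = $2
            sub(/ \(up:.*$/, "", os)             # drop the uptime estimate
            if (os ~ /^UNKNOWN/) os = "UNKNOWN"  # collapse raw signatures
            n[src "\t" os]++
        }
        END { for (k in n) printf "%s\t%d\n", k, n[k] }' |
    LC_ALL=C sort
}

# Hosts seen with more than one OS fingerprint: worth a look, since a single
# address answering as two operating systems often means NAT or a masquerading
# gateway (compare p0f's own -M detector).
multi_os_hosts() {
    summarise "$1" |
    awk -F'\t' '{ seen[$1]++ } END { for (h in seen) if (seen[h] > 1) print h }' |
    LC_ALL=C sort
}

# Stand-alone run: show the inventory built from the constructed sample.
summarise "$SAMPLE_LOG"
echo "hosts with multiple fingerprints:"
multi_os_hosts "$SAMPLE_LOG"
```

Run it against a real log by calling 'run_p0f capture.pcap p0f.log' and then 'summarise p0f.log'; the counts give a per-host OS inventory you can diff against your asset list, and 'multi_os_hosts' points at addresses whose fingerprint is not stable.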


Various p0f related links