P0f
From NSMWiki
Background
- Official Site: http://lcamtuf.coredump.cx/p0f.shtml
- 'p0f' is a passive network scanner, able to fingerprint an OS without ever sending a packet. See official site for more info.
- 'p0f' version 2.0.8 released on 2006-09-06, adds more signatures, 'p0fping', and some bugfixes.
Usage
Usage: p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ]
[ -w file ] [ -Q sock [ -0 ] ] [ -u user ] [ -FXVNDUKASCMROqtpvdlrx ]
[ -c size ] [ -T nn ] [ -e nn ] [ 'filter rule' ]
-f file - read fingerprints from file
-i device - listen on this device
-s file - read packets from tcpdump snapshot
-o file - write to this logfile (implies -t)
-w file - save packets to tcpdump snapshot
-u user - chroot and setuid to this user
-Q sock - listen on local socket for queries
-0 - make src port 0 a wildcard (in query mode)
-e ms - pcap capture timeout in milliseconds (default: 1)
-c size - cache size for -Q and -M options
-M - run masquerade detection
-T nn - set masquerade detection threshold (1-200)
-V - verbose masquerade flags reporting
-F - use fuzzy matching (do not combine with -R)
-N - do not report distances and link media
-D - do not report OS details (just genre)
-U - do not display unknown signatures
-K - do not display known signatures (for tests)
-S - report signatures even for known systems
-A - go into SYN+ACK mode (semi-supported)
-R - go into RST/RST+ACK mode (semi-supported)
-O - go into stray ACK mode (barely supported)
-r - resolve host names (not recommended)
-q - be quiet - no banner
-v - enable support for 802.1Q VLAN frames
-p - switch card to promiscuous mode
-d - daemon mode (fork into background)
-l - use single-line output (easier to grep)
-x - include full packet dump (for debugging)
-X - display payload string (useful in RST mode)
-C - run signature collision check
-t - add timestamps to every entry
'Filter rule' is an optional pcap-style BPF expression (man tcpdump).
