.TH P0F 1
.SH NAME
p0f \- identify remote systems passively
.SH SYNOPSIS
.B p0f
.I [ \-f file ] [ \-i device ] [ \-r file ] [ \-o file ] [ \-s socket ] [ \-u user ] [ \-S limit ] [ \-t c,h ] [ \-m c,h ] [ \-pdL ] [ 'filter rule' ]
.br
.SH "DESCRIPTION"
.PP
.B p0f
uses a fingerprinting technique based on analyzing the structure of a TCP/IP
packet to determine the operating system and other configuration properties
of a remote host. The process is completely passive and does not generate
any suspicious network traffic. The other host has to either:
.IP \- 3
connect to your network, either spontaneously or in an induced manner, for
example when trying to establish an FTP data stream, returning a bounced
mail, performing an auth lookup, using IRC DCC, following an external HTML
image reference in a mail, and so on,
.IP \- 3
or be contacted by some entity on your network using some standard means
(such as web browsing); it can either accept or refuse the connection.
.PP
The method can see through packet firewalls and does not have the restrictions
of active fingerprinting. The main uses of passive OS fingerprinting
are attacker profiling (IDS and honeypots), visitor profiling (content
optimization), customer/user profiling (policy enforcement), pen\-testing,
etc.
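.PP
To make the technique described above concrete, the following is an added
example, not part of p0f or of this manual: a small Python script that pulls
the fields passive fingerprinters key on (initial TTL estimate, window size,
DF bit, MSS, window scale and TCP option order) out of a raw IPv4/TCP SYN and
matches them against a tiny signature table. The packets and the signature
table are constructed for illustration and are not taken from p0f's p0f.fp
database; the function and signature names are the example's own.

```python
"""Minimal passive TCP/IP SYN fingerprint extractor (added example, not p0f code)."""
import struct

# Constructed, illustrative signature table: NOT p0f's p0f.fp format or data.
# (name, initial_ttl, window, df, mss, wscale, option_order)
SIGNATURES = [
    ("generic-linux (constructed)", 64, 29200, True, 1460, 7, "mss,sok,ts,nop,ws"),
    ("generic-windows (constructed)", 128, 8192, True, 1460, 8, "mss,nop,ws,nop,nop,sok"),
]

OPT_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}  # TCP option kinds we label


def guess_initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for init in (32, 64, 128, 255):
        if ttl <= init:
            return init
    return 255


def parse_syn(pkt: bytes) -> dict:
    """Extract fingerprint-relevant fields from a raw IPv4 + TCP SYN packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, _tlen, _id, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(frag & 0x4000)                       # "don't fragment" bit
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    _sp, _dp, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if not (flags & 0x02) or (flags & 0x10):       # want SYN set, ACK clear
        raise ValueError("not a bare SYN")
    opts = tcp[20:doff]
    mss = wscale = None
    order = []
    i = 0
    while i < len(opts):                           # walk the TCP option TLVs
        kind = opts[i]
        if kind == 0:                              # end of option list
            order.append("eol")
            break
        if kind == 1:                              # NOP padding
            order.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        data = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", data)[0]
        elif kind == 3 and length == 3:
            wscale = data[0]
        order.append(OPT_NAMES.get(kind, f"opt{kind}"))
        i += length
    return {"ttl": ttl, "initial_ttl": guess_initial_ttl(ttl), "window": window,
            "df": df, "mss": mss, "wscale": wscale, "options": ",".join(order)}


def match(fp: dict):
    """Return the first signature name whose fields equal the parsed fingerprint."""
    key = (fp["initial_ttl"], fp["window"], fp["df"], fp["mss"], fp["wscale"], fp["options"])
    for name, *sig in SIGNATURES:
        if tuple(sig) == key:
            return name
    return None


def build_syn(ttl: int, window: int, df: bool, options: bytes) -> bytes:
    """Construct a raw IPv4/TCP SYN for testing (checksums left zero)."""
    tcp_len = 20 + len(options)
    assert tcp_len % 4 == 0, "options must pad the TCP header to a 32-bit boundary"
    off_flags = ((tcp_len // 4) << 12) | 0x02      # data offset + SYN flag
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, window, 0, 0) + options
    frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, frag, ttl, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))  # constructed addresses
    return ip + tcp


# Constructed sample SYNs: observed TTL is a few hops below the initial value.
LINUX_SYN = build_syn(52, 29200, True,
                      b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
                      + b"\x01" + b"\x03\x03\x07")
WINDOWS_SYN = build_syn(117, 8192, True,
                        b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01"
                        + b"\x04\x02")

if __name__ == "__main__":
    for pkt in (LINUX_SYN, WINDOWS_SYN):
        fp = parse_syn(pkt)
        print(fp, "->", match(fp))
```
.PP
The script only illustrates the principle: real databases such as p0f.fp
carry many more fields and fuzzier matching rules, and the TTL estimate in
particular is a guess that a hop count or a deliberately altered stack can
throw off.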
.SH OPTIONS
.TP
\fB\-f\fR file
read fingerprints from file; by default, p0f reads signatures
from ./p0f.fp or /etc/p0f/p0f.fp (the latter on Unix systems
only). You can use this to load custom fingerprint data.
Specifying multiple \-f values will NOT combine several signature
files together.
.TP
\fB\-i\fR device
listen on this device; p0f defaults to whatever device libpcap
considers to be the best (and which often isn't). On some newer
systems you might be able to specify 'any' to listen on all
devices, but don't rely on this. Specifying multiple \-i values
will NOT cause p0f to listen on several interfaces at once.
.TP
\fB\-r\fR file
read packets from a tcpdump snapshot; this is an alternate
mode of operation, in which p0f reads packets from a pcap
capture file instead of a live network. Useful for
forensics (this will parse tcpdump \-w output, for example).
You can use Ethereal's text2pcap to convert human\-readable
packet traces to pcap files, if needed.
.TP
\fB\-o\fR file
write to this logfile. This option is required for \-d and
implies \-t.
.TP
\fB\-s\fR socket
listen on a specified local stream socket (a filesystem object,
for example /var/run/p0f\-sock) for queries. One can later send a
packet to this socket with a p0f_query structure from p0f\-query.h,
and wait for a p0f_response. This is a method of integrating p0f
with active services (web servers or web scripts, etc.). p0f will
still continue to report signatures the usual way \- but you can
use the \-qKU combination to suppress this. Also see the \-c notes.
A sample query tool (p0f-client) is provided in the tools/
subdirectory.
.br
NOTE: The socket will be created with permissions corresponding
to your current umask. If you want to restrict access to this
interface, use caution.
.TP
\fB\-u\fR user
this option forces p0f to chroot to this user's home directory
after reading configuration data and binding to sockets, then to
switch to that user's UID, GID and supplementary groups.
This is a security feature for the paranoid \- when running
p0f in daemon mode, you might want to create a new
unprivileged user with an empty home directory, to limit the
exposure should p0f be compromised. That said, if such a
compromise occurs, the attacker will still have a socket they can
use for sniffing some network traffic (better than rm \-rf /).
.TP
\fB\-p\fR
switch the card to promiscuous mode; by default, p0f listens
only to packets addressed to or routed through the machine it
runs on. This setting might decrease performance, depending
on your network design and load. On switched networks,
this usually has little or no effect.
Note that promiscuous mode on IP\-enabled interfaces can be
detected remotely, and is sometimes not welcome by network
administrators.
.TP
\fB\-d\fR
go into daemon mode (detach from current terminal and fork into
background). Requires \-o or \-s.
.TP
\fB\-L\fR
lists all available interfaces, then quits. Particularly useful on
Windows, where the system-generated interface names are impossible
to memorize.
.TP
\fB\-S\fR limit
Limit number of parallel API connections (default: 20)
.TP
\fB\-t\fR c,h
Set connection / host cache age limits (default: 30s,120m)
.TP
\fB\-m\fR c,h
Limit the number of active connections / hosts (default: 1000,10000)
.SH FILTERS
The last part, 'filter rule', is a bpf\-style filter expression for
incoming packets. It is very useful for excluding or including certain
networks, hosts, or specific packets in the logfile. See man tcpdump for
more information; a few examples:
.PP
\'src port ftp\-data\'
.br
\'not dst net 10.0.0.0 mask 255.0.0.0\'
.br
\'dst port 80 and ( src host 195.117.3.59 or src host 217.8.32.51 )\'
.SH BUGS
You need to consult the documentation for an up\-to\-date list of issues.
.SH FILES
.TP
.BI /etc/p0f/p0f.fp
default fingerprint database file
.SH AUTHOR
.B p0f
was written by Michal Zalewski <lcamtuf@coredump.cx>. This man page was
originally written by William Stearns <wstearns@pobox.com>, then
adapted for p0f v2 by Michal Zalewski, and for p0f v3 by Pierre Chifflier.