To do this, you simply need to attempt to establish a connection to a box running p0f. The connection does not need to succeed. The current database is minimal, so all contributions are welcome. To collect these signatures, you need to compile the supplied p0f-sendsyn tool, and then use it to initiate a connection to an open port on a remote host; see README for more.
HTTP request signatures, especially for older or more exotic browsers (e.g. MSIE5), mobile devices, gaming consoles, crawlers, command-line tools, and libraries. To collect a signature, you can run p0f on the client system itself, or on the web server it talks to.
HTTP response signatures. P0f ships with a minimal database here (only Apache 2). Signatures are best collected for three separate cases: several minutes of casual browsing with a modern browser; a request with curl; and another one with wget.
Just show me how it works, OK? Not all capabilities of p0f can be showcased here, and as noted, this release candidate still has a relatively small database of fingerprints.
You probably need to run the tool as root. Some of the most common use cases:
Command-line options may be followed by a single parameter containing a pcap-style traffic filtering rule. This allows you to reject some of the less interesting packets for performance or privacy reasons. Simple examples include: 'dst net
API access
The API allows other applications running on the same system to get p0f's current opinion about a particular host. This is useful for integrating it with spam filters, web apps, and so on. The queries will be answered in the order they are received. Note that there is no response caching, nor any software limits in place on the p0f end, so it is your responsibility to write reasonably well-behaved clients. Queries have exactly 21 bytes. The format is:
- Magic dword 0x , in native endian of the platform.
IPv4 addresses should be aligned to the left. To such a query, p0f responds with:
- Another magic dword 0x , native endian.
Zero if not known. Zero if never detected. The value of 1 means an OS difference (possibly due to proxying), while 2 means an outright mismatch. NOTE: If the host is first seen using a known system and then switches to an unknown one, this field is not reset.
May be empty if no data. A simple reference implementation of an API client is provided in p0f-client. Developers using the API should be aware of several important constraints:
- The maximum number of simultaneous API connections is capped; the limit may be adjusted with the -S parameter, but rampant parallelism may lead to poorly controlled latency. Consider a single query pipeline, possibly with prioritization and caching.
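The 21-byte query and the fixed-size reply described above, as an added client example that is not p0f's own p0f-client: the magic dwords, the status codes, the full field order of the reply, and the -s socket option are assumed from p0f v3's api.h and usage text rather than taken from this page, which elides the numeric values.

```python
import socket
import struct

# Values assumed from p0f v3's api.h (the text above elides them), not taken from this page.
P0F_QUERY_MAGIC = 0x50304601
P0F_RESP_MAGIC = 0x50304602
P0F_ADDR_IPV4, P0F_ADDR_IPV6 = 0x04, 0x06
P0F_STATUS = {0x00: "badquery", 0x10: "ok", 0x20: "nomatch"}
# '=' keeps native byte order with no padding. Query: magic, address type, 16-byte address
# (21 bytes); reply: magic, status, seven u32 counters, s16 distance, bad_sw, os_match_q,
# then six NUL-padded 32-byte strings (232 bytes, layout assumed from api.h).
QUERY_FMT = "=IB16s"
RESP_FMT = "=IIIIIIIIIhBB32s32s32s32s32s32s"
RESP_LEN = struct.calcsize(RESP_FMT)

def build_query(ip: str) -> bytes:
    """Encode one query; IPv4 addresses are left-aligned in the 16-byte field."""
    try:
        raw, kind = socket.inet_pton(socket.AF_INET, ip), P0F_ADDR_IPV4
    except OSError:
        raw, kind = socket.inet_pton(socket.AF_INET6, ip), P0F_ADDR_IPV6
    return struct.pack(QUERY_FMT, P0F_QUERY_MAGIC, kind, raw.ljust(16, b"\0"))

def parse_response(data: bytes) -> dict:
    """Decode a reply, refusing anything of the wrong length or magic."""
    if len(data) != RESP_LEN:
        raise ValueError("unexpected p0f response length %d" % len(data))
    f = struct.unpack(RESP_FMT, data)
    if f[0] != P0F_RESP_MAGIC:
        raise ValueError("bad response magic 0x%08x" % f[0])
    strs = [s.split(b"\0", 1)[0].decode("ascii", "replace") for s in f[12:]]
    return {"status": P0F_STATUS.get(f[1], "unknown"), "first_seen": f[2],
            "last_seen": f[3], "total_conn": f[4], "uptime_min": f[5],   # zero if not known
            "up_mod_days": f[6], "last_nat": f[7], "last_chg": f[8],     # zero if never detected
            "distance": f[9], "bad_sw": f[10], "os_match_q": f[11],      # bad_sw: 1 proxy?, 2 mismatch
            "os_name": strs[0], "os_flavor": strs[1], "http_name": strs[2],
            "http_flavor": strs[3], "link_type": strs[4], "language": strs[5]}

def query_host(sock_path: str, ip: str) -> dict:
    """One request/reply over the Unix socket p0f exposes when started with -s."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_query(ip))
        buf = b""
        while len(buf) < RESP_LEN:                 # a reply may arrive in pieces
            chunk = s.recv(RESP_LEN - len(buf))
            if not chunk:
                raise ConnectionError("p0f closed the socket before replying")
            buf += chunk
    return parse_response(buf)
```

Because p0f does no caching and enforces no client-side limits, a wrapper like this is the place to add a single query pipeline and a short-lived cache if the application issues many lookups.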
You should look at your traffic stats and see if the defaults are suitable. You should also keep in mind that whenever you are subject to an ongoing DDoS or SYN spoofing DoS attack, p0f may end up dropping entries faster than you could query for them. It's that or running out of memory, so don't fret. The timeout is adjustable with -t, but you should not use the API to obtain ancient data; if you routinely need to go back hours or days, parse the logs instead of wasting RAM.
Fingerprint database
Whenever p0f obtains a fingerprint from the observed traffic, it defers to the data read from p0f.
The fingerprint database is a simple text file where lines starting with ; are ignored. Section identifiers are enclosed in square brackets, like so: [module:direction]
module - the name of the fingerprinting module e.
The 'direction' part is omitted for MTU signatures, as they work equally well both ways. The goal there is to give an answer slightly better than "unknown", but less precise than what the user may be expecting. Normal, reasonably specific signatures that can't be radically improved should have their type specified as 's', while generic, last-resort ones should be tagged with 'g'.
Note that generic signatures are considered only if no specific matches are found in the database. To assist with this, OS-specific signatures should specify the OS architecture family here e.
Other signatures, such as HTTP, should use '!
NOTE: To avoid variations e.
Can be the version of the identified software, or a description of what the application seems to be doing e.
P0f uses labels to group similar signatures that may plausibly be generated by the same system or application, and they should not be considered a strong signal for NAT detection. To further assist the tool in deciding which OS and application combinations are reasonable, and which ones are indicative of foul play, any 'label' line for applications class '!
All sections except for 'name' are omitted for [mtu] signatures, which do not convey any OS-specific information and just describe link types. Almost all operating systems use 64, , or ; ancient versions of Windows sometimes used 32, and several obscure systems sometimes resort to odd values. Consider using traceroute to check that the distance is accurate, then sum up the values.
A handful of userspace tools will generate random TTLs. In these cases, determine the maximum initial TTL and then add a - suffix to the value to avoid confusion. Usually zero for normal IPv4 traffic; always zero for IPv6 due to the limitations of libpcap. In this case, MSS will be used to guess the type of network hookup according to the [mtu] rules.
If the value is outside that range, you can probably copy it literally. Can be expressed as a fixed value, but many operating systems set it to a multiple of MSS or MTU, or a multiple of some random integer.
If frequent variations are seen, look for obvious patterns. Many systems alternate between 2 or 3 scaling factors, in which case it's better to have several 'sig' lines rather than a wildcard. This is one of the most valuable TCP fingerprinting signals.
The packets we fingerprint right now normally have no payloads, but some corner cases exist. To gather new SYN 'request' signatures, simply connect to the fingerprinted system, and p0f will provide you with the necessary data.
This list should specify OS names that should be looked for within the User-Agent string if the string is otherwise deemed to be honest. This input is not used for fingerprinting, but aids NAT detection in some useful ways. The names have to match the names used in 'sig' specifiers across p0f.
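A small loader for the database layout described above, as an added example rather than p0f's own parser: the ';' comments, [module:direction] headers, 'label' types 's'/'g', the '!' application class, the TTL '-' suffix and the [mtu] link-type entries follow the text; the exact TCP 'sig' field order (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass) and the 'sys' keyword for the User-Agent OS list are assumed from p0f v3's p0f.fp, and the sample fragment is constructed for this example.

```python
# Constructed sample fragment (not the shipped p0f.fp); the ';' comments, [module:direction]
# headers and label/sig/sys lines follow the text above. The TCP 'sig' field order
# ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass is assumed from p0f v3's p0f.fp.
SAMPLE_FP = """
; comment lines are ignored
[mtu]
label = Ethernet or modem
sig   = 576
[tcp:request]
label = s:unix:Linux:3.x
sig   = *:64:0:*:mss*10,4:mss,sok,ts,nop,ws:df,id+:0
label = g:win:Windows:NT kernel
sig   = *:128-:0:*:*,*:mss,nop,ws,nop,nop,sok:df,id+:0
[http:request]
label = s:!:curl:
sys   = @unix,Windows
"""

def parse_tcp_sig(raw: str) -> dict:
    """Split a TCP sig; a '-' after the TTL marks a random-TTL (maximum initial) value."""
    ver, ittl, olen, mss, win, olayout, quirks, pclass = raw.split(":")
    wsize, scale = win.split(",")
    return {"ver": ver, "ittl": int(ittl.rstrip("-")), "ttl_random": ittl.endswith("-"),
            "olen": int(olen), "mss": mss, "wsize": wsize, "scale": scale,
            "olayout": olayout.split(","), "quirks": quirks.split(",") if quirks else [],
            "pclass": pclass}

def parse_fp(text: str) -> dict:
    """Return {(module, direction): [entry, ...]}; 'g' entries are last-resort matches."""
    db, section, cur = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):          # [mtu] has no direction part
            module, _, direction = line[1:-1].partition(":")
            section, cur = (module, direction or None), None
            db.setdefault(section, [])
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if key == "label":                # [mtu] labels are just a link-type name
            t, c, n, f = val.split(":", 3) if section[0] != "mtu" else ("s", "mtu", val, "")
            cur = {"type": t, "class": c, "name": n, "flavor": f,
                   "generic": t == "g", "is_app": c == "!", "sigs": [], "sys": []}
            db[section].append(cur)
        elif key == "sig" and cur is not None:
            cur["sigs"].append(parse_tcp_sig(val) if section[0] == "tcp" else val)
        elif key == "sys" and cur is not None:
            cur["sys"] = val.split(",")
    return db
```

When matching, consult entries with "generic" set to False first and fall back to the 'g' ones only when nothing specific matched, as the text above prescribes.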