Update to "1.8 final release". Change master site. Add new home page. Install new man page. Be verbose. Add patch to fix new -o option. Update patch to README (the old one was integrated upstream). The new patches have been sent to William Stearns.
Trevor Johnson 2002-01-21 08:47:53 +00:00
parent 0c6b0118e1
commit 508c4a1756
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=53438
10 changed files with 70 additions and 614 deletions


@ -7,28 +7,29 @@
PORTNAME= p0f
PORTVERSION= 1.8
PORTREVISION= 1
CATEGORIES= net
MASTER_SITES= http://lcamtuf.hack.pl/
DISTNAME= ${PORTNAME}
MASTER_SITES= http://www.stearns.org/p0f/
EXTRACT_SUFX= .tgz
MAINTAINER= trevor@FreeBSD.org
WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
MAN1= p0f.1
post-patch:
@${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \
${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \
${WRKSRC}/README \
${WRKSRC}/p0f.c
do-install:
@${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
@${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
${INSTALL_MAN} ${WRKSRC}/${MAN1} ${MANPREFIX}/man/man1
post-install:
.if !defined(NOPORTDOCS)
@${MKDIR} ${PREFIX}/share/doc/p0f
@${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
${MKDIR} ${PREFIX}/share/doc/p0f
${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
.endif
.include <bsd.port.mk>
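Review bot: `${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc` in do-install copies the fingerprint database straight over ${PREFIX}/etc/p0f.fp on every install and upgrade, so a locally edited database is silently replaced; installing it as p0f.fp.sample and copying it to p0f.fp only when no file exists would preserve local changes. The new `${INSTALL_MAN} ${WRKSRC}/${MAN1} ${MANPREFIX}/man/man1` line assumes p0f.1 ships in the 1.8 tarball; if the page is supplied by the port it should be taken from ${FILESDIR} instead. Also note that the post-patch rewrite `s=/etc=${PREFIX}/etc=g` is unanchored, so every "/etc" string in README and p0f.c is rewritten, not only the p0f.fp path.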


@ -1 +1 @@
MD5 (p0f.tgz) = 56d6797b8f0e9f00715dd59b4e5f6822
MD5 (p0f-1.8.tgz) = a800396508a9d4bd4e4204a76ea79c2e
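Review bot: this line changes the distfile name (p0f.tgz to p0f-1.8.tgz) and its digest in one step while the Makefile hunk moves MASTER_SITES to a different host, so the new MD5 should be checked against a digest published by upstream rather than only against the file that was fetched; otherwise a modified copy on the new site would be recorded as the reference checksum.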


@ -1,302 +1,11 @@
patch to version 1.8.test9
- mention the FreeBSD port
- mention that BSD make, not just GNU make, is adequate
- some rewording for clarity, not intended to change meaning
- reformatting of white space, mostly done with "fmt 79 80"
- spelling changes, mostly suggested by ispell
--- README.old Thu Nov 22 16:37:28 2001
+++ README Wed Jan 9 12:10:53 2002
@@ -18,17 +18,17 @@
Project Status
--------------
--- README.old Thu Jan 17 21:58:09 2002
+++ README Sun Jan 20 23:30:58 2002
@@ -94,7 +94,7 @@
- As for today, this packet is hosted and maintained by William Stearns
- <wstearns@pobox.com>. Original code comes from Michal Zalewski
- <lcamtuf@coredump.cx>. Feel free to mail William or both of us with
- bugfixes, ideas, etc =)
+ This program is now hosted and maintained by William Stearns
+ <wstearns@pobox.com>. It was originally written by Michal Zalewski
+ <lcamtuf@coredump.cx>. Feel free to mail William or both of us with
+ bug-fixes, ideas, etc. =)
-----------------
Special thanks to
-----------------
- * Lance Spitzner for whitepaper on passive OS fingerprinting:
+ * Lance Spitzner for white paper on passive OS fingerprinting:
http://www.enteract.com/~lspitz/finger.html
* tf8 for initial piece of libpcap support and packet parsing
@@ -36,7 +36,7 @@
* teso/security.is/b0f/#hax for ideas and testing
* Jeremy Weatherford, Chris Wilson and Szilveszter Adam for
- portability testing/patches, bugfixes and ideas,
+ portability testing/patches, bug-fixes and ideas,
* other BUGTRAQ readers for OS fingerprints and useful patches
@@ -49,126 +49,127 @@
Background
----------
- * What is passive OS fingerprinting?
-
- Passive OS fingerprinting technique is based on information coming
- from remote host when it tries to establish a connection to your system.
- Captured packet parameters contain enough information to determine
- remote OS - and, unlike active scanners (nmap, queSO) - this is done
- without sending anything to this host.
-
- If you're looking for more information on this approach, read Spitzner's
- whitepaper at http://www.enteract.com/~lspitz/finger.html :)
-
+ * What is passive OS fingerprinting?
+
+ The passive OS fingerprinting technique is based on information coming from a
+ remote host when it tries to establish a connection to your system. Captured
+ packet parameters contain enough information to identify the remote OS. In
+ contrast to active scanners such as nmap and queSO, p0f does this without
+ sending anything to the remote host.
+
+ If you're looking for more information on this approach, read Spitzner's white
+ paper (mentioned above). :)
+
In short, there are certain TCP/IP flag settings specific for given systems.
- Usually initial TTL (8 bits), window size (16 bits), maximum segment size
- (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option
- (1 bit), window scaling option (8 bits), initial packet size (16 bits)
- vary from one TCP stack implementation to another, and, combined together,
- give unique, 67-bit signature for every system.
-
- Some portions of p0f code are currently used by IDS systems and
- sniffer software.
-
- * What are main advantages?
-
- Passive OS fingerprinting can be done on huge portions of input data - eg.
- information gathered on firewall, proxy, routing device or Internet server,
- without causing any network activity. You can launch passive OS detection
- software on such machine and leave it for days, weeks or months, collecting
- really interesting statistical information about your customers, about
- attackers, other servers, etc. What's really funny - packet filtering
- firewalls, network address translation and so on are almost always
- transparent to p0f-alike software, so you're able to obtain information
- about systems behind the firewall. Also, such software can determine
- distance between remote host and your system, allowing you to generate
- network structure maps for firewalled/structural networks. And all without
- sending a single packet. Nice, especially for IDSes.
+ Usually initial TTL (8 bits), window size (16 bits), maximum segment size (16
+ bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option (1 bit),
+ window scaling option (8 bits), and initial packet size (16 bits) vary from
+ one TCP stack implementation to another. Together, they give a unique, 67-bit
+ signature for every system.
+
+ Some portions of the p0f code are currently used by IDS systems and sniffer
+ software.
+
+ * What are the main advantages?
+
+ Passive OS fingerprinting can be done on huge amounts of input data - for
+ example, information gathered on a firewall, proxy, routing device or Internet
+ server - without causing any network activity. You can launch passive OS
+ detection software on such a machine and leave it for days, weeks or months,
+ collecting really interesting statistical information about your customers,
+ attackers, other servers, etc. Since packet filtering firewalls, network
+ address translation and so on are almost always transparent to p0f-alike
+ software, you're able to obtain information about systems behind the firewall.
+ Also, such software can determine the distance between a remote host and your
+ system, allowing you to generate network structure maps for
+ firewalled/structural networks. All this can be done without sending a single
+ packet. It is especially nice for IDSes.
-----------
Limitations
-----------
- Proxy firewalls and other high-level proxy devices are not transparent to
- any TCP-level fingerprinting software. The device itself will be
- fingerprinted, not actual source hosts.
-
+ Proxy firewalls and other high-level proxy devices are not transparent to any
+ TCP-level fingerprinting software. The device itself will be fingerprinted,
+ not actual source hosts.
+
In order to obtain information required for fingerprinting, you have to
- receive at least one SYN packet initializing TCP connection to your
- machine or network. Note: you don't have to respond to particular SYN.
- Of course, it's impossible to perform any kind of OS detection witout
- receiving any information.
-
- It is possible to perform passive fingerprinting on live TCP connection, or
- on a connection established by you to a remote host. However, these
- techniques are less reliable (many implementations copy parameters from
- the first SYN packet; other parameters change rapidly with time).
-
-
------------------------------------------
-Is there anything special about this one?
------------------------------------------
-
- There is another passive OS detection utility, called 'siphon'. It's
- pretty good piece of proof-of-concept software, but it isn't perfect. Well,
- p0f isn't perfect for sure, but features some improvements:
-
+ receive at least one SYN packet initializing TCP connection to your machine or
receive at least one SYN packet initiating a TCP connection to your machine or
- or network. Note: you don't have to respond to this particular SYN. Of course,
+ network. Note: you don't have to respond to this particular SYN. Of course,
+ it's impossible to perform any kind of OS detection without receiving any
+ information.
+
+ It is possible to perform passive fingerprinting on a live TCP connection, or
+ on a connection established by you to a remote host. However, these techniques
+ are less reliable (many implementations copy parameters from the first SYN
+ packet; other parameters change rapidly with time).
+
+
+---------------------------------------------
+Is there anything special about this program?
+---------------------------------------------
+
+ There is another passive OS detection utility, called 'siphon'. It's a pretty
+ good piece of proof-of-concept software, but it isn't perfect. Well, p0f
+ isn't perfect for sure, but features some improvements:
+
- it's single-threaded and pretty clean,
-
+
- works properly on Linuxes (siphon has a problem with bpf on 2.2), as
well as on BSD systems and SunOS/Solaris,
-
+
- has pretty large and detailed fingerprints database,
-
+
- uses more information for fingerprinting (42 extra bits),
-
+
- it's more accurate,
-
+
- you can define your own filtering rules in the tcpdump flavour:
- p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and
- listening interface (using option -i).
-
- What more? Dunno :) Simply, check it out.
+ p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and listening
+ interface (using option -i).
+
+ What more? Dunno. :) Simply, check it out.
it's impossible to perform any kind of OS detection without receiving any
information.
------------
Not working!
------------
- Probably p0f isn't working well on every platform in the world; first
- of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
- /usr/include/pcap instead of /usr/include/ (eg. in broken RH 6.1 package).
- In this case, simply issue:
-
- ln -s /usr/include/pcap/pcap.h /usr/include/
- ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
-
- NOTE: if p0f recognized system incorrectly or cannot recognize it at all,
- please send OS signature and system description to author. Thanks :)
-
+ Probably p0f isn't working well on every platform in the world. First of all,
+ you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
+ /usr/include/pcap instead of /usr/include/ (for example, in the broken Red Hat
+ 6.1 package). In this case, simply issue:
+
+ ln -s /usr/include/pcap/pcap.h /usr/include/
+ ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
+
+ NOTE: if p0f recognized the system incorrectly or cannot recognize it at all,
+ please send the OS signature and system description to the author. Thanks. :)
+
Tested platforms:
- NetBSD
- FreeBSD
+ in the ports collection
- OpenBSD
- Linux 2.0/2.2/2.4
http://www.stearns.org/p0f/
- Solaris 2.6-2.7
- LinuxPPC
http://rpmfind.net/linux/RPM/linuxPPC/contrib/software/Applications/Networking/p0f-1.7-0.ppc.html
-
- Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x;
- GNU egrep (for proper Makefile processing)
-
+ Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x or BSD
+ make; GNU egrep (for proper Makefile processing)
+
+
-------------
Configuration
-------------
- /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described
- inside:
-
+ The database of OS fingerprints is usually kept in /etc/p0f.fp or ./p0f.fp .
+ Its format is described below:
+
#
# p0f - passive OS fingerprinting
# -------------------------------
@@ -208,9 +209,9 @@
# W - window scaling (-1=not present, other=value)
# S - sackOK flag (0=unset, 1=set)
# N - nop flag (0=unset, 1=set)
- # I - declared packet size (-1 = irrevelant)
+ # I - declared packet size (-1 = irrelevant)
#
-
+
--------------------
What should be done?
@@ -218,22 +219,22 @@
- Colorful interface, of course ;)
- Packet sizes added for old fingerprints
- - Manpage and other user-friendly features
+ - Man page and other user-friendly features
-------------------
License, disclaimer
-------------------
- The p0f utility and related utilities are free software; you can
- redistribute it and/or modify it under the terms of the GNU Library
- General Public License as published by the Free Software Foundation;
- either version 2 of the License, or (at your option) any later version.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM,
- DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
- OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
- OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ The p0f utility and related utilities are free software; you can redistribute
+ it and/or modify it under the terms of the GNU Library General Public License
+ as published by the Free Software Foundation; either version 2 of the License,
+ or (at your option) any later version.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
+ MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ IN THE SOFTWARE.
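Review bot: dropping the old 300-line patch (reflow, spelling, the "patch to version 1.8.test9" header) and keeping only the Limitations fix (`@@ -94,7 +94,7 @@`: "initializing TCP connection to your machine or / or network" becomes "initiating a TCP connection to your machine or / network") brings the patch down to a size a ports patch should have. The replacement has no leading comment, though; add one line above the `--- README.old` header saying the change was sent upstream (as the commit message states) so the next maintainer knows to drop the file once an upstream release includes it.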

net/p0f/files/patch-p0f.c (new file, 16 lines)

@ -0,0 +1,16 @@
--- p0f.c.orig Thu Jan 17 21:05:58 2002
+++ p0f.c Mon Jan 21 00:22:56 2002
@@ -348,10 +348,9 @@
T_tstamp = 1;
break;
case 'o':
- { FILE* x;
- x=fopen(optarg,"a");
- if (!x) { perror(optarg); exit(1); }
- stdout=x;
+ if (!freopen(optarg,"a",stdout)) {
+ perror(optarg);
+ exit(1);
}
break;
default:
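Review bot: replacing the assignment `stdout=x;` with `if (!freopen(optarg,"a",stdout))` is the right fix, since the C standard does not guarantee that stdout is an assignable lvalue, and the failure path still reaches perror() because only stdout is redirected. One consequence deserves a comment in the patch: once stdout is a regular file it is fully buffered, so fingerprint lines written through stdio sit in the buffer until it fills or the process exits normally; if p0f is stopped by a signal, the tail of the -o log is lost unless the program calls fflush(stdout) after each record or sets line buffering with setvbuf(stdout, NULL, _IOLBF, 0) right after the freopen.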


@ -19,3 +19,5 @@ http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml
if you do not understand how this can be harmful. Running p0f with
no options will cause it to analyse packets intended for other
hosts.
WWW: http://www.stearns.org/p0f/
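Review bot: the `WWW: http://www.stearns.org/p0f/` footer matches the new MASTER_SITES host in the Makefile hunk, which keeps pkg-descr consistent with where the distfile is fetched. The hunk header `@ -19,3 +19,5 @@` accounts for two added lines while only one is visible here, so the other should be the blank line that separates the warning paragraph ("Running p0f with no options will cause it to analyse packets intended for other hosts.") from the WWW: line; confirm it is present so the footer stays its own final paragraph.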