With this fingerprinting utility, inspecting live traffic or a .pcap file yields information about the systems involved.
In this example, we sniffed the WAN interface of our Internet router. The tool passively recognizes an OS from traces and behaviors in the TCP packets it sees.
[lab@ethprobe ~]$ sudo p0f -r /tmp/wires_3.pcap
[sudo] password for lab:
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---
[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Will read pcap data from file '/tmp/wires_3.pcap'.
[+] Default packet filtering configured [+VLAN].
[+] Processing capture data.
.-[ x.x.x.x/52982 -> x.x.x.x/443 (syn) ]-
|
| client = x.x.x.x/52982
| os = Linux 2.6.x
| dist = 2
| params = none
| raw_sig = 4:62+2:0:1460:mss*4,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ x.x.x.x/33243 -> x.x.x.x/443 (mtu) ]-
|
| server = x.x.x.x/443
| link = generic tunnel or VPN
| raw_mtu = 1420
|
`----
.-[ x.x.x.x/48831 -> x.x.x.x/443 (mtu) ]-
|
| server = x.x.x.x/443
| link = Ethernet or modem
| raw_mtu = 1500
|
`----
.-[ x.x.x.x/51853 -> x.x.x.x/443 (syn) ]-
|
| client = x.x.x.x/51853
| os = Windows NT kernel
| dist = 6
| params = generic
| raw_sig = 4:122+6:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0
|
`----
.-[ x.x.x.x/55602 -> x.x.x.x/443 (syn) ]-
|
| client = x.x.x.x/55602
| os = Windows 7 or 8
| dist = 1
| params = none
| raw_sig = 4:127+1:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
|
`----
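To see what the classification above rests on, here is an added example (my own code, not part of p0f) that parses the raw_sig lines from the run into their fields, rebuilds the initial TTL from the observed TTL plus hop count, and expands window sizes given as a multiple of the MSS. The TTL-to-family table is a deliberate simplification for illustration; p0f matches the whole signature against its database, not just the TTL.

```python
import re

# p0f v3 TCP signature layout (from the p0f README):
#   ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
# In p0f's live output the ittl field is printed as "<observed>+<hops>",
# so the initial TTL set by the sender's stack is the sum of the two.

# Coarse default-TTL table (a simplification; p0f itself matches the
# whole signature, not just the TTL).
TTL_FAMILY = {64: "Linux/BSD-like", 128: "Windows-like", 255: "Solaris/network device"}


def parse_raw_sig(sig: str) -> dict:
    """Split one raw_sig line from p0f output into typed fields."""
    ver, ittl, olen, mss, wsize, olayout, quirks, pclass = sig.split(":")
    m = re.fullmatch(r"(\d+)\+(\d+)", ittl)
    if not m:
        raise ValueError(f"unexpected ittl field: {ittl!r}")
    observed_ttl, hops = int(m.group(1)), int(m.group(2))
    mss_val = None if mss == "*" else int(mss)
    win, scale = wsize.split(",")
    if win.startswith("mss*") and mss_val is not None:
        window = mss_val * int(win[4:])  # window advertised as a multiple of MSS
    else:
        window = None if win == "*" else int(win)
    return {
        "ip_version": int(ver),
        "initial_ttl": observed_ttl + hops,
        "hops": hops,
        "olen": int(olen),
        "mss": mss_val,
        "window": window,
        "wscale": None if scale == "*" else int(scale),
        "olayout": olayout.split(","),
        "quirks": quirks.split(",") if quirks else [],
        "pclass": int(pclass),
        "ttl_hint": TTL_FAMILY.get(observed_ttl + hops, "unknown"),
    }


if __name__ == "__main__":
    # The three SYN signatures copied from the p0f run above.
    for sig in (
        "4:62+2:0:1460:mss*4,7:mss,sok,ts,nop,ws:df,id+:0",
        "4:122+6:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0",
        "4:127+1:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0",
    ):
        p = parse_raw_sig(sig)
        print(f"ittl={p['initial_ttl']} hops={p['hops']} win={p['window']} "
              f"wscale={p['wscale']} opts={','.join(p['olayout'])} -> {p['ttl_hint']}")
```

Note that the Linux client advertises its window as a multiple of the MSS with a scale of 7 and carries timestamps, while both Windows hosts use a different option order without timestamps; that option layout is what separates them far more reliably than the TTL alone.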
Cool stuff!
.glitchlist crew