CERT

What is p0f?

Passive OS Fingerprinting (p0f) is the passive collection of layer 4 configuration attributes that can be used to deduce the operating system that is communicating over the network. p0f uses TCP/IP header information such as initial packet size, window size, and flags to form a signature, or fingerprint, for that operating system.
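To make the fingerprinting idea concrete, the following added example (not code from the libp0f or YAF projects) parses the IP and TCP headers of a constructed SYN packet, pulls out the attributes named above (SYN packet size, window size, DF flag, TTL and the TCP option layout), renders them as a signature string in the style of p0f's window:ttl:df:size:options fields, and matches it against a small signature table. The table entries and the sample packets are constructed for illustration and are not p0f's real fingerprint database; the TTL rounding and the "window as a multiple of MSS" notation are simplifications of what p0f does.

```python
"""Passive SYN fingerprinting, added illustration (not libp0f's own code)."""
import struct

# Constructed signature table: window:initial_ttl:df:syn_size:options.
# "M*" / "W*" match any MSS / window-scale value. Labels are illustrative.
SIGNATURES = {
    "S20:64:1:60:M*,S,T,N,W7": "sample-A (Linux-like stack)",
    "65535:128:1:48:M*,N,N,S": "sample-B (Windows-like stack)",
}


def parse_tcp_options(raw: bytes):
    """Return (option layout list, MSS or None) from raw TCP option bytes."""
    layout, mss, i = [], None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            layout.append("E")
            break
        if kind == 1:                       # NOP padding
            layout.append("N")
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2:                      # malformed option, stop parsing
            break
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:    # maximum segment size
            mss = struct.unpack("!H", body)[0]
            layout.append("M%d" % mss)
        elif kind == 3 and len(body) == 1:  # window scale
            layout.append("W%d" % body[0])
        elif kind == 4:                     # SACK permitted
            layout.append("S")
        elif kind == 8 and len(body) == 8:  # timestamps; T0 when tsval is zero
            tsval = struct.unpack("!I", body[:4])[0]
            layout.append("T" if tsval else "T0")
        else:                               # unknown option kind
            layout.append("?%d" % kind)
        i += length
    return layout, mss


def initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    return 255


def build_signature(packet: bytes) -> str:
    """Build a p0f-style signature string from an IPv4/TCP SYN packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    df = (flags_frag >> 14) & 1
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:              # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    layout, mss = parse_tcp_options(tcp[20:data_off])
    # Express the window as a multiple of MSS when it divides evenly.
    wsize = "S%d" % (window // mss) if mss and window % mss == 0 else str(window)
    return "%s:%d:%d:%d:%s" % (wsize, initial_ttl(ttl), df, total_len,
                               ",".join(layout))


def options_match(pattern: str, observed: str) -> bool:
    """Compare option layouts element by element, honouring M*/W* wildcards."""
    pat = pattern.split(",") if pattern else []
    obs = observed.split(",") if observed else []
    if len(pat) != len(obs):
        return False
    for p, o in zip(pat, obs):
        if p in ("M*", "W*"):
            if not o.startswith(p[0]):
                return False
        elif p != o:
            return False
    return True


def match_signature(sig: str):
    """Return the table label for a signature, or None when nothing matches."""
    fields = sig.split(":", 4)
    for pattern, label in SIGNATURES.items():
        pf = pattern.split(":", 4)
        if pf[:4] == fields[:4] and options_match(pf[4], fields[4]):
            return label
    return None


def make_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Construct a minimal IPv4 + TCP SYN packet (checksums left zero)."""
    tcp_len = 20 + len(options)
    assert tcp_len % 4 == 0, "TCP options must pad to a 4-byte boundary"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4,
                      0x02, window, 0, 0)
    return ip + tcp + options


# Constructed sample option blocks (not captured traffic).
OPTS_A = (b"\x02\x04\x05\xb4"                              # MSS 1460
          + b"\x04\x02"                                    # SACK permitted
          + b"\x08\x0a" + struct.pack("!II", 0x1234, 0)    # timestamps
          + b"\x01"                                        # NOP
          + b"\x03\x03\x07")                               # window scale 7
OPTS_B = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"   # MSS, NOP, NOP, SACK

if __name__ == "__main__":
    for pkt in (make_syn(58, True, 29200, OPTS_A),
                make_syn(128, True, 65535, OPTS_B),
                make_syn(255, False, 4128, b"\x02\x04\x02\x18")):
        sig = build_signature(pkt)
        print(sig, "->", match_signature(sig))
```

Only header attributes are examined, never payload, which is what makes the technique passive: the sensor can sit on a tap and never send a packet. The same limitation applies in reverse: a host behind NAT or a middlebox that rewrites TTL or options will produce a signature that no longer reflects the originating stack.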

Description

libp0f is a library implementation of p0f version 2 retrieved from http://lcamtuf.coredump.cx/p0f.shtml. This library splits the core p0f functionality from the p0f application in order to support third-party linkage. The p0f library is installed as libp0f.so into /usr/local/lib by default. libp0f does not change any of the fingerprinting algorithms from p0f version 2, nor has it upgraded any of the p0f fingerprints. Do not install both the p0f application and the library. The library is required for use with YAF. To enable p0f in YAF, configure YAF with --enable-p0fprinter, and run YAF with --p0fprint.

Source Code

p0flib.tgz

Installing libp0f

./configure
make
make install

Configuring YAF with libp0f

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
[or location of libp0f.pc]
export LD_LIBRARY_PATH=/usr/local/lib
[or location of libp0f.so]
./configure --enable-applabel --enable-p0fprinter
make
make install

It may be necessary to set the PKG_CONFIG_PATH and LD_LIBRARY_PATH environment variables for YAF to find libp0f.

Running YAF with p0f

./yaf --in /path/to/pcap --out out.yaf --applabel --p0fprint --max-payload=500

Running YAF with p0f will export 6 new fields, OS Name, OS Version, OS Fingerprint, Reverse OS Name, Reverse OS Version, and Reverse OS Fingerprint, in the p0f template of the SubTemplateMultiList (see here for more info on YAF templates).
YAF will export these new fields only if it finds a match. SiLK currently does not have support for these fields. Check out the following links to YAF mediators that will allow you to collect and view the p0f fields:

YAF File Mediator

YAF to MySQL Mediator

Contact

If you have bug reports, patches, feedback, or questions please send them to netsa-help@cert.org.