What is p0f?

Passive OS Fingerprinting (p0f) is the passive collection of layer 4 configuration attributes that can be used to deduce the operating system that is communicating over the network. p0f uses TCP/IP header information such as initial packet size, window size, and flags to form a signature, or fingerprint, for that operating system.

Description

libp0f is a library implementation of p0f version 2 retrieved from http://lcamtuf.coredump.cx/p0f3/. This library splits the core p0f functionality from the p0f application in order to support 3rd-party linkage. The p0f library is installed as libp0f.so into /usr/local/lib by default. libp0f does not change any of the fingerprinting algorithms from p0f version 2, nor has it upgraded any of the p0f fingerprints. Do not install both the p0f application and the library. The library is required for use with YAF. To enable p0f in YAF, configure YAF with --with-p0f, and run YAF with --p0fprint. (For versions of YAF prior to 3.0.0, configure YAF with --enable-p0fprinter to use the libp0f.)

Source Code

p0flib.tar.gz (808.1KiB gz)
The libp0f source code (2012-03-26)

(SHA256=61f4069ccdd0c38133b3e4b776f9e127c321c2963c284e2ae6491facd5faca36)

Installing libp0f

./configure
make
make install

Run configure with --help to see the configuration options.

Configuring YAF with libp0f

For YAF-3.x, assuming you have installed libp0f in /usr/local: 

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
export LD_LIBRARY_PATH=/usr/local/lib
./configure --enable-applabel --with-p0f
make
make install

where the PKG_CONFIG_PATH and LD_LIBRARY_PATH environment variables are set to help YAF find libp0f. The PKG_CONFIG_PATH specifies the directory of the libp0f.pc file, and LD_LIBRARY_PATH specifies the directory of the libp0f.so library.

Use the same commands for YAF-2.x and older except use the --enable-p0fprinter option to configure: 

./configure --enable-applabel --enable-p0fprinter

Running YAF with p0f

./yaf --in /path/to/pcap --out out.yaf --applabel --p0fprint --max-payload=500

Running YAF with p0f will export 6 new fields, OS Name, OS Version, OS Fingerprint, Reverse OS Name, Reverse OS Version, and Reverse OS Fingerprint, in the p0f template of the SubTemplateMultiList (see the yaf man page for more info on YAF templates).

YAF will export these new fields only if it finds a match. super_mediator supports these fields. Alternatively, checkout the following links to YAF mediators that will allow you to collect and view the p0f fields:

  • YAF File Mediator
  • YAF to MySQL Mediator