The Web Local

p0f

p0f v2 is a versatile passive OS fingerprinting tool. It infers the operating system from the TCP/IP header fields of traffic it observes and never sends a probe of its own, so, unlike an active scanner, it gives the fingerprinted host nothing to detect. p0f can identify the operating system on:

  • Hosts that connect to your machine (SYN mode, the default),

  • Hosts you connect to (SYN+ACK mode),

  • Hosts you cannot connect to, because they refuse the connection (RST+ mode),

  • Hosts whose communications you can observe (stray ACK mode).

p0f can also do many other tricks, and can detect or measure the following:

  • Firewall presence and NAT use (useful for policy enforcement),

  • The existence of a load-balancer setup,

  • The distance to the remote system (router hops, derived from the TTL) and its uptime (derived from the TCP timestamp option),

  • The remote host's network connection details (DSL, OC3, ISP etc.).

The distance and uptime figures are only as good as the signature match: distance needs the initial TTL of the matched OS, and uptime needs the TCP timestamp option to be present, so p0f omits them when it cannot compute them.

Installation:

p0f is available from here.

p0f requires libpcap, including its headers, to be already installed on your machine. As shipped, p0f.c includes net/bpf.h, which many Linux systems do not have; libpcap provides the same definitions in pcap-bpf.h, so you must find that file and point the include in p0f.c at it, or the build will fail.

First find the header:

locate pcap-bpf.h

which on this machine returns

/usr/include/pcap-bpf.h

Then unpack the source (the tarball unpacks into a p0f/ directory) and edit the include:

tar -zxvf p0f.tgz
cd p0f
vi p0f.c

On line 39 (the line that includes net/bpf.h in this version of p0f.c) replace net/bpf.h with /usr/include/pcap-bpf.h, or with wherever locate found it on your machine. Then build and install; do the build as an ordinary user and use root only for make install, which installs into system directories:

make
make install
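The same procedure as a script, added here as an example and not taken from the page or from the p0f project: it finds pcap-bpf.h, rewrites the include in p0f.c, and checks that the edit actually took before make runs. It assumes the include line in p0f.c reads `#include <net/bpf.h>` (the page only says that line 39 names net/bpf.h) and that the tarball unpacks into p0f/.

```shell
#!/bin/sh
# Added example (not from the page or from p0f): the manual edit of p0f.c
# done by script, with a check that the edit took before building.
# Assumption: the include line in p0f.c reads '#include <net/bpf.h>'.

# Locate libpcap's bpf header. locate(1) depends on an up-to-date database,
# so check the usual include directories first and fall back to locate.
find_pcap_bpf() {
  for d in /usr/include /usr/local/include /usr/include/pcap; do
    if [ -f "$d/pcap-bpf.h" ]; then
      printf '%s\n' "$d/pcap-bpf.h"
      return 0
    fi
  done
  locate pcap-bpf.h 2>/dev/null | head -n 1
}

# Rewrite the net/bpf.h include in $1 to pull in the header at $2.
# Refuses to touch the file unless exactly one such line exists (so a
# different p0f version cannot be half-patched), keeps a pristine copy
# in $1.orig, and verifies the result before reporting success.
patch_bpf_include() {
  src="$1"; hdr="$2"
  n=$(grep -c '^#include[[:space:]]*<net/bpf\.h>' "$src" || true)
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one net/bpf.h include in $src, found $n" >&2
    return 1
  fi
  cp "$src" "$src.orig"
  sed "s|^#include[[:space:]]*<net/bpf\.h>|#include \"$hdr\"|" "$src.orig" > "$src"
  grep -q "^#include \"$hdr\"\$" "$src"
}

# The whole procedure from the page: unpack, patch, build. Run as an
# ordinary user; only make install should need root. Not invoked here.
build_p0f() {
  tarball="${1:-p0f.tgz}"
  hdr=$(find_pcap_bpf)
  if [ -z "$hdr" ]; then
    echo "pcap-bpf.h not found: install the libpcap headers first" >&2
    return 1
  fi
  tar -zxf "$tarball"
  cd p0f || return 1                 # assumption: tarball unpacks into p0f/
  patch_bpf_include p0f.c "$hdr" || return 1
  make
}
```

Run `build_p0f p0f.tgz` from the directory holding the tarball, then `make install` as root inside p0f/. The one-occurrence check is deliberate: if a newer p0f.c no longer includes net/bpf.h, the script stops instead of silently building an unpatched tree.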

 

Execution

Usage:

./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ]
      [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ]
      [ -c size ] [ -T nn ] [ 'filter rule' ]

Options:

    -f file - read fingerprints from file

    -i device - listen on this device

    -s file - read packets from tcpdump snapshot

    -o file - write to this logfile (implies -t)

    -w file - save packets to tcpdump snapshot

    -u user - chroot and setuid to this user

    -Q sock - listen on local socket for queries

    -c size - cache size for -Q and -M options

    -M - run masquerade detection

    -T nn - set masquerade detection threshold (1-200)

    -V - verbose masquerade flags reporting

    -F - use fuzzy matching (do not combine with -R)

    -N - do not report distances and link media

    -D - do not report OS details (just genre)

    -U - do not display unknown signatures

    -K - do not display known signatures (for tests)

    -S - report signatures even for known systems

    -A - go into SYN+ACK mode (semi-supported)

    -R - go into RST/RST+ACK mode (semi-supported)

    -O - go into stray ACK mode (barely supported)

    -r - resolve host names (not recommended)

    -q - be quiet - no banner

    -v - enable support for 802.1Q VLAN frames

    -p - switch card to promiscuous mode

    -d - daemon mode (fork into background)

    -l - use single-line output (easier to grep)

    -x - include full packet dump (for debugging)

    -X - display payload string (useful in RST mode)

    -C - run signature collision check

    -t - add timestamps to every entry

    'Filter rule' is an optional pcap-style BPF expression (man tcpdump).
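A worked invocation and a parser for the resulting log, added as an example and not part of the page or of p0f: the wrapper builds a SYN-mode command line that drops root with -u and restricts capture with a BPF rule, and the parser turns single-line (-l, timestamped) entries into fields so unknown signatures and hosts that are further away than they should be can be alerted on. The sample log lines are constructed in the style of p0f -l -t output; the addresses, times and signature are made up, and the record layout the regex expects is an assumption drawn from that style.

```shell
#!/bin/sh
# Added example (not from the page or from p0f): a p0f wrapper and a parser
# for its single-line output. Sample log lines below are constructed.

# Command line for SYN mode on an interface: drop root after the capture
# device is open (-u), single-line entries with timestamps (-o implies -t),
# and a BPF rule so only inbound SYNs to our service port are examined.
# Printed rather than executed: opening the capture device needs root.
p0f_cmdline() {
  iface="$1"; user="$2"; logfile="$3"; port="$4"
  printf "p0f -i %s -u %s -l -o %s 'tcp dst port %s and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'\n" \
    "$iface" "$user" "$logfile" "$port"
}

# Assumed record layout (p0f -l -t style):
#   <ts> src:sport - OS description (up: N hrs) -> dst:dport (distance N, link: type)
# Unknown signatures print "UNKNOWN [raw signature]" and carry no distance,
# because distance is derived from the initial TTL of the matched OS.
P0F_RE='s/^<([^>]*)> ([0-9.]+):([0-9]+) - (.*) -> ([0-9.]+):([0-9]+) \((distance ([0-9]+), )?link: ([^)]*)\)$/\1|\2|\3|\4|\5|\6|\8|\9/'

# Convert records on stdin to ts|src|sport|os|dst|dport|distance|link.
# Lines that are not records (banner, masquerade notices) pass through
# unchanged and are dropped by the field-count check in p0f_findings.
p0f_to_fields() {
  sed -E "$P0F_RE"
}

p0f_parse_line() {
  printf '%s\n' "$1" | p0f_to_fields
}

# Report what an analyst wants first: unknown signatures (new or evasive
# stacks) and hosts whose hop distance exceeds $1, which on a directly
# attached network points at NAT, a tunnel, or a routed/spoofed source.
p0f_findings() {
  max_hops="${1:-0}"
  p0f_to_fields | awk -F'|' -v max="$max_hops" '
    NF != 8 { next }
    $4 ~ /^UNKNOWN/ { printf "UNKNOWN-SIG\t%s\t%s\n", $2, $4; next }
    $7 != "" && $7+0 > max+0 { printf "FAR-HOST\t%s\tdistance=%s\t%s\n", $2, $7, $4 }
  '
}

# Constructed sample in the style of p0f -l -t output (addresses, times and
# the raw signature are made up for this example).
SAMPLE_LOG='<Sat Mar 01 12:00:00 2008> 192.168.1.10:4321 - Linux 2.4/2.6 (up: 1200 hrs) -> 10.0.0.1:80 (distance 0, link: ethernet/modem)
<Sat Mar 01 12:00:03 2008> 192.168.1.11:51234 - Windows 2000 SP4, XP SP1+ (up: 48 hrs) -> 10.0.0.1:80 (distance 0, link: ethernet/modem)
<Sat Mar 01 12:00:07 2008> 192.168.1.12:1034 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] -> 10.0.0.1:80 (link: ethernet/modem)
<Sat Mar 01 12:00:09 2008> 192.168.1.13:2222 - FreeBSD 5.3-5.4 (up: 10 hrs) -> 10.0.0.1:22 (distance 3, link: ethernet/modem)'

p0f_cmdline eth0 nobody /var/log/p0f.log 80
printf '%s\n' "$SAMPLE_LOG" | p0f_findings 0
```

p0f has to be started as root to open the interface; -u makes it chroot and change to the given user afterwards, so the long-running capture process holds no more privilege than it needs. -p is only required on a mirror or span port, not for traffic addressed to the host itself. With a threshold of 0 the sample flags the UNKNOWN host and the FreeBSD host three hops away; raise the threshold to match the real topology of the segment you monitor.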

 

 
