p0f/0040755000175100017500000000000010477537064011143 5ustar lcamtufusersp0f/Build0100755000175100017500000000254010406213542012106 0ustar lcamtufusers#!/bin/sh # # p0f - main build script # ----------------------- # # This script determines OS name and checks for the appropriate # makefile in mk/. # # (C) Copyright 2000-2006 by Michal Zalewski # SYSTEM=`uname -s 2>/dev/null` test "$SYSTEM" = "" && SYSTEM="unknown" test -f /lib/libcygwin.a && SYSTEM=CYGWIN echo "Your system type is: $SYSTEM" if [ ! -f mk/$SYSTEM ]; then echo echo "This system is not currently supported. You can try to compile the" echo "program by trying one of the other supported options:" echo cd mk ls | cat echo echo "To do so, type 'make -f mk/XXX' or 'gmake -f mk/XXX', where XXX is the" echo "name of the system you have selected (case sensitive). If you manage to" echo "successfully compile the program, please let us know!" echo exit 1 fi GMAKE_OK=`which gmake 2>/dev/null` USE_BPF="pcap-bpf.h" if [ ! -f "/usr/include/$USE_BPF" -a ! -f "/usr/local/include/$USE_BPF" ]; then USE_BPF="net/bpf.h" fi export USE_BPF echo echo "Please help with p0f 2:" echo " http://lcamtuf.coredump.cx/p0f-help/ " echo if [ ! -x "$GMAKE_OK" ]; then echo "GNU make not found; failing back to regular (BSD?) make." exec make -f mk/$SYSTEM "$@" else echo "GNU make found at $GMAKE_OK, trying to use it..." exec gmake -f mk/$SYSTEM "$@" fi echo "Error: failed to execute gmake or make." exit 1 p0f/config.h0100644000175100017500000000570410477514015012553 0ustar lcamtufusers/* p0f - configuration ------------------- The defaults are rather sane. Be careful when changing them. Copyright (C) 2003-2006 by Michal Zalewski */ #ifndef _HAVE_CONFIG_H #define _HAVE_CONFIG_H #define VER "2.0.8" /* Paths and names to config files */ #ifdef WIN32 # define CONFIG_DIR "." 
#else # define CONFIG_DIR "/etc/p0f" #endif /* WIN32 */ #define SYN_DB "p0f.fp" #define SYNACK_DB "p0fa.fp" #define RST_DB "p0fr.fp" #define OPEN_DB "p0fo.fp" /* Maximum number of signatures allowed in the config file */ #define MAXSIGS 1024 /* Max signature line length */ #define MAXLINE 1024 /* Maximum distance from a host to be taken seriously. Between 35 and 64 is sane. Making it too high might result in some (very rare) false positives, too low will result in needless UNKNOWNs. */ #define MAXDIST 40 /* Maximum number of TCP packet options. Some systems really like to put lots of NOPs there. */ #define MAXOPT 16 /* Max. reasonable DNS name length */ #define MY_MAXDNS 32 /* Query cache for -S option. This is only the default. Keep it sane - increase this if your system gets lots of traffic and you get RESP_NOMATCH too often. */ #define DEFAULT_QUERY_CACHE 128 /* Maximum timestamp difference (hours) between two masquerade signatures to be considered sane; should be reasonably high, as some systems might be running at higher timestamp change frequencies than usual. */ #define MAX_TIMEDIF 600 /* Packet dump - bytes per line; this is a sane setting. */ #define PKT_DLEN 16 /* Display no more than PKT_MAXPAY bytes of payload in -X mode. */ #define PKT_MAXPAY 45 /* Size limit for size wildcards - see p0fr.fp for more information. */ #define PACKET_BIG 100 /* Packet snap length. This is passed to libpcap, and should be never below 100 or such. Keep it reasonably low for performance reasons. */ #define PACKET_SNAPLEN 200 /* Query timeout on -Q socket. You must send data QUERY_TIMEOUT seconds after establishing a connection. Set this to zero to disable timeouts (not really recommended). */ #define QUERY_TIMEOUT 2 /* Uncomment this to give extra points for distance difference in masquerade detection. This is not recommended for Internet traffic, but a very good idea for looking at your local network. 
*/ // #define DIST_EXTRASCORE /* Uncomment this to display additional information as discussed in p0f.fp. This functionality is a hack and will disregard options such as greppable output or no details mode, so do not leave it on unless, well, debugging. */ // #define DEBUG_EXTRAS /* If you encounter any problems with false positives because of a system with random or incremental IP ID picking a zero value once in a while (probability under 0.002%, but always), uncomment this to disregard the 'Z' check in quirks section. */ // #define IGNORE_ZEROID #define PID_PATH "/var/run/p0f.pid" #endif /* ! _HAVE_CONFIG_H */ p0f/doc/0040755000175100017500000000000010466616030011675 5ustar lcamtufusersp0f/doc/ChangeLog0100644000175100017500000001510410477514004013445 0ustar lcamtufusersVersion 2.0.8: ------------- More fingerprints, signature cleanup. p0fping.c and diagnostic queries added. Socket ownership fix when dropping privs. Some -O signatures. Version 2.0.7: -------------- Added -0 mode for port 0 wildcards in queries. Added -e option to make p0f work on some boxes. HDLC support added. New fingerprints, including Windows Vista betas. [BUG] Fixed timezone in logs after chroot(). [BUG] Unlikely command-line overflow with VLANs fixed. Version 2.0.6: -------------- [BUG] Fixed pcap naming madness. Support for Cygwin. More signatures. Plenty of -A sigs from Ryan Kruse. [BUG] Fix to a command-line parsing snafu with sprintf; shame on me ;-) Timestamps in masquerade detection. Write PID to /var/run/p0f.pid Verison 2.0.5: -------------- [BUG] OpenBSD compile fix. Support for 802.1Q. New signatures. Speel-chceked teh docuhmentation! Absolutely experimental support for open connection fingerprinting (-O). Synced manpage and documentation. Added several -O signatures. Verison 2.0.4: -------------- More signatures. Improved documentation, mentions of p0f_db, etc. [BUG] Fixed a minor problem with installation on systems w/o /usr/man/. 
[BUG] Fixed a DLT_NULL problem, added a new loopback signature. Multiple timestamp options, timestamps now read from pcap dumps. Sync with new Windows port code. [BUG] Fixed one-line reporting for masquerade detection. Version 2.0.3: -------------- Iproved -F. Masquerade detection code now checks for time going backwards in timestamps. Added uptime in query data and p0fq.c. Added -F fuzzy TTL matching option. More signatures. 2.0.3 and -M code ported to Windows, Windows port fixes, all thanks to Kirby Kuehl . [BUG] Fixed Windows compilation by ifdefing query_cache. [BUG] Missing ENDIAN define on SunOS? Added to Makefile. It now defaults to big endian, perhaps worth auto-detecting in case of Solaris on x86 or such. -r now also resolves the target host. Added -X option, sendsyn added. Better Makefile and p0f*.fp documentation. Automatic wildcard for WSS of 12345 and size exceeding PACKET_BIG. Documentation (links) updated. Sheesh, more cleanup in p0fr.fp explanations and p0f.c RST recognition code. test/sendack2.c added. Added wildcard for packet size; massive ACK probing to diagnose the payload quoting issue. Many new RST fingerprints for network devices. Updated some tos.h signatures. [BUG] Fixed Solaris makefile to include p0f-query.c Version 2.0.2: -------------- Cleanup of the RST mess in p0fr.fp and p0f.c parser. Added isprint() text preview for -x mode. [BUG] Fixed packet size reporting and matching for packets over 255 bytes (_u8 -> _u16). Extended RST+ACK to also cover plain RST, added some sane explanations of the purpose of each mode. Clarification of the RST vs RST+ACK occurences; test/sendack.c added. Added -R option for RST+ACK fingerprinting. Created an empty database. Moved databases from /etc to /etc/p0f/ Windows memory leak mystery solved. No longer using pcap timeouts for anything. They suck. I first wanted to use SIGALRM with no SA_RESTART, but it's broken on Linux on this particular syscall. 
Fortunately, I spotted an mis-documented pcap_fileno and can now use select(). I just hope it won't break. Note to self: despite of the documentation saying pcap_open_live with timeout 0 will simply never timeout (which is irrelevant for pcap_loop anyway), it does not work on FreeBSD, inhibiting all packet processing instead. Works fine on Linux. Go figure. Some minor p0fq fixes to prevent warnings. Added some SYN+ACK signatures from rfp (p0fa.fp). Hooray! p0fa.fp is now official. Moved from test/ to ., etc. README updated. [BUG] Fixed the default TTL for IRIX and Tru64 (60), added a note to p0f.fp, fixed TTL checker to also support %30 values. [BUG] Fixed query mode lookup. The old code didn't handle reverse lookups properly. Masquerade scoring data is now available via the query interface. P0fq utility updated to handle this. Dropped /bin/bash from p0frep, /bin/sh would suffice. Added a new -c option for -M and -Q cache size scaling, packet ratio information on Ctrl-C to help estimate the right parameter. Extra masquerade detection flags: -T for threshold, -V for detailed flag breakdown; masquerade reporting now recognizes -r. The new -w option writes all matching packets to a pcap file (regardless of -K and -U settings). Added -M option (unix only until p0f-query.c gets ported). This option enables advanced masquerade detection based on the cyclic buffer used by -Q. Added - signature flag to the config file. Some documentation for the new functionality. [BUG] Cleaned up the -K and -U semantics with -Q. Replaced some single-character printfs with putchars in signature reporting code (should be a tad faster). Added signature check reporting, generic signature count and some other minor tweaks. The new -x option provides a hexadecimal TCP/IP packet dump. Useful when comparing two colliding fingerprints to find some differences not covered by the current quirks set. PPPoE interface is now handled correctly on NetBSD. Added a shoddy manpage and updated makefiles. 
Removed E quirk and added E to the regular options; removed needless EOL append code from the parser. Breaks the old signature format in some rare cases, but the old quirk is still recognized, and the user will be advised to change it. [BUG] Fixed ? option parsing bug that prevented RISC OS signature from working (and would prevent all ? signatures from working, should there be any other ;-). New signatures and other database additions, of course. [BUG] Fixed a very minor parser bug that could cause it to loop over an unknown option with a declared length of zero. This is not a DoS condition, because the parser would quit the loop after parsing max. 16 options anyway. Version 2.0.1 (2003/09/03): --------------------------- Initial stable release after a complete rewrite; some of the changes are pointed out in README. [SECURITY] What was wrong with p0f v1 in terms of security? Other than its inefficient algorithms, there was a risk of a DoS attack while parsing badly malformed packets. The risk would be due to going past end of options, so there is no exploitable condition, but... the original pcap parser wasn't my work (a contributed code), and p0f v1 was not quite intended to be used in serious production systems. p0f/doc/COPYING0100644000175100017500000006331707171505006012736 0ustar lcamtufusers GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. 
This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. 
Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. 
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. 
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. 
You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. 
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. 
A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. 
As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. 
c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. 
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. 
If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. 
The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. 
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice p0f/doc/CREDITS0100644000175100017500000000523710472323666012730 0ustar lcamtufusers "You may kiss me of course, But you'll have to use force. Though god knows you're stronger than I am." And the credits go to: ====================== People who have contributed to the current form of this code (in order of appearance, of sorts): Michal Zalewski: initial code and some ideas, p0frep, fingerprints, etc Michael Davis: MSVC++ Windows port John Cartwright: testing, v2 Makefile for SunOS Mike Frantzen: discussions, T0 and Z quirk Jacon Winther: testing, feedback, MacOS X reports Lance Spitzner: useful feedback Rafal Wozniakowski: config reader bugfix Bert Kiers: NetBSD testing, suggestions Timo Sirainen: parser bug fix Sebastian Prause: pppoe on NetBSD fix Cristian Ionescu-Idbohrn: some interesting suggestions Michal Margula: masq threshold Dan Nelson: small p0frep fix rain forest puppy: many signatures Peter Gamache: p0fq fixes Paul Woo: signatures in bulk Michael Bauer: signatures in bulk Ryan Barnett: Solaris testing Kirby Kuehl: Windows port fixes and enhancements! Kevin Currie: p0f on the go. 
Adam Kaufman: FreeBSD build patch Troels Eklund Andersen: MacOS build fixes Radim Kolar: various minor fixes Safari: timestamp fixes and additions Aurelien Jacobs: perl version of p0f query tool Camilo Hernan Viecco: 802.11b fix Zaki Chakib: cygwin tips Gregory Steuck: sprintf fixes GoTaR: masquerade timestamp patch Ryan Kruse: boatloads of -A fingerprints Stas Bekman: p0f.pid support Mike Smith: -e option support Jarno Huuskonen: timezone in chroot() fix Adam Oschowski: harmless vlan bof fix Mariusz Kozlowski: diagnostic queries, p0fping.c and other contributions William Stearns did lots of work that made v1 successful. He does not have any direct contributions to v2 yet, but I hope this will change, until then, this is a honorary mention. We apologize all of you who should be listed here, but are not. If you feel this is the case, please let us know and we will fix this unintentional omission. A countless number of people contributed fingerprints via p0f-help website (ok, more precisely: thousands). Most of them did not provide their names, or requested not to be credited. For those who did, I simply couldn't keep up maintaining the list, and had a hard time deciding who should be credited and who shouldn't. Duplicates, the sheer amount of information provided, data reliability issues... I would still like to recognize people who have contributed a number of signatures, provided some rare fingerprints, or otherwise made a considerable contribution to the database. If you feel you should be listed here, please let me know. p0f/doc/INSTALL.Win320100644000175100017500000000340010074026130013610 0ustar lcamtufusersp0f-WIN32 - (C) 2000-2004 Michael A. Davis Port currently maintained by Kirby Kuehl . About p0f-WIN32 --------------- p0f-win32 has all the capabilities of the UNIX version of p0f with the exception of daemon mode and query answering mode. Installation: ------------- 1. Download and install WinPCAP from http://winpcap.polito.it/. 
NOTE: p0f-win32 has ONLY been tested with WinPCAP Version 3.0.
Davis Kirby Kuehl Kevin Currie Portions contributed by numerous good people - see CREDITS file. http://lcamtuf.coredump.cx/p0f.shtml For a book on some interesting passive fingerprinting tips, see: http://lcamtuf.coredump.cx/silence ********************************************************************* **** HELP WITH P0F DATABASE: http://lcamtuf.coredump.cx/p0f-help **** ********************************************************************* ----------- 0. Contents ----------- This document describes the concept and history of p0f, its command-line options and extensions, and goes into some detail about its operation, integration with existing solutions, and so on. Table of contents: 1) What's this, anyway? 2) Why would I want to use it? 3) What's new then? 4) Command-line 5) Active service integration 6) SQL database integration 7) Masquerade detection 8) Fingerprinting accuracy and precision 9) Adding signatures 10) Security 11) Limitations 12) Is it better than other software? 13) Program no work! 14) Appendix A: Links to OS fingerprinting resources ----------------------- 1. What's this, anyway? ----------------------- The passive OS fingerprinting technique is based on analyzing the information sent by a remote host while performing usual communication tasks - such as whenever a remote party visits your webpage, connects to your MTA - or whenever you connect to a remote system while browsing the web or performing other routine tasks. In contrast to active fingerprinting (with tools such as NMAP or Queso), the process of passive fingerprinting does not generate any additional or unusual traffic, and thus cannot be detected. Captured packets contain enough information to identify the remote OS, thanks to subtle differences between TCP/IP stacks, and sometimes certain implementation flaws that, although harmless, make certain systems quite unique. 
Some additional metrics can be used to gather information about the configuration of a remote system or even its ISP and network setup. The name of the fingerprinting technique might be somewhat misleading - although the act of discovery is indeed passive, p0f can be used for active testing. It is just that you are not required to send any unusual or undesirable traffic, and can rely what you would be getting from the remote party anyway, in the course of everyday, seemingly innocuous chatter. To accomplish the job, p0f equips you with four different detection modes: - Incoming connection fingerprinting (SYN mode, default) - whenever you want to know what the guy or gal who connects to you runs, - Outgoing connection (remote party) fingerprinting (SYN+ACK mode) - to fingerprint systems you or your users connect to, - Outgoing connection refused (remote party) fingerprinting (RST+ mode) - to fingerprint systems that reject your traffic, - Established connection fingerprinting (stray ACK mode) - to examine existing sessions without any needless interference. It is quite difficult to pinpoint who came up with this idea of passive SYN-based OS fingerprinting, though due credit must be given to Craig Smith, Peter Grundl, Lance Spitzner, Shok, Johan, Su1d, Savage, Fyodor and other brave hackers who explored this and related topics in the years 1999 and 2000. P0f was the first (and I believe remains the best) fully-fledged implementation of a set of TCP-related passive fingerprinting techniques. The current version uses a number of detailed metrics, often invented specifically for p0f, and achieves a very high level of accuracy and detail; it is designed for hands-free operation over an extended period of time, and has a number of features to make it easy to integrate it with other solutions. 
Portions of this code are used in several IDS systems, some sniffer software; p0f is also shipped with several operating systems and incorporated into an interesting OpenBSD pf hack by Mike Frantzen, that allows you to filter out or redirect traffic based on the source OS. There is also a beta patch for Linux netfilter, courtesy of Evgeniy Polyakov. In short, p0f is a rather well-established software at this point. ------------------------------ 2. Why would I want to use it? ------------------------------ Oh, a number of uses come to mind: - Profiling / espionage - ran on a server, firewall, proxy or router, p0f can be used to silently gather statistical and profiling information about your visitors, users, or competitors. P0f also gathers netlink and distance information suitable for determining remote network topology, which may serve as a great piece of pre-attack intelligence. - Active response / policy enforcement - integrated with your server or firewall, p0f can be used to handle specific OSes in the most suitable manner and serve most appropriate content; you may also enforce a specific corporate OS policy, restrict SMTP connections to a set of systems, etc; with masquerade detection capabilities, p0f can be used to detect illegal network hook-ups and TOS violations. - PEN-TEST - in the SYN+ACK, RST+, or stray ACK mode, or when a returning connection can be triggered on a remote system (HTML-enabled mail with images, ftp data connection, mail bounce, identd connection, IRC DCC connection, etc), p0f is an invaluable tool for silent probing of a subject of such a test. Masquerade detection in SYN+ACK or RST+ modes can be also used to test for load balancers and so forth. - Network troubleshooting - RST+ mode can be used to debug network connectivity problems you or your visitors encounter. - Bypassing a firewall - p0f can "see thru" most NAT devices, packet firewalls, etc. 
In SYN+ACK mode, it can be used for fingerprinting over a connection allowed by the firewall, even if other types of packets are dropped; as such, p0f is the solution when NMAP and other active tools fail. - Amusement value is also pretty important. Want to know what this guy runs? Does he have a DSL, X.25 WAN hookup, or a shoddy SLIP connection? What's Google crawlbot's uptime? Of course, "a successful [software] tool is one that was used to do something undreamed of by its author" ;-) ------------------- 3. What's new then? ------------------- The original version of p0f was written somewhere in 2000 by Michal Zalewski (that be me), and later taken over William Stearns (circa 2001). The original author still contributed to the code from time to time, and the version you're holding right now is his sole fault - although I'd like William to take over further maintenance, if he's interested. Version 2 is a complete rewrite of the original v1 code. The main reason for this is to make signatures more flexible, and to implement certain additional checks for very subtle packet characteristics to improve fingerprint accuracy. Changes include: NEW CORE CHECKS: - Option layout and count check, - EOL presence and trailing option data [*], - Unrecognized option handling (TTCP, etc), - WSS to MSS/MTU correlation checks [*], - Zero timestamp check, - Non-zero ACK in initial SYN [*], - Non-zero "unused" TCP fields [*], - Non-zero urgent pointer in SYN [*], - Non-zero second timestamp [*], - Zero IP ID in initial packet, - Unusual auxiliary flags, - Data payload in control packets [*], - SEQ number equal to ACK number [*], - Zero SEQ number [*], - Non-empty IP options. [*] denotes metrics "invented" for p0f, as far as I am concerned. Other metrics were discussed by certain researchers before, although usually not implemented anywhere. A detailed discussion of all checks performed by p0f can be found in the introductory comments in p0f.fp, p0fa.fp and p0fr.fp. 
As a matter of fact, some of the metrics were so precise I managed to find several previously unknown TCP/IP stack bugs :-) See doc/win-memleak.txt and p0fr.fp for more information. ENGINE IMPROVEMENTS: - Major performance boost - no more runtime signature parsing, added BPF pre-filtering, signature hash lookups. All this to make p0f suitable for being run on high-throughput devices, - Advanced masquerade detection for policy enforcement (ISPs, corporate networks), - Modulo and wildcard operators for certain TCP/IP parameters to make it easier to come up with generic last chance signatures for systems that tweak settings notoriously (think Windows), - Auto-detection of DF-zeroing firewalls, - Auto-detection of MSS-tweaking NAT and router devices, - Media type detection based on MSS, with a database of common link types, - Origin network detection based on unusual ToS / precedence bits, - Ability to detect and skip ECN option when examining flags, - Better fingerprint file structure and contents - all fingerprints are rigorously reviewed before being added. - Generic last-chance signatures to cover general OS characteristics, - Query mode to enable easy integration with third party software - p0f caches recent fingerprints and answer queries for src-dst combinations on a local stream socket in a easy to parse form, - Usability features: greppable output option, daemon mode, host name resolution option, promiscuous mode switch, built-in signature collision detector, ToS reporting, full packet dumps, pcap dump output, etc, - Brand new SYN+ACK, RST+ and stray ACK fingerprinting modes for silent identifications of systems you connect to the usual way (web browser, MTA), or even systems you cannot connect to at all; now also with RST+ACK flag and value validator. - Fixed WSCALE handling in general, and WSS passing on little-endian, many other bug-fixes and improvements of the packet parser (including some sanity checks). 
- Fuzzy checks option when no precise matches are found (limited). - VLAN support. Sadly, this will break all compatibility with v1 signatures, but it's well worth it. --------------- 4. Command-line --------------- P0f is rather easy to use. There's a number of options, but you don't need to know most of them for normal operation: p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket [ -0 ] ] [ -w file ] [ -u user ] [ -c size ] [ -T nn ] [ -e nn ] [ -FNODVUKAXMqxtpdlRL ] [ 'filter rule' ] -f file - read fingerprints from file; by default, p0f reads signatures from ./p0f.fp or /etc/p0f/p0f.fp (the latter on Unix systems only). You can use this to load custom fingerprint data. Specifying multiple -f values will NOT combine several signature files together. -i device - listen on this device; p0f defaults to whatever device libpcap considers to be the best (and which often isn't). On some newer systems you might be able to specify 'any' to listen on all devices, but don't rely on this. Specifying multiple -i values will NOT cause p0f to listen on several interfaces at once. -s file - read packets from tcpdump snapshot; this is an alternate mode of operation, in which p0f reads packet from pcap data capture file, instead of a live network. Useful for forensics (this will parse tcpdump -w output, for example). You can use Ethereal's text2pcap to convert human-readable packet traces to pcap files, if needed. -w file - writes matching packets to a tcpdump snapshot, in addition to fingerprinting; useful when it is advisable to save copies of the actual traffic for review. -o file - write to this logfile. This option is required for -d and implies -t. -Q socket - listen on a specified local stream socket (a filesystem object, for example /var/run/p0f-sock) for queries. One can later send a packet to this socket with p0f_query structure from p0f-query.h, and wait for p0f_response. 
This is a method of integrating p0f with active services (web server or web scripts, etc). P0f will still continue to report signatures the usual way - but you can use -qKU combination to suppress this. Also see -c notes. A sample query tool (p0fq) is provided in the test/ subdirectory. There is also a trivial perl implementation of a client available; finally, test/p0fping.c can be used to check the status of the socket prior to queries. NOTE: The socket will be created with permissions corresponding to your current umask. If you want to restrict access to this interface, use caution. This option is currently Unix-only. -0 (In conjunction with -Q) Treat source port 0 in queries as a wildcard. This is useful when p0f query is constructed from within a plugin to a program that does not provide source port information (this holds true for some mail filters, etc). Note that some ambiguity is introduced: the response might not refer to the exact connection the plugin is handling, which may (seldom) cause misidentification of NATed hosts. -e ms - packet capture window. On some systems (particularly on older Suns), the default pcap capture window of 1 ms is insufficient, and p0f may get no packets. In such a case, adjust this parameter to the smallest value that results in reliable operation (note that this might introduce some latency to p0f). -c size - cache size for -Q and -M options. The default is 128, which is sane for a system under a moderate network load. Setting it too high will slow down p0f and may result in some -M false positives for dial-up nodes, dual-boot systems, etc. Setting it too low will result in cache misses for -Q option. To choose the right value, use the number of connections on average per the interval of time you want to cache, then pass it to p0f with -c. P0f, when run without -q, also reports average packet ratio on exit. You can use this to determine the optimal -c setting. This option has no effect if you do not use -Q nor -M. 
-u user - this option forces p0f to chroot to this user's home directory after reading configuration data and binding to sockets, then to switch to his UID, GID and supplementary groups. This is a security feature for the paranoid - when running p0f in daemon mode, you might want to create a new unprivileged user with an empty home directory, and limit the exposure when p0f is compromised. That said, should such a compromise occur, the attacker will still have a socket he can use for sniffing some network traffic (better than rm -rf /). This option is Unix-only. -N - inhibit guesswork; do not report distances and link media. With this option, p0f logs only source IP and OS data. -F - deploy fuzzy matching algorithm if no precise matches are found (currently applies to TTL only). This option is not recommended for RST+ mode. -D - do not report OS details (just genre). This option is useful if you don't want p0f to elaborate on OS versions and such (combine with -N). -U - do not display unknown signatures. Use this option if you want to keep your log file clean and are not interested in hosts that are not recognized. -K - do not display known signatures. This option is useful when you run p0f recreationally and want to spot UFOs, or in -Q or -M modes when combined with -U to inhibit all output. -q - be quiet - do not display banners and keep low profile. -p - switch card to promiscuous mode; by default, p0f listens only to packets addressed or routed thru the machine it runs on. This setting might decrease performance, depending on your network design and load. On switched networks, this usually has little or no effect. Note that promiscuous mode on IP-enabled interfaces can be detected remotely, and is sometimes not welcome by network administrators. -t - add human-readable timestamps to every entry (use multiple times to change date format, a la tcpdump). -d - go into daemon mode (detach from current terminal and fork into background). Requires -o. 
-l - outputs data in line-per-record style (easier to grep). -A - a semi-supported option for SYN+ACK mode. This option will cause p0f to fingerprint systems you connect to, as opposed to systems that connect to you (default). With this option, p0f will look for p0fa.fp file instead of the usual p0f.fp. The usual config is NOT SUITABLE for this mode. The SYN+ACK signature database is sort of small at the moment, but suitable for many uses. Feel free to contribute. -R - a barely-supported option for RST+ mode. This option will prompt p0f to fingerprint several different types of traffic, most importantly "connection refused" and "timeout" messages. This mode is similar to SYN+ACK (-A), except that the program will now look for p0fr.fp. The usual config is NOT SUITABLE for this mode. You may have to familiarize yourself with p0fr.fp before using it. -O - absolutely experimental open connection (stray ACK) fingerprinting mode. In this mode, p0f will attempt to indiscriminately identify OS on all packets within an already established connection. The only use of this mode is to perform an immediate fingerprinting of an existing session. Because of the sheer amount of output, you are advised against running p0f in this mode for extended periods of time. The program will use p0fo.fp file to read fingerprints. The usual config is NOT SUITABLE for this mode. Do not use unless you know what you are doing. NOTE: The p0fo.fp database is very sparsely populated at the moment. -r - resolve host names; this mode is MUCH slower and poses some security risk. Do not use except for interactive runs or low traffic situations. NOTE: the option ONLY resolves IP address into a name, and does not perform any checks for matching reverse DNS. Hence, the name may be spoofed - do not rely on it without checking twice. -C - perform collision check on signatures prior to running. This is an essential option whenever you add new signatures to .fp files, but is not necessary otherwise. 
-L - list all network interfaces. This option is Windows-only. -x - dump full packet contents; this option is not compatible with -l and is intended for debugging and packet comparison only. -X - display packet payload; rarely, control packets we examine may carry a payload. This is a bug for the default (SYN) and -A (SYN+ACK) modes, but is (sometimes) acceptable in -R (RST+) mode. -M - deploy masquerade detection algorithm. The algorithm looks over recent (cached) hits and looks for indications of multiple systems being behind a single gateway. This is useful on routers and such to detect policy violations. Note that this mode is somewhat slower due to caching and lookups. Use with caution (or do not use at all) in modes other than default (SYN). -T nn - masquerade detection threshold; only meaningful with -M, sets the threshold for masquerade reporting. -V - use verbose masquerade detection reporting. This option describes the status of all indicators, not only an overall value. -v - enable support for 802.1Q VLAN tagged frames. Available on some interfaces, on other, will result in BPF error. The last part, 'filter rule', is a bpf-style filter expression for incoming packets. It is very useful for excluding or including certain networks, hosts, or specific packets, in the logfile. See man tcpdump for more information, few examples: 'src port ftp-data' 'not dst net 10.0.0.0 mask 255.0.0.0' 'dst port 80 and ( src host 195.117.3.59 or src host 217.8.32.51 )' The baseline rule is to select only TCP packets with SYN set, no RST, no ACK, no FIN (SYN, ACK, no RST, no FIN for -A mode; RST, no FIN, no SYN for -R mode; ACK, no SYN, no RST, no FIN for stray ACK mode). You cannot make the rule any broader (without cheating ;), the optional filter expression can only narrow it down. You can also use a companion log report utility for p0f. Simply run 'p0frep' for help. ----------------------------- 5. 
Active service integration ----------------------------- In some cases, you want to feed the p0f output to a specific application to take certain active measures based on the operating system (handle specific visitors differently, block some unwanted OSes, optimize the content served). As mentioned earlier, OpenBSD users can simply use the pf OS fingerprinting implementation, a cool functionality coded by Mike Frantzen and based on p0f methodology and signature database. This software allows them to redirect or block OSes any way they want. Linux netfilter users can also check out patches by Evgeniy Polyakov to get roughly the same stuff. In other setups, or if you do not feel like fiddling with the kernel, you want to use the -Q option, and then query p0f by connecting to a specific local stream socket and sending a single packet with p0f_query struct (p0f-query.h), and receiving p0f_response. P0f, when running in -Q mode, will cache a number of last OS matches, and when queried for a specified host and port combination, will return what it detected. Check test/p0fq.c for a clean example. The query structure (p0f_query) has the following fields (all values, addresses and port numbers are in machine's native endian): magic - must be set to QUERY_MAGIC, id - query ID, copied literally to the response, type - query type (must be QTYPE_FINGERPRINT) src_ad - source address, dst_ad - destination address, src_port - source port, dst_port - destination port. 
The response (p0f_response) is as follows: magic - must be set to QUERY_MAGIC, id - copied from the query, type - RESP_OK, RESP_BADQUERY (error), RESP_NOMATCH (cache miss), genre[20] - OS genre, zero length if no match, detail[40] - OS version, zero length if no match, dist - distance, -1 if unknown, link[30] - link type description, zero length if unknown, tos[30] - ToS information, zero length if unknown, fw,nat - firewall and NAT flags, if spotted, real - "real" OS versus userland stack, score - masquerade score (or NO_SCORE), see next section, mflags - exact masquerade flags (D_*), see next section. There's also a special type of queries, where type = QTYPE_STATUS, and subsequent fields are irrelevant (should be zero); this returns a different structure: magic - must be set to QUERY_MAGIC, id - copied from the query type - must be set to RESP_STATUS (or RESP_BADQUERY on error) version[16] - p0f version mode - p0f mode (ASCII character, same as in command-line options) fp_cksum - checksum of the fingerprint file for versioning purposes cache - cache size packets - total number of packets analyzed matched - total number of OSes recognized queries - total number of queries handled cmisses - cache misses (for cache size debugging) uptime - process uptime in seconds The connection is one-shot. Always send the query and recv the response immediately after connect - p0f handles the connection in a single thread, and you are blocking other applications (until timeout, that is, the timeout is defined as two seconds in config.h). As of today, there is no way to integrate p0f with other programs as a packet-parsing library. It would be trivial to implement this, but there are no volunteers at the moment :-) --------------------------- 6. SQL database integration --------------------------- At the very moment, p0f does not feature built-in database connectivity, although I am looking for a willing contributor to take care of it. 
In the meantime, however, you may use p0f_db utility authored by Nerijus Krukauskas: http://nk.puslapiai.lt/projects/p0f_db/ Jonas Eckerman has some tools to make it easier to move p0f output from one system to another, and then to run basic visualization: http://whatever.frukt.org/p0f-stats.shtml ----------------------- 7. Masquerade detection ----------------------- Masquerade detection (-M) works by looking at the following factors for all known signatures that belong to real operating systems (and not userland tools such as scanners): - Differences in OS fingerprints for the same IP: -3 if the same OS +4 if different signature for the same OS genre +6 if different OS genres - NAT and firewall flags set: +4 if NAT flags differ for the same signature +4 if fw flags differ for the same signature +1 per each NAT and fw flag if signatures differ (max. 4) - Link type differences: +4 if media type differs - Distance differences: +1 if host distance differs - Timestamp scoring, if timestamps available: -1 if timestamp delta within MAX_TIMEDIF (config.h) +1 if timestamp delta past MAX_TIMEDIF +2 if timestamp delta negative (!) - Time from the previous occurrence: /2 if more than half the cache size to the previous occurrence The final score is reported as score * 200 / 25 (25 being the highest score possible) and reported as a percentage. The higher the value, the more likely the result is accurate. Since the situation when all indicators are up is rather unrealistic, the multiplier is 200, not 100, and you can get over 100% match ;-) Everything above 0% should be looked at, over 20% is usually a sure bet. You can configure the reporting of matches by setting the threshold to a value different than zero with -T switch. -T 10 might be a good idea. If you're looking at a local network, you can define DIST_EXTRASCORE to score distance differences much higher - it is unlikely for a local LAN to shrink or grow, but it's not uncommon for routing over the Internet to change. 
If you are unhappy with the scoring algorithm and do not want to modify the sources, you can use -V option to report the status of every masquerade indicator. In conjunction with -l, -V can be used to grep for the precise set of signatures you're interested in. Every hit is prefixed with ">> ". Combine -M, -K and -U to report masquerade hits only (but it is recommended to still dump packets with -w to be able to examine the evidence later on). A good example: p0f -M -K -U -w evidence.bin -c 500 -l -V 'not src host my_ip' A quick demo: 192.165.38.73:20908 - OpenBSD 3.0-3.4 (up: 836 hrs) -> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN) 192.165.38.73:21154 - Linux 2.4/2.6 (NAT!) (up: 173 hrs) -> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN) 192.165.38.73:22003 - Windows XP Pro SP1, 2000 SP3 (NAT!) -> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN) >> Masquerade at 192.165.38.73: indicators at 69%. That was quite evident. 194.68.64.2:49030 - Windows 2000 SP2+, XP SP1 -> 217.8.32.51:80 (distance 10, link: ethernet/modem) 194.68.64.2:52942 - Windows 2000 SP4, XP SP1, patched 98 -> 217.8.32.51:80 (distance 12, link: ethernet/modem) >> Masquerade at 194.68.64.2: indicators at 43%. The host has a name of gateway.vlt.se, so once again, a good hit. Verbose output looks like this: >> Masquerade at 216.88.158.142/crawlers.looksmart.com: indicators at 26%. Flags: OS -far In this case, we have two different OSes (OS), but the time between two occurrences is long enough to lower the score (-far). 
All -V flags are: OS - different OS genres VER - different OS versions LINK - link type difference DIST - distance differences xNAT - NAT flags differ (same OS match) xFW - FW flags differ (same OS match) NAT1, NAT2 - NAT flags set (different OSes) FW1, FW2 - FW flags set (different OSes) FAST - timestamp delta too high TNEG - timestamp delta negative -time - timestamp delta within the norm -far - distant occurrences Because the score is cumulative, it is possible to have mutually exclusive flags set (e.g xNAT and NAT1) whenever more than two signatures were taken into account when calculating the score. Masquerade status and flags can be also retrieved via the query interface, as noted in the section above. The functionality depends on keeping the fingerprint database clean and prefixing non-OS fingerprints (nmap, other scanner tools, application-induced TCP/IP stack behavior) with - prefix. Those fingerprints, as well as all the UNKNOWNs, are not used for masquerade detection. Note that a single host can be reported many times. The system reports immediately, but later on, the host might score higher once new data arrives, and p0f will post a "correction" with a new, higher ranking. Use the highest result for a specific host, but also observe the consistency of subsequent results. The solution uses a cyclic buffer also used in -Q mode (and affected by -c parameter). You should set the value to cache not more than an hour of traffic (and no less than a minute). Calculate the number of connections on average per the interval of time you wish to cache, then pass the value to p0f with -c. Setting -c too high will result in false positives for dial-up nodes or multiboot systems (of course, you sometimes want to detect the latter, too). Setting it too low may miss some cases. The code detects NAT devices that do not rewrite packets (almost all packet firewalls). Ones that do rewrite packets (proxy firewalls) can, on the other hand, be detected by their own signatures. 
Masquerade detection will fail if all systems masqueraded have an identical configuration and network setup, uptimes and network usage (which is very unlikely, even in a homogeneous environment). A prerequisite for detection is that the systems are used at (roughly) the same time, within the cache time frame. NOTE: The detector is most reliable and sensitive in the default (SYN) mode, and scores are adjusted to work well there; in other fingerprinting modes, your mileage may vary. You can try to combine -M with -A (masquerade detection on systems you connect to), which is only really useful for detecting load balancers and other setups that map a single address to several servers; or with -R, which can be used both for detecting load balancers (RST) and normal incoming masquerade detection (RST+ACK), although it's naturally less reliable and sensitive. Using -M with -O is weird, but regrettably not prosecuted. ---------------------------------------- 8. Fingerprinting accuracy and precision ---------------------------------------- Version 2 uses some more interesting TCP/IP packet metrics, and should be inherently more accurate and precise. We also try to use common sense when adding and importing signatures, which should be a great reliability boost. More obscure modes, such as RST+ or stray ACK, may and will be inherently less accurate or reliable - see section 10 for more details - but are still far more sane than p0f v1. Link type identification is not particularly reliable, as some users tend to mess with their default MTUs for better (or worse ;-) performance. For most systems, it will be accurate, but if you see an unlikely value reported, just deal with it. Uptime detection is also of an amusement value. Some newly released systems tend to multiply timestamp data by 10 or have other clocking algorithms. The current version of p0f does not support those differences over the entire database. 
I will try to fix it; until then, those boxes will have an artificially high uptime. NAT detection is merely an indication of MSS being tweaked at some point. Most likely, the reason for this is indeed a NATing router, but there are some other explanations. Linux, for example, tends to mix up MTUs from different interfaces in certain scenarios (when, I'm not sure, but it's common and is probably a bug), and if you see a Linux box tagged as "NAT", it does not have to be NATed - it might simply have two network interfaces. P0f can still be a useful NAT detection tool (you can examine changing distances and OS matches for a specific host, too), simply don't rely on this flag alone. If you see link type identified as unknown-XXXX, try to Google for "mtu XXXX". If you find something reasonable, you might want to update mtu.h and recompile p0f, and submit this information to me. Keep in mind some MTU settings are just arbitrary and do not have to mean a thing. P0f also tries to recognize some less popular combinations of precedence bits, type of service and so-called "must be zero" bit in TCP headers to detect certain origin ISPs. Many DSL and cable operators, particularly in Europe, tend to configure their routers in fairly unique ways in this regard. This, again, is purely of an amusement value. See tos.h for more information. P0f will never be as precise as NMAP, simply because it has to rely on what the host sends by itself, and can't check how it responds to "invalid" or tweaked packets. On the other hand, in the times of omnipresent personal and not quite personal firewalls and such, p0f can often help where NMAP is confused. Just like with any fingerprinting utility, active or passive, it is possible to change TCP/IP stack settings to either avoid identification, or appear as some other system - although some of the changes might require kernel-space hacking. There are no publicly available anti-p0f tools yet, although I expect them to appear at some point. 
-------------------- 9. Adding signatures -------------------- To avoid decreasing reliability of the database, you MUST read the information provided at the beginning of p0f.fp carefully before touching it in any way! If you are fiddling with p0fa.fp, p0fr.fp or p0fo.fp, read all comments in those files IN ADDITION to the contents of p0f.fp. Those files provide a good technical primer, and document the format and subtleties of all the fingerprints. If you stumble upon a new signature, do consider submitting it to lcamtuf@coredump.cx, wstearns@pobox.com, or connecting from the system to http://lcamtuf.coredump.cx/p0f-help/. We will be happy to incorporate this signature in the official release, and can help you make your signature more accurate. The less popular the system is, the more valuable the signature; we have the mainstream covered quite well. Be sure to run p0f -C after making any additions. This will run a collision checker and warn about shadowed or possibly incorrect signatures. This happens more often than you'd think. The same applies to p0fa.fp, p0fr.fp and p0fo.fp files. You need to run p0f -A -C, p0f -R -C or p0f -O -C to verify their contents. Rest assured, you will sooner or later find something really surprising. You can look at tmp/ to see a current list of mysteries I've stumbled upon. The museum at http://lcamtuf.coredump.cx/mobp/ lists some other funky cases. By all means, I'd like to hear about other UFO sightings! ------------ 10. Security ------------ Running p0f as a daemon should pose a fairly low risk, compared to tcpdump or other elaborate packet parsers (Ettercap, Ethereal, etc). P0f does not attempt anything stupid, such as parsing tricky high-level protocols. There is a slight risk I screwed up something with the option parser or such, but this code should be very easy to audit. If you do not feel too comfortable, you can always use the -u option, which should mitigate the risk. 
General security precautions for operating p0f: - Do not make p0f setuid, setgid or otherwise privileged when the caller isn't. Running it via sudo for users you do not trust entirely is also a so-so idea. - Do not use the -r option unless absolutely necessary, and only for short and supervised runs. The option pulls in bloated, potentially flawed libc DNS-handling code, and has DoS potential. - When running in -Q mode, make sure the query socket has correct permissions, either by setting umask beforehand or by calling chmod/chown after launching p0f - that is, unless you see no problem with your users querying p0f, which isn't a great threat to humanity. - Do not use world-writable directories for keeping the socket. Do not use world-writable directories for output files or configuration. Come to think about it, don't use world-writable directories for any purpose. - Don't panic. --------------- 11. Limitations --------------- There are several generic and some specific limitations as to what passive fingerprinting and p0f can achieve. Proxy firewalls and other high-level proxy devices are not transparent to any TCP-level fingerprinting software. The device itself will be fingerprinted, not actual source hosts. There is some software that lets you perform application fingerprinting; this isn't it. Some packet firewalls configured to normalize outgoing traffic (OpenBSD pf with "scrub" enabled, for example) will, well, normalize packets. Those signatures will not correspond to the originating system, and probably not quite to the firewall either. Checkpoint firewall, in a fairly lame attempt to defeat OS fingerprinting, tweaks IP ID and TTL on outgoing packets; if you want to work around this problem, run p0f with -F option. In default mode, in order to obtain the information required for fingerprinting, you have to receive at least one SYN packet initiating a TCP connection to your machine or network. 
Note: you don't have to respond to this particular SYN, and it's perfectly fine to respond with RST. For SYN+ACK fingerprinting, you must be able to connect to at least one open port on the target machine to actually get SYN+ACK packet. You do not need any other ports, or the ability to send awkward, multiple or otherwise suspicious packets to the remote host (unlike with NMAP). Also note that SYN+ACK fingerprints are somewhat affected by the initial SYN on some systems. If you cannot establish a connection, but the remote party at least sends you RST+ACK back ("Connection refused"), you can use RST+ mode of p0f (-R option), but be aware this mode is inherently less accurate and reliable, mostly because systems usually don't bother with putting any options in those packets, and they all look very similar. SYN+ACK fingerprinting is considered (by me) to be less accurate and sometimes dependent on the system that initiates the connection. Same goes for (again, experimental!) stray ACK fingerprinting. RST+ fingerprinting mode, on the other hand, is fairly reliable, but far less precise. This is why I put stress on developing the SYN fingerprinting capability - but SYN+ACK, RST+ and stray ACK database contributions and tricks are of course very welcome. Fingerprinting on a fully established (existing) TCP connection is now supported by p0f (since version 2.0.5), but the database contains very few entries, and the accuracy and applicability of this mode is not yet well established. Be prepared for this mode to produce excessive amounts of logs. What I'll be trying to do is to integrate a number of fingerprinting techniques, currently completely separate (SYN, SYN+ACK, ACK, FIN, RST, retransmission timing, etc) into a single solution for very high accuracy. But this is perhaps p0f 3.0. ------------------------------------- 12. Is it better than other software? ------------------------------------- Depends on what you need. 
As I said before, p0f is fast, lightweight, low-profile. It can be integrated with other services. It has clean and simple code, runs as a single thread and uses very little CPU power, works on a number of systems (Linux, BSD, Solaris and probably others), has a pretty detailed and accurate fingerprint database. Quite frankly, I doubt there is a program that offers better overall functionality or accuracy when it comes to passive fingerprinting, but I would not be surprised to be proved wrong one day. In other words, feel free to explore alternatives. Of the ones I know... is it better than Siphon? Yes. Ettercap? Yes, version 2 is better than v1-derived fingerprinting in Ettercap. Besides, it's simply different, and intended for a different range of applications. Version 1 of p0f did implement many novel fingerprinting metrics that were later incorporated in other software, but so did version 2 - and others are yet to catch up. As to other "current" utilities, you can use masqdet by Wojtek Kaniewski as an alternative to p0f -M mode. On the web, you can also stumble upon "n0t" and "natdet" utilities authored by a guy going by the nickname r3b00t, but these are just dumbed-down and inherently less reliable rip-offs closely inspired by p0f code. Your mileage may vary, but I recommend that you avoid them: they won't work any better. -------------------- 13. Program no work! -------------------- Whoops. We apologize. P0f requires the following to compile and run fine: - libpcap 0.4 or newer - GNU C Compiler 2.7.x or newer - GNU make 3.7x or newer, or BSD make - GNU bash / awk / grep / sed / textutils (for p0frep only) For the Windows port requirements and instructions, please read the INSTALL.Win32 file. Not every platform is supported by p0f, and compilation problems do happen. Please let us know if you have any problems (or, better yet, managed to find a solution). 
If you find a system that is either not recognized, or is fingerprinted incorrectly, please do not downplay this and let us know. Platforms known to be working fine (regression tests not done on a regular basis, though): - NetBSD - FreeBSD - OpenBSD - MacOS X - Linux (2.0 and up) - Solaris (2.6 and up) - Windows (see INSTALL.Win32) - AIX (you need precompiled BULL libpcap) If p0f compiles and runs, but displays "unknown datalink" or "bad header_len" warnings, it is likely that your network interface type is not (yet) recognized. Let us know, it is easy to fix that once and for all users. ---------------------------------------- 14. Links to OS fingerprinting resources ---------------------------------------- Recommended RFC reading: http://www.faqs.org/rfcs/rfc793.html - TCP/IP specification http://www.faqs.org/rfcs/rfc1122.html - TCP/IP tutorial http://www.faqs.org/rfcs/rfc1323.html - performance extensions http://www.faqs.org/rfcs/rfc1644.html - T/TCP extensions http://www.faqs.org/rfcs/rfc2018.html - TCP/IP selective ACK Practical information: Active ICMP fingerprinting: http://www.sys-security.com/html/papers.html Passive OS fingerprinting basics: http://project.honeynet.org/papers/finger/ http://www.linuxjournal.com/article.php?sid=4750 THC Amap, application fingerprinting: http://www.thc.org/releases.php Hmap, web server fingerprinting: http://wwwcsif.cs.ucdavis.edu/~leed/hmap/ Fyodor's NMAP, the active fingerprinter: http://www.nmap.org User-Agent information: http://www.siteware.ch/webresources/useragents/db.html Ident fingerprinting: http://www.team-teso.net/data/ldistfp-auth-fingerprints Other free tools known to have passive OS fingerprinting: P0f-based: http://ettercap.sourceforge.net/ - Ettercap (p0f v1) http://prelude-ids.org - Prelude IDS (p0f v1) http://www.w4g.org/fingerprinting.html - OpenBSD pf (p0f v2.0.1) http://cvs.netfilter.org/~checkout~/netfilter/patch-o-matic//base/osf.patch - Linux netfilter (p0f v2.0) http://www-nrg.ee.lbl.gov/bro.html - 
Vern Paxson's / Holger Dreger's NIDS (p0f v2.0) http://r3b00t.itsec.pl/ - n0t and natdet (ripped off, AFAICT) Independent codebase: http://www.raisdorf.net/projects/pfprintd - pfprintd http://siphon.datanerds.net - Siphon (very out of date) http://members.fortunecity.com/sektorsecurity/projects/archaeopteryx.html (Siphon w/GUI) http://toxygen.net/misc/ - masqdet (NAT detection only) p0f/doc/TODO0100644000175100017500000000124410404107115012352 0ustar lcamtufusers ================================================================ You can help - please visit http://lcamtuf.coredump.cx/p0f-help/ ================================================================ Paradise is exactly like where you are right now... only much, much better. - Check TCP and IP checksums, would you? - Allow listening on multiple interfaces. - Solve tmp/ mysteries, - Some more SYN+ACK and RST+ signatures, - Add timestamp multipliers. - Add "skip dupes" option (cache is already there); until then, pipe p0f through uniq if you must. - Towards cummulative fingerprinting: SYN, SYN+ACK, RST+, FIN+, retransmit timing. p0f/doc/win-memleak.txt0100644000175100017500000001173107735261672014661 0ustar lcamtufusers Topic: Windows setting URG value on certain SYN and RST packets Status: SOLVED This is a description of a mysterious Windows URG problem I've noticed a while ago, while working on p0f. It turned out to be memory leak, and Microsoft have acknowledged the problem. ---- FIRST MAIL ---- Date: Tue, 2 Sep 2003 14:09:08 +0200 (CEST) From: Michal Zalewski To: vuln-dev@securityfocus.com Cc: vulndiscuss@vulnwatch.org Subject: certain versions of Windows XP leaking memory in TCP packets? Hello list, While writing the new version of my passive oS fingerprinting tool, p0f (no, this time, it's not a shameless plug), I was trying to come up with a number of new metrics that can be used for this purpose. 
One of the ideas was to look for glitches such as non-zero values in sections of the packet that are irrelevant and should be zeroed, in particular the ACK value in SYN packets with no ACK flag set, and URG pointer in SYN packets with no URG flag set. This and several other "quirk checks" turned out to be quite useful. I kept running p0f on one of the servers, and found out there is a sizable (but minority) population of what looks like Windows XP systems that appear to be setting URG pointer in SYN packets with no URG flag to values that seemed to be random (whereas other devices that had this "feature", were using a fixed value, such as 0xcccc), but sometimes repeated in two subsequent connections from the same source. Quite unfortunately, none of those machines ever visited my signature submission page at http://lcamtuf.coredump.cx/p0f-help/, so I do not have any detailed configuration information and couldn't perform more detailed checks, so I'm just posting it here for your consideration and eventual testing. Here's a sample (observe URG value): A:3827 - Windows XP (2) (PLEASE REPORT!) [GENERIC] Signature: [16384:119:1:48:M1460,N,N,S:U:Windows:?] -> server:80 (distance 9, link: ethernet/modem) -- EXTRA TCP VALUES: ACK=0x0, UNUSED=0, URG=0x819e A:3829 - Windows XP (2) (PLEASE REPORT!) [GENERIC] Signature: [16384:119:1:48:M1460,N,N,S:U:Windows:?] -> server:80 (distance 9, link: ethernet/modem) -- EXTRA TCP VALUES: ACK=0x0, UNUSED=0, URG=0xdc19 A:3830 - Windows XP (2) (PLEASE REPORT!) [GENERIC] Signature: [16384:119:1:48:M1460,N,N,S:U:Windows:?] -> server:80 (distance 9, link: ethernet/modem) -- EXTRA TCP VALUES: ACK=0x0, UNUSED=0, URG=0x8158 A:3833 - Windows XP (2) (PLEASE REPORT!) [GENERIC] Signature: [16384:119:1:48:M1460,N,N,S:U:Windows:?] Signature: [16384:119:1:48:M1460,N,N,S:U:Windows:?] 
-> server:80 (distance 9, link: ethernet/modem) -- EXTRA TCP VALUES: ACK=0x0, UNUSED=0, URG=0x8158 Now, my immediate quess would be that this Windows box is leaking the contents of some previously sent packets by not zeroing the buffer used to construct a new packet completely. It's less likely, but not impossible, that this URG value is set by some network device or is not related to the previous packet. Any ideas? Or perhaps you have any XP boxes to point to http://lcamtuf.coredump.cx/p0f-help or https://coredump.cx:443/~lcamtuf/p0f-help/ to submit configuration details and help me find out which systems are affected and why? Thanks, -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2003-09-02 13:26 -- ---- SECOND MAIL ---- Date: Wed, 17 Sep 2003 11:17:16 +0200 (CEST) From: Michal Zalewski To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org Cc: full-disclosure@netsys.com Subject: Windows URG mystery solved! I finally have more details about the Windows URG pointer memory leak, first reported here: http://www.securityfocus.com/archive/82/335845/2003-08-31/2003-09-06/0 It is a vulnerability. After a long and daunting hunt, I have determined that pretty much all up-to-date Windows 2000 and XP systems are vulnerable to the problem, and that it is not caused by any network devices en route or such, but the issue is present only in certain conditions. I have initially reported I see a minority population of systems exhibiting this pattern. It turns out the majority of population is vulnerable, simply not exhibiting this behavior all the time. It is exhibited whenever a data transfer is occuring at the time the initial SYN is sent. The URG value would often contain a random piece of a packet (frequently data) belonging to the other connection. This happens during regular browsing, and will also be triggered by background downloads, etc. 
I do not want to exaggerate the impact of this vulnerability, the amount of data disclosed is fairly low, but it's still quite cool. Cheers, -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2003-09-17 10:44 -- p0f/fpentry.h0100644000175100017500000000323010404100330012742 0ustar lcamtufusers/* p0f - fingerprint entry ----------------------- No servicable parts inside. Copyright (C) 2003-2006 by Michal Zalewski */ #ifndef _HAVE_FPENTRY_H #define _HAVE_FPENTRY_H #include "types.h" #include "config.h" #define MOD_NONE 0 #define MOD_CONST 1 #define MOD_MSS 2 #define MOD_MTU 3 #define QUIRK_PAST 0x00000001 /* P */ #define QUIRK_ZEROID 0x00000002 /* Z */ #define QUIRK_IPOPT 0x00000004 /* I */ #define QUIRK_URG 0x00000008 /* U */ #define QUIRK_X2 0x00000010 /* X */ #define QUIRK_ACK 0x00000020 /* A */ #define QUIRK_T2 0x00000040 /* T */ #define QUIRK_FLAGS 0x00000080 /* F */ #define QUIRK_DATA 0x00000100 /* D */ #define QUIRK_BROKEN 0x00000200 /* ! */ #define QUIRK_RSTACK 0x00000400 /* K */ #define QUIRK_SEQEQ 0x00000800 /* Q */ #define QUIRK_SEQ0 0x00001000 /* 0 */ struct fp_entry { _u8* os; /* OS genre */ _u8* desc; /* OS description */ _u8 no_detail; /* Disable guesstimates */ _u8 generic; /* Generic hit */ _u8 userland; /* Userland stack */ _u16 wsize; /* window size */ _u8 wsize_mod; /* MOD_* for wsize */ _u8 ttl,df; /* TTL and don't fragment bit */ _u8 zero_stamp; /* timestamp option but zero value? */ _u16 size; /* packet size */ _u8 optcnt; /* option count */ _u8 opt[MAXOPT]; /* TCPOPT_* */ _u16 wsc,mss; /* value for WSCALE and MSS options */ _u8 wsc_mod,mss_mod; /* modulo for WSCALE and MSS (NONE or CONST) */ _u32 quirks; /* packet quirks and bugs */ _u32 line; /* config file line */ struct fp_entry* next; }; #ifdef IGNORE_ZEROID # undef QUIRK_ZEROID # define QUIRK_ZEROID 0 #endif /* IGNORE_ZEROID */ #endif /* ! 
_HAVE_FPENTRY_H */ p0f/Makefile0100644000175100017500000000047110472323640012566 0ustar lcamtufusers# # p0f - dummy makefile # -------------------- # # Just for convenience. # # (C) Copyright 2000-2006 by Michal Zalewski # all: ./Build $@ static: ./Build $@ clean: ./Build $@ publish: ./Build $@ p0fq: ./Build $@ p0fping: ./Build $@ tools: ./Build $@ install: ./Build $@ p0f/mk/0040755000175100017500000000000010472323602011534 5ustar lcamtufusersp0f/mk/AIX0100644000175100017500000000252710472324335012107 0ustar lcamtufusers# # p0f - AIX Makefile # ------------------ # # You need precompiled BULL libpcap for this. # # (C) Copyright 2000-2006 by Michal Zalewski # CC = gcc LIBS = -L/usr/local/include -DUSE_BPF=\"${USE_BPF}\" CFLAGS = -O3 -Wall -lpcap -I/usr/include/pcap -I/usr/local/include/pcap \ -I/usr/local/include FILE = p0f TOOLS = test/sendack test/sendack2 test/sendsyn all: $(FILE) @echo ">> You can also try 'make p0fq' to compile a sample query" @echo ">> client (see README for more information)." static: $(FILE)-static $(FILE): $(FILE).c @echo "WARNING: You need precompiled standard libpcap libraries (from BULL" @echo "or such) to compile p0f on AIX. Bundled IBM-modified libraries will" @echo "not work properly." $(CC) $(CFLAGS) -o $@ $(FILE).c $(FILE)-query.c crc32.c $(LIBS) $(FILE)-static: $(FILE).c $(CC) -static $(CFLAGS) -o $@ $(FILE).c $(FILE)-query.c crc32.c $(LIBS) p0fq: test/p0fq p0fping: test/p0fping tools: $(TOOLS) clean: rm -f core core.[0123456789]* *~ *.o $(FILE) a.out $(FILE)-static \ test/p0fq test/p0fping $(TOOLS) install: $(FILE) cp -f $(FILE) /usr/sbin/ cp -f p0frep /usr/sbin/ mkdir /etc/p0f || true cp -f p0f.fp p0fa.fp p0fr.fp p0fo.fp /etc/p0f/ cp -f p0f.1 /usr/man/man1/ || cp -f p0f.1 /usr/local/man/man1/ @echo "You might want to manually install test/ tools now." 
p0f/mk/Linux0100644000175100017500000000271410472324354012564 0ustar lcamtufusers# # p0f - "universal" Makefile (Linux/*BSD/Darwin) # ---------------------------------------------- # # Note, you probably need gmake for this (OpenBSD take notice). # # (C) Copyright 2000-2006 by Michal Zalewski # CC = gcc LIBS = -lpcap STRIP = strip CFLAGS = -O3 -Wall -fomit-frame-pointer -funroll-loops \ -DUSE_BPF=\"${USE_BPF}\" \ -I/usr/include/pcap -I/usr/local/include/pcap -I/usr/local/include FILE = p0f TOOLS = test/sendack test/sendack2 test/sendsyn all: $(FILE) strip @echo ">> You can also try 'make p0fq' to compile a sample query" @echo ">> client (see README for more information)." static: $(FILE)-static $(FILE): $(FILE).c $(CC) $(CFLAGS) -o $@ $(FILE).c $(FILE)-query.c crc32.c $(LIBS) $(FILE)-static: $(FILE).c $(CC) -static $(CFLAGS) -o $@ $(FILE).c $(FILE)-query.c crc32.c $(LIBS) strip: strip $(FILE) 2>/dev/null || true p0fq: test/p0fq p0fping: test/p0fping tools: $(TOOLS) clean: rm -f core core.[0123456789]* *~ *.o $(FILE) a.out $(FILE)-static \ test/p0fq test/p0fping $(TOOLS) publish: clean cd ..;tar cfvz /tmp/p0f.tgz p0f scp -p /tmp/p0f.tgz lcamtuf@coredump.cx:/export/www/lcamtuf/p0f-devel.tgz rm -f /tmp/p0f.tgz install: $(FILE) cp -f $(FILE) /usr/sbin/ cp -f p0frep /usr/sbin/ mkdir /etc/p0f || true cp -f p0f.fp p0fa.fp p0fr.fp p0fo.fp /etc/p0f/ cp -f p0f.1 /usr/man/man1/ || cp -f p0f.1 /usr/local/man/man1/ @echo "You might want to manually install test/ tools now." 
p0f/mk/SunOS0100644000175100017500000000235010472324363012470 0ustar lcamtufusers# # p0f - SunOS/Solaris Makefile # ---------------------------- # # (C) Copyright 2000-2006 by Michal Zalewski # CC = gcc LIBS = -lpcap -L/opt/local/lib \ -L/usr/local/lib -lsocket -lnsl CFLAGS = -O3 -Wall -fomit-frame-pointer -funroll-loops \ -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 \ -DUSE_BPF=\"${USE_BPF}\" \ -I/opt/local/include -I/usr/local/include FILE = p0f TOOLS = test/sendack test/sendack2 test/sendsyn all: $(FILE) @echo ">> You can also try 'make p0fq' to compile a sample query" @echo ">> client (see README for more information)." static: $(FILE)-static $(FILE): $(FILE).c $(CC) $(CFLAGS) -o $@ $(FILE).c $(FILE)-query.c crc32.c $(LIBS) $(FILE)-static: $(FILE).c $(CC) -static $(CFLAGS) -o $@ $(FILE).c $(FILE)-query.c crc32.c $(LIBS) p0fq: test/p0fq p0fping: test/p0fping tools: $(TOOLS) clean: rm -f core core.[0123456789]* *~ *.o $(FILE) a.out $(FILE)-static \ test/p0fq test/p0fping $(TOOLS) install: $(FILE) cp -f $(FILE) /usr/sbin/ cp -f p0frep /usr/sbin/ mkdir /etc/p0f || true cp -f p0f.fp p0fa.fp p0fr.fp p0fo.fp /etc/p0f/ cp -f p0f.1 /usr/man/man1/ || cp -f p0f.1 /usr/local/man/man1/ @echo "You might want to manually install test/ tools now." p0f/mk/Darwin0120755000175100017500000000000010466611071013720 2Linuxustar lcamtufusersp0f/mk/FreeBSD0120755000175100017500000000000010466611071013706 2Linuxustar lcamtufusersp0f/mk/NetBSD0120755000175100017500000000000010466611071013553 2Linuxustar lcamtufusersp0f/mk/OpenBSD0120755000175100017500000000000010466611071013726 2Linuxustar lcamtufusersp0f/mk/CYGWIN0100644000175100017500000000276710472324345012475 0ustar lcamtufusers# # p0f - CYGWIN Makefile # --------------------- # # You need Windows pcap port for this. Windows pcap may not work # on some wireless interfaces, unless a bridging trick is used # (see winpcap FAQ). 
# # (C) Copyright 2000-2006 by Michal Zalewski # CC = gcc LIBS = -L/lib/pcap -lwpcap STRIP = strip CFLAGS = -O3 -Wall -fomit-frame-pointer -funroll-loops \ -DUSE_BPF=\"${USE_BPF}\" \ -I/usr/pcap/include -I/usr/include/mingw -I/usr/local/include FILE = p0f TOOLS = test/sendack test/sendack2 test/sendsyn all: $(FILE) strip @echo ">> You can also try 'make p0fq' to compile a sample query" @echo ">> client (see README for more information)." static: $(FILE)-static $(FILE): $(FILE).c $(CC) $(CFLAGS) -o $@ $(FILE).c $(FILE)-query.c crc32.c $(LIBS) $(FILE)-static: $(FILE).c $(CC) -static $(CFLAGS) -o $@ $(FILE).c $(FILE)-query.c crc32.c $(LIBS) strip: strip $(FILE) 2>/dev/null || true p0fq: test/p0fq p0fping: test/p0fping tools: $(TOOLS) clean: rm -f core core.[0123456789]* *~ *.o $(FILE) a.out $(FILE)-static \ test/p0fq test/p0fping $(TOOLS) publish: clean cd ..;tar cfvz /tmp/p0f.tgz p0f scp -p /tmp/p0f.tgz lcamtuf@coredump.cx:/export/www/lcamtuf/p0f-devel.tgz rm -f /tmp/p0f.tgz install: $(FILE) cp -f $(FILE) /usr/sbin/ cp -f p0frep /usr/sbin/ mkdir /etc/p0f || true cp -f p0f.fp p0fa.fp p0fr.fp p0fo.fp /etc/p0f/ cp -f p0f.1 /usr/man/man1/ || cp -f p0f.1 /usr/local/man/man1/ @echo "You might want to manually install test/ tools now." p0f/mtu.h0100644000175100017500000000323110467616463012115 0ustar lcamtufusers/* p0f - MTU database ------------------ A list of known and used MTUs. Note: MSS is MTU-40 on a sane system. 
Copyright (C) 2003-2006 by Michal Zalewski */ #ifndef _HAVE_MTU_H #define _HAVE_MTU_H #include "types.h" struct mtu_def { _u16 mtu; _u8* dev; }; /* THIS LIST MUST BE SORTED FROM LOWEST TO HIGHEST MTU */ static struct mtu_def mtu[] = { { 256, "radio modem" }, { 386, "ethernut" }, { 552, "SLIP line / encap ppp" }, { 576, "sometimes modem" }, { 1280, "gif tunnel" }, { 1300, "PIX, SMC, sometimes wireless" }, { 1362, "sometimes DSL (1)" }, { 1372, "cable modem" }, { 1400, "(Google/AOL)" }, /* To be investigated */ { 1415, "sometimes wireless" }, { 1420, "GPRS, T1, FreeS/WAN" }, { 1423, "sometimes cable" }, { 1440, "sometimes DSL (2)" }, { 1442, "IPIP tunnel" }, { 1450, "vtun" }, { 1452, "sometimes DSL (3)" }, { 1454, "sometimes DSL (4)" }, { 1456, "ISDN ppp" }, { 1458, "BT DSL (?)" }, { 1462, "sometimes DSL (5)" }, { 1470, "(Google 2)" }, { 1476, "IPSec/GRE" }, { 1480, "IPv6/IPIP" }, { 1492, "pppoe (DSL)" }, { 1496, "vLAN" }, { 1500, "ethernet/modem" }, { 1656, "Ericsson HIS" }, { 2024, "wireless/IrDA" }, { 2048, "Cyclom X.25 WAN" }, { 2250, "AiroNet wireless" }, { 3924, "loopback" }, { 4056, "token ring (1)" }, { 4096, "Sangoma X.25 WAN" }, { 4352, "FDDI" }, { 4500, "token ring (2)" }, { 9180, "FORE ATM" }, { 16384, "sometimes loopback (1)" }, { 16436, "sometimes loopback (2)" }, { 18000, "token ring x4" }, }; #define MTU_CNT (sizeof(mtu) / sizeof(struct mtu_def)) #endif /* ! _HAVE_MTU_H */ p0f/p0f-query.c0100644000175100017500000001530510477537011013130 0ustar lcamtufusers/* p0f - daemon query interface ---------------------------- See p0f-query.h. This is just an internal cache / query handling for -Q functionality. Uses the same cache for -M lookups, too. OPTIMIZE THIS CODE. It blows. At the very least, fill out genre, detail, ToS and link type on lookup. 
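Copyright (C) 2003-2006 by Michal Zalewski */

/* NOTE(review): the system header list of this file was lost in extraction;
   the set below covers every libc call made in this file (fprintf, calloc,
   exit, memset, strncpy, strcmp, bzero, send, time) - confirm against the
   original tree. */
#include <stdio.h>
#include <stdlib.h>

#ifndef WIN32
#include <sys/types.h>
#include <sys/socket.h>
#endif

#include <string.h>
#include <strings.h>
#include <time.h>

#include "p0f-query.h"
#include "types.h"
#include "config.h"

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0
#endif /* ! MSG_NOSIGNAL */

/* One ring-buffer slot: the connection the fingerprint was seen on, the
   matched signature number and MSS, plus the ready-to-send response that
   p0f_handlequery() hands out verbatim. */
struct cache_data {
  _u32 sad,dad,ports,signo;   /* src addr, dst addr, (sport << 16) | dport, signature no. */
  _u16 mss;
  struct p0f_response s;
};

/* Ring buffer of QUERY_CACHE slots; cur_c is the slot that the next
   p0f_addcache() call overwrites. */
static struct cache_data (*c)[];
static _s32 cur_c;
static _s32 QUERY_CACHE;

/* Masquerade verdict left behind by the most recent p0f_findmasq() call;
   p0f_addcache() copies it into the new entry, which is why the two have to
   be called back to back. */
static _u16 flags;
static _s16 score = NO_SCORE;

/* Statistics counters shared with p0f.c (reported through QTYPE_STATUS). */
_u32 packet_count, matched_packets, st_time, file_cksum;
_u8 operating_mode;

#define SAD_HASH(a) ((((a) << 16) ^ ((a) << 8) ^ (a)))

/* Allocate the query / masquerade cache with csiz slots. Exits the process
   on allocation failure, and on a zero size: the slot index is computed
   modulo csiz, so zero would later divide by zero in p0f_addcache(). */
void p0f_initcache(_u32 csiz) {
  if (!csiz) {
    fprintf(stderr,"[!] ERROR: Query cache size must be at least 1.\n");
    exit(1);
  }
  QUERY_CACHE = csiz;
  c = calloc(csiz, sizeof(struct cache_data));
  if (!c) {
    fprintf(stderr,"[!] ERROR: Not enough memory for query cache.\n");
    exit(1);
  }
}

/* Record a fingerprint result for the connection saddr:sport -> daddr:dport
   in the next ring slot (overwriting the oldest entry), pre-formatting the
   p0f_response that p0f_handlequery() will later send.

   genre/detail/link/tos may be NULL (unknown). 'real' says whether this is a
   real OS match; only then are the masquerade score/flags left behind by
   p0f_findmasq() attached, otherwise NO_SCORE / 0 are stored. */
void p0f_addcache(_u32 saddr,_u32 daddr,_u16 sport,_u16 dport,
                  _u8* genre,_u8* detail,_s8 dist,_u8* link,_u8* tos,
                  _u8 fw,_u8 nat,_u8 real,_u16 mss,_u32 signo,_s32 uptime) {

  struct cache_data* cur = *c + cur_c;
  struct p0f_response* sc = &cur->s;

  cur->signo = signo;
  cur->mss   = mss;
  cur->sad   = saddr;
  cur->dad   = daddr;

  /* Widen before shifting: _u16 promotes to int, and a source port >= 32768
     shifted left by 16 would overflow it. */
  cur->ports = ((_u32)sport << 16) | dport;

  /* Clear the whole response, not just sizeof(pointer) bytes. Slots are
     reused, and a short memset let genre/detail/link/tos of the previous
     occupant leak into the reply whenever the new hit lacks them. It also
     keeps the strncpy() calls below NUL-terminated (last byte stays 0). */
  memset(sc,0,sizeof(*sc));

  if (genre) {
    strncpy(sc->genre,genre,sizeof(sc->genre)-1);
    if (detail) strncpy(sc->detail,detail,sizeof(sc->detail)-1);
  }

  if (link) strncpy(sc->link,link,sizeof(sc->link)-1);
  if (tos)  strncpy(sc->tos,tos,sizeof(sc->tos)-1);

  sc->score  = real ? score : NO_SCORE;
  sc->mflags = real ? flags : 0;
  sc->dist   = dist;
  sc->fw     = fw;
  sc->nat    = nat;
  sc->real   = real;
  sc->uptime = uptime;

  cur_c = (cur_c + 1) % QUERY_CACHE;

}

/* Wrap a possibly negative ring index back into [0,max). */
#define SUBMOD(val,max) ((val) < 0 ? \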
((max) + (val)) : (val)) #ifndef WIN32 static _u32 qcount, mcount; void p0f_handlequery(_s32 sock,struct p0f_query* q,_u8 wild) { _s32 i; if (q->magic != QUERY_MAGIC || (q->type != QTYPE_FINGERPRINT && q->type != QTYPE_STATUS)) { struct p0f_response r; bzero(&r,sizeof(r)); r.magic = QUERY_MAGIC; r.type = RESP_BADQUERY; r.id = q->id; send(sock,&r,sizeof(r),MSG_NOSIGNAL); return; } if (q->type == QTYPE_STATUS) { struct p0f_status s; s.magic = QUERY_MAGIC; s.id = q->id; s.type = RESP_STATUS; s.mode = operating_mode; s.fp_cksum = file_cksum; s.cache = QUERY_CACHE; s.packets = packet_count; s.matched = matched_packets; s.queries = qcount; s.cmisses = mcount; s.uptime = time(0) - st_time; strncpy(s.version, VER, sizeof(s.version)-1); s.version[sizeof(s.version)-1]=0; send(sock,&s,sizeof(struct p0f_status),MSG_NOSIGNAL); return; } qcount++; /* Honor wildcards only when src port is 0 */ if (wild && q->src_port) wild = 0; for (i=1;isad == q->src_ad && cur->dad == q->dst_ad && ( wild ? ((cur->ports & 0xffff) == q->dst_port) : (cur->ports == (q->src_port << 16) + q->dst_port))) { struct p0f_response* n = &cur->s; n->magic = QUERY_MAGIC; n->type = RESP_OK; n->id = q->id; send(sock,n,sizeof(struct p0f_response),MSG_NOSIGNAL); return; } } { struct p0f_response r; mcount++; bzero(&r,sizeof(r)); r.magic = QUERY_MAGIC; r.type = RESP_NOMATCH; r.id = q->id; r.dist = -1; send(sock,&r,sizeof(r),MSG_NOSIGNAL); } } #endif /* !WIN32 */ void p0f_descmasq(void) { if (flags & D_GENRE) printf("OS "); if (flags & D_DETAIL) printf("VER "); if (flags & D_LINK) printf("LINK "); if (flags & D_DIST) printf("DIST "); if (flags & D_NAT) printf("xNAT "); if (flags & D_FW) printf("xFW "); if (flags & D_NAT2_1) printf("NAT1 "); if (flags & D_NAT2_2) printf("NAT2 "); if (flags & D_FW2_1) printf("FW1 "); if (flags & D_FW2_2) printf("FW2 "); if (flags & D_FAST) printf("FAST "); if (flags & D_TNEG) printf("TNEG "); if (flags & D_TIME) printf("-time "); if (flags & D_FAR) printf("-far "); } _s16 
p0f_findmasq(_u32 sad,_u8* genre,_s8 dist,_u16 mss, _u8 nat,_u8 fw,_u32 signo,_s32 uptime) { _s32 i; _s16 pscore = 0; score = 0; flags = 0; /* We assume p0f_addcache is called immediately after p0f_findmasq. */ for (i=1;isad != sad) continue; if (!cur->s.real) continue; if (cur->s.score > pscore) pscore = cur->s.score; if (mss ^ cur->mss) flags |= D_LINK; if (dist ^ cur->s.dist) flags |= D_DIST; if (uptime >= 0 && cur->s.uptime >= 0) { _s32 td = uptime - cur->s.uptime; if (td < 0) flags |= D_TNEG; else if (td > MAX_TIMEDIF) flags |= D_FAST; else flags |= D_TIME; } if (signo ^ cur->signo) { flags |= D_DETAIL; if (strcmp(genre,cur->s.genre)) flags |= D_GENRE; if (fw) flags |= D_FW2_1; if (cur->s.fw) flags |= D_FW2_2; if (nat) flags |= D_NAT2_1; if (cur->s.nat) flags |= D_NAT2_2; } else { if (nat ^ cur->s.nat) flags |= D_NAT; if (fw ^ cur->s.fw) flags |= D_FW; } if (!of && flags && i > QUERY_CACHE/2) flags |= D_FAR; } if (!flags) return 0; if (flags & D_DETAIL) score = 4; else score = -3; if (flags & D_GENRE) score += 2; if (flags & D_LINK) score += 4; #ifdef DIST_EXTRASCORE if (flags & D_DIST) score += 4; #else if (flags & D_DIST) score++; #endif /* ^DIST_EXTRASCORE */ if (flags & D_NAT) score += 4; if (flags & D_FW) score += 4; if (flags & D_NAT2_1) score++; if (flags & D_NAT2_2) score++; if (flags & D_FW2_1) score++; if (flags & D_FW2_2) score++; if (flags & D_TIME) score++; if (flags & D_TNEG) score+=2; if (flags & D_FAR) score >>= 1; if (flags & D_TIME) if (score) score -=1; /* Avoid reporting a host multiple times if it already got reported with this or higher score, for as long as its entry lives in the cache, of course. Also, carry the highest score to the most recent entry. */ if (pscore >= score) return 0; return score * 200 / 25; } p0f/p0f-query.h0100644000175100017500000000620610472337417013140 0ustar lcamtufusers/* p0f - daemon query interface ---------------------------- This is an interface to be used on the local socket created with -Q. 
Copyright (C) 2003-2006 by Michal Zalewski */ #ifndef _HAVE_P0FQUERY_H #define _HAVE_P0FQUERY_H #include "types.h" #include "config.h" #define QUERY_MAGIC 0x0defaced #define NO_SCORE -100 /* Masquerade detection flags: */ #define D_GENRE 0x0001 #define D_DETAIL 0x0002 #define D_LINK 0x0004 #define D_DIST 0x0008 #define D_NAT 0x0010 #define D_FW 0x0020 #define D_NAT2_1 0x0040 #define D_FW2_1 0x0080 #define D_NAT2_2 0x0100 #define D_FW2_2 0x0200 #define D_FAST 0x0400 #define D_TNEG 0x0800 #define D_TIME 0x4000 #define D_FAR 0x8000 #define QTYPE_FINGERPRINT 1 #define QTYPE_STATUS 2 struct p0f_query { _u32 magic; /* must be set to QUERY_MAGIC */ _u8 type; /* QTYPE_* */ _u32 id; /* Unique query ID */ _u32 src_ad,dst_ad; /* src address, local dst addr */ _u16 src_port,dst_port; /* src and dst ports */ }; #define RESP_OK 0 /* Response OK */ #define RESP_BADQUERY 1 /* Query malformed */ #define RESP_NOMATCH 2 /* No match for src-dst data */ #define RESP_STATUS 255 /* Status information */ struct p0f_response { _u32 magic; /* QUERY_MAGIC */ _u32 id; /* Query ID (copied from p0f_query) */ _u8 type; /* RESP_* */ _u8 genre[20]; /* OS genre (empty if no match) */ _u8 detail[40]; /* OS version (empty if no match) */ _s8 dist; /* Distance (-1 if unknown ) */ _u8 link[30]; /* Link type (empty if unknown) */ _u8 tos[30]; /* Traffic type (empty if unknown) */ _u8 fw,nat; /* firewall and NAT flags flags */ _u8 real; /* A real operating system? 
*/ _s16 score; /* Masquerade score (or NO_SCORE) */ _u16 mflags; /* Masquerade flags (D_*) */ _s32 uptime; /* Uptime in hours (-1 = unknown) */ }; struct p0f_status { _u32 magic; /* QUERY_MAGIC */ _u32 id; /* Query ID (copied from p0f_query) */ _u8 type; /* RESP_STATUS */ _u8 version[16]; /* p0f version */ _u8 mode; /* p0f mode (S - SYN; A - SYN+ACK, R - RST, O - stray) */ _u32 fp_cksum; /* Fingerprint file checksum */ _u32 cache; /* p0f query cache size */ _u32 packets; /* Total number of all packet received */ _u32 matched; /* Total number of packets matched */ _u32 queries; /* Total number of queries handled */ _u32 cmisses; /* Total number of cache query misses */ _u32 uptime; /* Process uptime in seconds */ }; /* --------------------------------------- */ /* This is an internal API, do not bother: */ /* --------------------------------------- */ void p0f_initcache(_u32 csiz); void p0f_addcache(_u32 saddr,_u32 daddr,_u16 sport,_u16 dport, _u8* genre,_u8* detail,_s8 dist,_u8* link,_u8* tos, _u8 fw,_u8 nat,_u8 real,_u16 mss,_u32 signo, _s32 uptime); void p0f_handlequery(_s32 sock,struct p0f_query* q,_u8 wild); _s16 p0f_findmasq(_u32 sad,_u8* genre,_s8 dist,_u16 mss, _u8 nat,_u8 fw,_u32 signo,_s32 uptime); void p0f_descmasq(void); #endif /* ! _HAVE_P0FQUERY_H */ p0f/p0f.10100644000175100017500000002522610466616021011703 0ustar lcamtufusers.TH P0F 1 .SH NAME p0f \- identify remote systems passively .SH SYNOPSIS .B p0f .I p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket [ -0 ] ] [ -w file ] [ -u user ] [ -c size ] [ -T nn ] [ -e nn ] [ -FNODVUKAXMqxtpdlRL ] [ 'filter rule' ] .br .SH "DESCRIPTION" .PP .B p0f uses a fingerprinting technique based on analyzing the structure of a TCP/IP packet to determine the operating system and other configuration properties of a remote host. The process is completely passive and does not generate any suspicious network traffic. 
The other host has to either: .FP - connect to your network - either spontaneously or in an induced manner, for example when trying to establish a ftp data stream, returning a bounced mail, performing auth lookup, using IRC DCC, external html mail image reference and so on, .FP - or be contacted by some entity on your network using some standard means (such as a web browsing); it can either accept or refuse the connection. .PP The method can see thru packet firewalls and does not have the restrictions of an active fingerprinting. The main uses of passive OS fingerprinting are attacker profiling (IDS and honeypots), visitor profiling (content optimization), customer/user profiling (policy enforcement), pen-testing, etc. .SH OPTIONS .TP \fB-f\fR file read fingerprints from file; by default, p0f reads signatures from ./p0f.fp or /etc/p0f/p0f.fp (the latter on Unix systems only). You can use this to load custom fingerprint data. Specifying multiple -f values will NOT combine several signature files together. .TP \fB-i\fR device listen on this device; p0f defaults to whatever device libpcap considers to be the best (and which often isn't). On some newer systems you might be able to specify 'any' to listen on all devices, but don't rely on this. Specifying multiple -i values will NOT cause p0f to listen on several interfaces at once. .TP \fB-s\fR file read packets from tcpdump snapshot; this is an alternate mode of operation, in which p0f reads packet from pcap data capture file, instead of a live network. Useful for forensics (this will parse tcpdump -w output, for example). You can use Ethereal's text2pcap to convert human-readable packet traces to pcap files, if needed. .TP \fB-w\fR file writes matching packets to a tcpdump snapshot, in addition to fingerprinting; useful when it is advisable to save copies of the actual traffic for review. .TP \fB-o\fR file write to this logfile. This option is required for -d and implies -t. 
.TP \fB-Q\fR socket listen on a specified local stream socket (a filesystem object, for example /var/run/p0f-sock) for queries. One can later send a packet to this socket with p0f_query structure from p0f-query.h, and wait for p0f_response. This is a method of integrating p0f with active services (web server or web scripts, etc). P0f will still continue to report signatures the usual way - but you can use -qKU combination to suppress this. Also see -c notes. A sample query tool (p0fq) is provided in the test/ subdirectory. There is also a trivial perl implementation of a client available. NOTE: The socket is created with permissions derived from your current umask, and anyone who can connect to it can read the cached per-connection fingerprint data and the status record. If you want to restrict access to this interface, set a restrictive umask before starting p0f, or create the socket in a directory that only the intended clients can reach. .TP \fB-0\fR treat source port 0 in remote queries as a wildcard: find any record for that host. This is useful when developing plugins for programs that do not pass source port information to the subsystem that uses p0f queries; note that this introduces some ambiguity, and the returned match might not be for the exact connection in question (-Q mode only). .TP \fB-e\fR ms packet capture window. On some systems (particularly on older Suns), the default pcap capture window of 1 ms is insufficient, and p0f may get no packets. In such a case, adjust this parameter to the smallest value that results in reliable operation (note that this might introduce some latency to p0f). .TP \fB-c\fR size cache size for -Q and -M options. The default is 128, which is sane for a system under a moderate network load. Setting it too high will slow down p0f and may result in some -M false positives for dial-up nodes, dual-boot systems, etc. Setting it too low will result in cache misses for -Q option. To choose the right value, use the average number of connections per the interval of time you want to cache, then pass it to p0f with -c. P0f, when run without -q, also reports average packet ratio on exit. 
You can use this to determine the optimal -c setting. This option has no effect if you do not use -Q or -M. .TP \fB-u\fR user this option forces p0f to chroot to this user's home directory after reading configuration data and binding to sockets, then to switch to that user's UID, GID and supplementary groups. This is a hardening feature for daemon use: create a dedicated unprivileged user with an empty home directory, so that a compromised p0f process has as little as possible to reach. Note that the capture descriptor is opened before privileges are dropped and stays open afterwards, so an attacker who takes over the process can still read some network traffic through it (still better than rm -rf /). .TP \fB-N\fR inhibit guesswork; do not report distances and link media. With this option, p0f logs only source IP and OS data. .TP \fB-F\fR deploy fuzzy matching algorithm if no precise matches are found (currently applies to TTL only). This option is not recommended for RST+ mode. .TP \fB-D\fR do not report OS details (just genre). This option is useful if you don't want p0f to elaborate on OS versions and such (combine with -N). .TP \fB-U\fR do not display unknown signatures. Use this option if you want to keep your log file clean and are not interested in hosts that are not recognized. .TP \fB-K\fR do not display known signatures. This option is useful when you run p0f recreationally and want to spot UFOs, or in -Q or -M modes when combined with -U to inhibit all output. .TP \fB-q\fR be quiet - do not display banners and keep a low profile. .TP \fB-p\fR switch card to promiscuous mode; by default, p0f listens only to packets addressed or routed through the machine it runs on. This setting might decrease performance, depending on your network design and load. On switched networks, this usually has little or no effect. Note that promiscuous mode on IP-enabled interfaces can be detected remotely, and is sometimes not welcome by network administrators. 
.TP \fB-t\fR add human-readable timestamps to every entry (use multiple times to change date format, a la tcpdump). .TP \fB-d\fR go into daemon mode (detach from current terminal and fork into background). Requires -o. .TP \fB-l\fR outputs data in line-per-record style (easier to grep). .TP \fB-A\fR a semi-supported option for SYN+ACK mode. This option will cause p0f to fingerprint systems you connect to, as opposed to systems that connect to you (default). With this option, p0f will look for p0fa.fp file instead of the usual p0f.fp. The usual config is NOT SUITABLE for this mode. The SYN+ACK signature database is sort of small at the moment, but suitable for many uses. Feel free to contribute. .TP \fB-R\fR a barely-supported option for RST+ mode. This option will prompt p0f to fingerprint several different types of traffic, most importantly "connection refused" and "timeout" messages. This mode is similar to SYN+ACK (-A), except that the program will now look for p0fr.fp. The usual config is NOT SUITABLE for this mode. You may have to familiarize yourself with p0fr.fp before using it. .TP \fB-O\fR absolutely experimental open connection (stray ACK) fingerprinting mode. In this mode, p0f will attempt to indiscriminately identify OS on all packets within an already established connection. The only use of this mode is to perform an immediate fingerprinting of an existing session. Because of the sheer amount of output, you are advised against running p0f in this mode for extended periods of time. The program will use p0fo.fp file to read fingerprints. The usual config is NOT SUITABLE for this mode. Do not use unless you know what you are doing. NOTE: The p0fo.fp database is very sparsely populated at the moment. .TP \fB-r\fR resolve host names; this mode is MUCH slower and poses some security risk. Do not use except for interactive runs or low traffic situations. 
NOTE: this option ONLY performs a reverse (PTR) lookup of the IP address; it does not check that the returned name resolves back to the same address (no forward-confirmed reverse DNS). Hence, the name is controlled by whoever runs the reverse zone for that address and may be spoofed - do not rely on it without checking twice. .TP \fB-C\fR perform collision check on signatures prior to running. This is an essential option whenever you add new signatures to .fp files, but is not necessary otherwise. .TP \fB-x\fR dump full packet contents; this option is not compatible with -l and is intended for debugging and packet comparison only. .TP \fB-X\fR display packet payload; rarely, control packets we examine may carry a payload. This is a bug for the default (SYN) and -A (SYN+ACK) modes, but is (sometimes) acceptable in -R (RST+) mode. .TP \fB-M\fR deploy masquerade detection algorithm. The algorithm looks over recent (cached) hits and looks for indications of multiple systems being behind a single gateway. This is useful on routers and such to detect policy violations. Note that this mode is somewhat slower due to caching and lookups. Use with caution (or do not use at all) in modes other than default (SYN). .TP \fB-T\fR nn masquerade detection threshold; only meaningful with -M, sets the threshold (1-200) for masquerade reporting. .TP \fB-V\fR use verbose masquerade detection reporting. This option describes the status of all indicators, not only an overall value. .TP \fB-v\fR enable support for 802.1Q VLAN tagged frames. Available on some interfaces; on others, it will result in a BPF error. .SH FILTERS The last part, 'filter rule', is a bpf-style filter expression for incoming packets. It is very useful for excluding or including certain networks, hosts, or specific packets, in the logfile. See man tcpdump for more information; a few examples: \'src port ftp-data\' \'not dst net 10.0.0.0 mask 255.0.0.0\' \'dst port 80 and ( src host 195.117.3.59 or src host 217.8.32.51 )\' You also can use a companion log report utility for p0f. Simply run 'p0frep' for help. 
.SH SECURITY P0f, due to its simplicity, is believed to be considerably more secure than other software that is often run for packet capture (tcpdump, Ettercap, Ethereal, etc). It still parses attacker-controlled packets, and unless -u is given it does so with whatever privileges it was started with - so use -u where possible, and follow the security guidelines posted in the documentation supplied with the package. .SH BUGS You need to consult the documentation for an up-to-date list of issues. .SH FILES .TP .BI /etc/p0f/p0f.fp\ /etc/p0f/p0fa.fp\ /etc/p0f/p0fr.fp\ /etc/p0f/p0fo.fp default fingerprint database files .SH AUTHOR .B p0f was written by Michal Zalewski . This man page was originally written by William Stearns , then adopted for p0f v2 by Michal Zalewski. p0f/p0f.c0100644000175100017500000013652610472340040011763 0ustar lcamtufusers/* p0f - passive OS fingerprinting ------------------------------- "If you sit down at a poker game and don't see a sucker, get up. You're the sucker." (C) Copyright 2000-2006 by Michal Zalewski WIN32 port (C) Copyright 2003-2004 by Michael A. Davis (C) Copyright 2003-2004 by Kirby Kuehl */ #include #include #include #ifndef WIN32 # include # include # include # include # include # include # include # include #else # include "getopt.h" # include # pragma comment (lib, "wpcap.lib") #endif /* ^WIN32 */ #include #include #include #ifdef USE_BPF #include USE_BPF #else #include #endif /* ^USE_BPF */ #include #include /* #define DEBUG_HASH - display signature hash table stats */ #include "config.h" #include "types.h" #include "tcp.h" #include "mtu.h" #include "tos.h" #include "fpentry.h" #include "p0f-query.h" #include "crc32.h" #ifndef MSG_NOSIGNAL #define MSG_NOSIGNAL 0 #endif /* ! MSG_NOSIGNAL */ static pcap_dumper_t *dumper; #ifdef WIN32 static inline void debug(_u8* format, ...) { _u8 buff[1024]; va_list args; va_start(args, format); memset(buff, 0, sizeof(buff)); _vsnprintf( buff, sizeof(buff) - 1, format, args); fprintf(stderr, buff); va_end(args); } static inline void fatal(_u8* format, ...) 
{ _u8 buff[1024]; va_list args; va_start(args, format); memset(buff, 0, sizeof(buff)); vsnprintf( buff, sizeof(buff) - 1, format, args); fprintf(stderr, "[-] ERROR: %s", buff); va_end(args); exit(1); } #else # define debug(x...) fprintf(stderr,x) # define fatal(x...) do { debug("[-] ERROR: " x); exit(1); } while (0) #endif /* ^WIN32 */ #define pfatal(x) do { debug("[-] ERROR: "); perror(x); exit(1); } while (0) static struct fp_entry sig[MAXSIGS]; static _u32 sigcnt,gencnt; /* By hash */ static struct fp_entry* bh[16]; #define SIGHASH(tsize,optcnt,q,df) \ (( (_u8) (((tsize) << 1) ^ ((optcnt) << 1) ^ (df) ^ (q) )) & 0x0f) static _u8 *config_file, *use_iface, *use_dump, *write_dump, *use_cache, #ifndef WIN32 *set_user, #endif /* !WIN32 */ *use_rule = "tcp[13] & 0x17 == 2"; static _u32 query_cache = DEFAULT_QUERY_CACHE; static _s32 masq_thres; static _s32 capture_timeout = 1; static _u8 no_extra, find_masq, masq_flags, no_osdesc, no_known, no_unknown, no_banner, use_promisc, add_timestamp, header_len, ack_mode, rst_mode, open_mode, go_daemon, use_logfile, mode_oneline, always_sig, do_resolve, check_collide, full_dump, use_fuzzy, use_vlan, payload_dump, port0_wild; static pcap_t *pt; static struct bpf_program flt; /* Exports for p0f statistics */ _u32 packet_count; _u8 operating_mode; _u32 st_time; _u32 file_cksum; static void die_nicely(_s32 sig) { if (sig) debug("+++ Exiting on signal %d +++\n",sig); if (pt) pcap_close(pt); if (dumper) pcap_dump_close(dumper); if (!no_banner && packet_count) { float r = packet_count * 60; r /= (time(0) - st_time); debug("[+] Average packet ratio: %0.2f per minute",r); if (use_cache || find_masq) debug(" (cache: %0.2f seconds).\n",query_cache * 60 / r); else debug(".\n"); } exit(sig); } static void set_header_len(_u32 type) { switch(type) { case DLT_SLIP: case DLT_RAW: break; #ifdef DLT_C_HDLC case DLT_C_HDLC: #endif case DLT_NULL: header_len=4; break; case DLT_EN10MB: header_len=14; break; #ifdef DLT_LOOP case DLT_LOOP: #endif #ifdef 
DLT_PPP_SERIAL case DLT_PPP_SERIAL: /* NetBSD oddity */ #endif #ifdef DLT_PPP_ETHER case DLT_PPP_ETHER: /* PPPoE on NetBSD */ header_len=8; break; #endif case DLT_PPP: header_len=4; break; case DLT_IEEE802: header_len=22; break; #ifdef DLT_IEEE802_11 case DLT_IEEE802_11: header_len=32; break; #endif #ifdef DLT_PFLOG case DLT_PFLOG: header_len=28; break; #endif #ifdef DLT_LINUX_SLL case DLT_LINUX_SLL: header_len=16; break; #endif default: debug("[!] WARNING: Unknown datalink type %d, assuming no header.\n",type); break; } } static void usage(_u8* name) { fprintf(stderr, "\nUsage: %s [ -f file ] [ -i device ] [ -s file ] [ -o file ]\n" #ifndef WIN32 " [ -w file ] [ -Q sock [ -0 ] ] [ -u user ] [ -FXVNDUKASCMROqtpvdlrx ]\n" " [ -c size ] [ -T nn ] [ -e nn ] [ 'filter rule' ]\n" #else " [ -w file ] [ -FXVNDUKASCMLROqtpvdlrx ]\n" " [ -c size] [ -T nn ] [ -e nn ] [ 'filter rule' ]\n" #endif /* ^WIN32 */ " -f file - read fingerprints from file\n" " -i device - listen on this device\n" " -s file - read packets from tcpdump snapshot\n" " -o file - write to this logfile (implies -t)\n" " -w file - save packets to tcpdump snapshot\n" #ifndef WIN32 " -u user - chroot and setuid to this user\n" " -Q sock - listen on local socket for queries\n" " -0 - make src port 0 a wildcard (in query mode)\n" #endif /* !WIN32 */ " -e ms - pcap capture timeout in milliseconds (default: 1)\n" " -c size - cache size for -Q and -M options\n" " -M - run masquerade detection\n" " -T nn - set masquerade detection threshold (1-200)\n" " -V - verbose masquerade flags reporting\n" " -F - use fuzzy matching (do not combine with -R)\n" " -N - do not report distances and link media\n" " -D - do not report OS details (just genre)\n" " -U - do not display unknown signatures\n" " -K - do not display known signatures (for tests)\n" " -S - report signatures even for known systems\n" " -A - go into SYN+ACK mode (semi-supported)\n" " -R - go into RST/RST+ACK mode (semi-supported)\n" " -O - go into stray ACK 
mode (barely supported)\n" " -r - resolve host names (not recommended)\n" " -q - be quiet - no banner\n" " -v - enable support for 802.1Q VLAN frames\n" " -p - switch card to promiscuous mode\n" " -d - daemon mode (fork into background)\n" " -l - use single-line output (easier to grep)\n" " -x - include full packet dump (for debugging)\n" " -X - display payload string (useful in RST mode)\n" " -C - run signature collision check\n" #ifdef WIN32 " -L - list all available interfaces\n" #endif /* ^WIN32 */ " -t - add timestamps to every entry\n\n" " 'Filter rule' is an optional pcap-style BPF expression (man tcpdump).\n\n",name); exit(1); } static _u8 problems; static void collide(_u32 id) { _u32 i,j; _u32 cur; if (sig[id].ttl % 32 && sig[id].ttl != 255 && sig[id].ttl % 30) { problems=1; debug("[!] Unusual TTL (%d) for signature '%s %s' (line %d).\n", sig[id].ttl,sig[id].os,sig[id].desc,sig[id].line); } for (i=0;i 25) continue; if (sig[id].df ^ sig[i].df) continue; if (sig[id].zero_stamp ^ sig[i].zero_stamp) continue; /* Zero means >= PACKET_BIG */ if (sig[id].size) { if (sig[id].size ^ sig[i].size) continue; } else if (sig[i].size < PACKET_BIG) continue; if (sig[id].optcnt ^ sig[i].optcnt) continue; if (sig[id].quirks ^ sig[i].quirks) continue; switch (sig[id].wsize_mod) { case 0: /* Current: const */ cur=sig[id].wsize; do_const: switch (sig[i].wsize_mod) { case 0: /* Previous is also const */ /* A problem if values match */ if (cur ^ sig[i].wsize) continue; break; case MOD_CONST: /* Current: const, prev: modulo (or *) */ /* A problem if current value is a multiple of that modulo */ if (cur % sig[i].wsize) continue; break; case MOD_MSS: /* Current: const, prev: mod MSS */ if (sig[i].mss_mod || sig[i].wsize * (sig[i].mss ? sig[i].mss : 1460 ) != cur) continue; break; case MOD_MTU: /* Current: const, prev: mod MTU */ if (sig[i].mss_mod || sig[i].wsize * ( (sig[i].mss ? 
sig[i].mss : 1460 )+40) != cur) continue; break; } break; case 1: /* Current signature is modulo something */ /* A problem only if this modulo is a multiple of the previous modulo */ if (sig[i].wsize_mod != MOD_CONST) continue; if (sig[id].wsize % sig[i].wsize) continue; break; case MOD_MSS: /* Current is modulo MSS */ /* There's likely a problem only if the previous one is close to '*'; we do not check known MTUs, because this particular signature can be made with some uncommon MTUs in mind. The problem would also appear if current signature has a fixed MSS. */ if (sig[i].wsize_mod != MOD_CONST || sig[i].wsize >= 8) { if (!sig[id].mss_mod) { cur = (sig[id].mss ? sig[id].mss : 1460 ) * sig[id].wsize; goto do_const; } continue; } break; case MOD_MTU: /* Current is modulo MTU */ if (sig[i].wsize_mod != MOD_CONST || sig[i].wsize <= 8) { if (!sig[id].mss_mod) { cur = ( (sig[id].mss ? sig[id].mss : 1460 ) +40) * sig[id].wsize; goto do_const; } continue; } break; } /* Same for wsc */ switch (sig[id].wsc_mod) { case 0: /* Current: const */ cur=sig[id].wsc; switch (sig[i].wsc_mod) { case 0: /* Previous is also const */ /* A problem if values match */ if (cur ^ sig[i].wsc) continue; break; case 1: /* Current: const, prev: modulo (or *) */ /* A problem if current value is a multiple of that modulo */ if (cur % sig[i].wsc) continue; break; } break; case MOD_CONST: /* Current signature is modulo something */ /* A problem only if this modulo is a multiple of the previous modulo */ if (!sig[i].wsc_mod) continue; if (sig[id].wsc % sig[i].wsc) continue; break; } /* Same for mss */ switch (sig[id].mss_mod) { case 0: /* Current: const */ cur=sig[id].mss; switch (sig[i].mss_mod) { case 0: /* Previous is also const */ /* A problem if values match */ if (cur ^ sig[i].mss) continue; break; case 1: /* Current: const, prev: modulo (or *) */ /* A problem if current value is a multiple of that modulo */ if (cur % sig[i].mss) continue; break; } break; case MOD_CONST: /* Current signature is 
modulo something */ /* A problem only if this modulo is a multiple of the previous modulo */ if (!sig[i].mss_mod) continue; if ((sig[id].mss ? sig[id].mss : 1460 ) % (sig[i].mss ? sig[i].mss : 1460 )) continue; break; } /* Now check option sequence */ for (j=0;j= MAXOPT) fatal("Too many TCP options specified in config line %d.\n",ln); /* Skip separators */ do { p++; } while (*p && !isalpha(*p) && *p != '?'); } sig[sigcnt].line = ln; p = quirks; while (*p) switch (toupper(*(p++))) { case 'E': fatal("Quirk 'E' (line %d) is obsolete. Remove it, append E to the " "options.\n",ln); case 'K': if (!rst_mode) fatal("Quirk 'K' (line %d) is valid only in RST+ (-R)" " mode (wrong config file?).\n",ln); sig[sigcnt].quirks |= QUIRK_RSTACK; break; case 'D': if (open_mode) fatal("Quirk 'D' (line %d) is not valid in OPEN (-O) " "mode (wrong config file?).\n",ln); sig[sigcnt].quirks |= QUIRK_DATA; break; case 'Q': sig[sigcnt].quirks |= QUIRK_SEQEQ; break; case '0': sig[sigcnt].quirks |= QUIRK_SEQ0; break; case 'P': sig[sigcnt].quirks |= QUIRK_PAST; break; case 'Z': sig[sigcnt].quirks |= QUIRK_ZEROID; break; case 'I': sig[sigcnt].quirks |= QUIRK_IPOPT; break; case 'U': sig[sigcnt].quirks |= QUIRK_URG; break; case 'X': sig[sigcnt].quirks |= QUIRK_X2; break; case 'A': sig[sigcnt].quirks |= QUIRK_ACK; break; case 'T': sig[sigcnt].quirks |= QUIRK_T2; break; case 'F': sig[sigcnt].quirks |= QUIRK_FLAGS; break; case '!': sig[sigcnt].quirks |= QUIRK_BROKEN; break; case '.': break; default: fatal("Bad quirk '%c' in line %d.\n",*(p-1),ln); } e = bh[SIGHASH(s,sig[sigcnt].optcnt,sig[sigcnt].quirks,d)]; if (!e) { bh[SIGHASH(s,sig[sigcnt].optcnt,sig[sigcnt].quirks,d)] = sig + sigcnt; } else { while (e->next) e = e->next; e->next = sig + sigcnt; } if (check_collide) collide(sigcnt); if (++sigcnt >= MAXSIGS) fatal("Maximum signature count exceeded.\n"); } fclose(c); #ifdef DEBUG_HASH { int i; struct fp_entry* p; printf("Hash table layout: "); for (i=0;i<16;i++) { int z=0; p = bh[i]; while (p) { 
p=p->next; z++; } printf("%d ",z); } putchar('\n'); } #endif /* DEBUG_HASH */ if (check_collide && !problems) debug("[+] Signature collision check successful.\n"); if (!sigcnt) debug("[!] WARNING: no signatures loaded from config file.\n"); } static _u8* lookup_link(_u16 mss,_u8 txt) { _u32 i; static _u8 tmp[32]; if (!mss) return txt ? "unspecified" : 0; mss += 40; for (i=0;i ",x); break; case 3: /* seconds since the epoch */ printf("<%u.%06u> ", (_u32)tval.tv_sec, (_u32)tval.tv_usec); break; case 4: /* RFC3339 */ default: tmval = gmtime(&tval.tv_sec); printf("<%04u-%02u-%02uT%02u:%02u:%02u.%06uZ> ", tmval->tm_year + 1900, tmval->tm_mon + 1, tmval->tm_mday, tmval->tm_hour, tmval->tm_min, tmval->tm_sec, (_u32)tval.tv_usec); break; } } #define MY_MAXDNS 32 static inline _u8* grab_name(_u8* a) { struct hostent* r; static _u8 rbuf[MY_MAXDNS+6] = "/"; _u32 j; _u8 *s,*d = rbuf+1; if (!do_resolve) return ""; r = gethostbyaddr(a,4,AF_INET); if (!r || !(s = r->h_name) || !(j = strlen(s))) return ""; if (j > MY_MAXDNS) return ""; while (j--) { if (isalnum(*s) || *s == '-' || *s == '.') *d = *s; else *d = '?'; d++; s++; } *d=0; return rbuf; } static inline void display_signature(_u8 ttl,_u16 tot,_u8 df,_u8* op,_u8 ocnt, _u16 mss,_u16 wss,_u8 wsc,_u32 tstamp, _u32 quirks) { _u32 j; _u8 d=0; if (mss && wss && !(wss % mss)) printf("S%d",wss/mss); else if (wss && !(wss % 1460)) printf("S%d",wss/1460); else if (mss && wss && !(wss % (mss+40))) printf("T%d",wss/(mss+40)); else if (wss && !(wss % 1500)) printf("T%d",wss/1500); else if (wss == 12345) printf("*(12345)"); else printf("%d",wss); if (!open_mode) { if (tot < PACKET_BIG) printf(":%d:%d:%d:",ttl,df,tot); else printf(":%d:%d:*(%d):",ttl,df,tot); } else printf(":%d:%d:*:",ttl,df); for (j=0;j PKT_MAXPAY ? PKT_MAXPAY : dlen; if (!dlen) return; for (i=0;i PKT_MAXPAY ? "..." 
: ""); } _u32 matched_packets; static inline void find_match(_u16 tot,_u8 df,_u8 ttl,_u16 wss,_u32 src, _u32 dst,_u16 sp,_u16 dp,_u8 ocnt,_u8* op,_u16 mss, _u8 wsc,_u32 tstamp,_u8 tos,_u32 quirks,_u8 ecn, _u8* pkt,_u8 plen,_u8* pay, struct timeval pts) { _u32 j; _u8* a; _u8 nat=0; struct fp_entry* p; _u8 orig_df = df; _u8* tos_desc = 0; struct fp_entry* fuzzy = 0; _u8 fuzzy_now = 0; re_lookup: p = bh[SIGHASH(tot,ocnt,quirks,df)]; if (tos) tos_desc = lookup_tos(tos); while (p) { /* Cheap and specific checks first... */ /* psize set to zero means >= PACKET_BIG */ if (!open_mode) { if (p->size) { if (tot ^ p->size) { p = p->next; continue; } } else if (tot < PACKET_BIG) { p = p->next; continue; } } if (ocnt ^ p->optcnt) { p = p->next; continue; } if (p->zero_stamp ^ (!tstamp)) { p = p->next; continue; } if (p->df ^ df) { p = p->next; continue; } if (p->quirks ^ quirks) { p = p->next; continue; } /* Check MSS and WSCALE... */ if (!p->mss_mod) { if (mss ^ p->mss) { p = p->next; continue; } } else if (mss % p->mss) { p = p->next; continue; } if (!p->wsc_mod) { if (wsc ^ p->wsc) { p = p->next; continue; } } else if (wsc % p->wsc) { p = p->next; continue; } /* Then proceed with the most complex WSS check... */ switch (p->wsize_mod) { case 0: if (wss ^ p->wsize) { p = p->next; continue; } break; case MOD_CONST: if (wss % p->wsize) { p = p->next; continue; } break; case MOD_MSS: if (mss && !(wss % mss)) { if ((wss / mss) ^ p->wsize) { p = p->next; continue; } } else if (!(wss % 1460)) { if ((wss / 1460) ^ p->wsize) { p = p->next; continue; } } else { p = p->next; continue; } break; case MOD_MTU: if (mss && !(wss % (mss+40))) { if ((wss / (mss+40)) ^ p->wsize) { p = p->next; continue; } } else if (!(wss % 1500)) { if ((wss / 1500) ^ p->wsize) { p = p->next; continue; } } else { p = p->next; continue; } break; } /* Numbers agree. Let's check options */ for (j=0;jopt[j] ^ op[j]) goto continue_search; /* Check TTLs last because we might want to go fuzzy. 
*/ if (p->ttl < ttl) { if (use_fuzzy) fuzzy = p; p = p->next; continue; } /* Naah... can't happen ;-) */ if (!p->no_detail) if (p->ttl - ttl > MAXDIST) { if (use_fuzzy) fuzzy = p; p = p->next; continue; } continue_fuzzy: /* Match! */ matched_packets++; if (mss & wss) { if (p->wsize_mod == MOD_MSS) { if ((wss % mss) && !(wss % 1460)) nat=1; } else if (p->wsize_mod == MOD_MTU) { if ((wss % (mss+40)) && !(wss % 1500)) nat=2; } } if (!no_known) { if (add_timestamp) put_date(pts); a=(_u8*)&src; printf("%d.%d.%d.%d%s:%d - %s ",a[0],a[1],a[2],a[3],grab_name(a), sp,p->os); if (!no_osdesc) printf("%s ",p->desc); if (nat == 1) printf("(NAT!) "); else if (nat == 2) printf("(NAT2!) "); if (ecn) printf("(ECN) "); if (orig_df ^ df) printf("(firewall!) "); if (tos) { if (tos_desc) printf("[%s] ",tos_desc); else printf("[tos %d] ",tos); } if (p->generic) printf("[GENERIC] "); if (fuzzy_now) printf("[FUZZY] "); if (p->no_detail) printf("* "); else if (tstamp) printf("(up: %d hrs) ",tstamp/360000); if (always_sig || (p->generic && !no_unknown)) { if (!mode_oneline) printf("\n "); printf("Signature: ["); display_signature(ttl,tot,orig_df,op,ocnt,mss,wss,wsc,tstamp,quirks); if (p->generic) printf(":%s:?] ",p->os); else printf("] "); } if (!no_extra && !p->no_detail) { a=(_u8*)&dst; if (!mode_oneline) printf("\n "); if (fuzzy_now) printf("-> %d.%d.%d.%d%s:%d (link: %s)", a[0],a[1],a[2],a[3],grab_name(a),dp, lookup_link(mss,1)); else printf("-> %d.%d.%d.%d%s:%d (distance %d, link: %s)", a[0],a[1],a[2],a[3],grab_name(a),dp,p->ttl - ttl, lookup_link(mss,1)); } if (pay && payload_dump) dump_payload(pay,plen - (pay - pkt)); putchar('\n'); if (full_dump) dump_packet(pkt,plen); } if (find_masq && !p->userland) { _s16 sc = p0f_findmasq(src,p->os,(p->no_detail || fuzzy_now) ? -1 : (p->ttl - ttl), mss, nat, orig_df ^ df,p-sig, tstamp ? 
tstamp / 360000 : -1); a=(_u8*)&src; if (sc > masq_thres) { if (add_timestamp) put_date(pts); printf(">> Masquerade at %u.%u.%u.%u%s: indicators at %d%%.", a[0],a[1],a[2],a[3],grab_name(a),sc); if (!mode_oneline) putchar('\n'); else printf(" -- "); if (masq_flags) { printf(" Flags: "); p0f_descmasq(); putchar('\n'); } } } if (use_cache || find_masq) p0f_addcache(src,dst,sp,dp,p->os,p->desc,(p->no_detail || fuzzy_now) ? -1 : (p->ttl - ttl),p->no_detail ? 0 : lookup_link(mss,0), tos_desc, orig_df ^ df, nat, !p->userland, mss, p-sig, tstamp ? tstamp / 360000 : -1); fflush(0); return; continue_search: p = p->next; } if (!df) { df = 1; goto re_lookup; } if (use_fuzzy && fuzzy) { df = orig_df; fuzzy_now = 1; p = fuzzy; fuzzy = 0; goto continue_fuzzy; } if (mss & wss) { if ((wss % mss) && !(wss % 1460)) nat=1; else if ((wss % (mss+40)) && !(wss % 1500)) nat=2; } if (!no_unknown) { if (add_timestamp) put_date(pts); a=(_u8*)&src; printf("%d.%d.%d.%d%s:%d - UNKNOWN [",a[0],a[1],a[2],a[3],grab_name(a),sp); display_signature(ttl,tot,orig_df,op,ocnt,mss,wss,wsc,tstamp,quirks); printf(":?:?] "); if (rst_mode) { /* Display a reasonable diagnosis of the RST+ACK madness! */ switch (quirks & (QUIRK_RSTACK | QUIRK_SEQ0 | QUIRK_ACK)) { /* RST+ACK, SEQ=0, ACK=0 */ case QUIRK_RSTACK | QUIRK_SEQ0: printf("(invalid-K0) "); break; /* RST+ACK, SEQ=0, ACK=n */ case QUIRK_RSTACK | QUIRK_ACK | QUIRK_SEQ0: printf("(refused) "); break; /* RST+ACK, SEQ=n, ACK=0 */ case QUIRK_RSTACK: printf("(invalid-K) "); break; /* RST+ACK, SEQ=n, ACK=n */ case QUIRK_RSTACK | QUIRK_ACK: printf("(invalid-KA) "); break; /* RST, SEQ=n, ACK=0 */ case 0: printf("(dropped) "); break; /* RST, SEQ=m, ACK=n */ case QUIRK_ACK: printf("(dropped 2) "); break; /* RST, SEQ=0, ACK=0 */ case QUIRK_SEQ0: printf("(invalid-0) "); break; /* RST, SEQ=0, ACK=n */ case QUIRK_ACK | QUIRK_SEQ0: printf("(invalid-0A) "); break; } } if (nat == 1) printf("(NAT!) "); else if (nat == 2) printf("(NAT2!) 
"); if (ecn) printf("(ECN) "); if (tos) { if (tos_desc) printf("[%s] ",tos_desc); else printf("[tos %d] ",tos); } if (tstamp) printf("(up: %d hrs) ",tstamp/360000); if (!no_extra) { a=(_u8*)&dst; if (!mode_oneline) printf("\n "); printf("-> %d.%d.%d.%d%s:%d (link: %s)",a[0],a[1],a[2],a[3], grab_name(a),dp,lookup_link(mss,1)); } if (use_cache) p0f_addcache(src,dst,sp,dp,0,0,-1,lookup_link(mss,0),tos_desc, 0,nat,0 /* not real, we're not sure */ ,mss,(_u32)-1, tstamp ? tstamp / 360000 : -1); if (pay && payload_dump) dump_payload(pay,plen - (pay - pkt)); putchar('\n'); if (full_dump) dump_packet(pkt,plen); fflush(0); } } #define GET16(p) \ ((_u16) *((_u8*)(p)+0) << 8 | \ (_u16) *((_u8*)(p)+1) ) static void parse(_u8* none, struct pcap_pkthdr *pph, _u8* packet) { struct ip_header *iph; struct tcp_header *tcph; struct timeval pts; _u8* end_ptr; _u8* opt_ptr; _u8* pay = 0; _s32 ilen,olen; _u8 op[MAXOPT]; _u8 ocnt = 0; _u16 mss_val = 0, wsc_val = 0; _u32 tstamp = 0; _u32 quirks = 0; packet_count++; if (dumper) pcap_dump((_u8*)dumper,pph,packet); /* Paranoia! */ if (pph->len <= PACKET_SNAPLEN) end_ptr = packet + pph->len; else end_ptr = packet + PACKET_SNAPLEN; iph = (struct ip_header*)(packet+header_len); if (use_vlan && iph->ihl == 0x00) iph = (struct ip_header*)((_u8*)iph + 4); /* Whoops, IP header ends past end_ptr */ if ((_u8*)(iph + 1) > end_ptr) return; if ( ((iph->ihl & 0x40) != 0x40) || iph->proto != IPPROTO_TCP) { debug("[!] WARNING: Non-IP packet received. Bad header_len!\n"); return; } /* If the declared length is shorter than the snapshot (etherleak or such), truncate this bad boy. 
*/ opt_ptr = (_u8*)iph + htons(iph->tot_len); if (end_ptr > opt_ptr) end_ptr = opt_ptr; ilen = iph->ihl & 15; /* OpenBSD kludge */ pts = *(struct timeval*)&pph->ts; /* Borken packet */ if (ilen < 5) return; if (ilen > 5) { #ifdef DEBUG_EXTRAS _u8 i; printf(" -- EXTRA IP OPTIONS (packet below): "); for (i=0;i end_ptr) return; if (rst_mode && (tcph->flags & TH_ACK)) quirks |= QUIRK_RSTACK; if (tcph->seq == tcph->ack) quirks |= QUIRK_SEQEQ; if (!tcph->seq) quirks |= QUIRK_SEQ0; if (tcph->flags & ~(TH_SYN|TH_ACK|TH_RST|TH_ECE|TH_CWR | (open_mode?TH_PUSH:0))) quirks |= QUIRK_FLAGS; ilen=((tcph->doff) << 2) - sizeof(struct tcp_header); if ( (_u8*)opt_ptr + ilen < end_ptr) { #ifdef DEBUG_EXTRAS _u32 i; printf(" -- EXTRA PAYLOAD (packet below): "); for (i=0;i< (_u32)end_ptr - ilen - (_u32)opt_ptr;i++) printf("%02x ",*(opt_ptr + ilen + i)); putchar('\n'); fflush(0); #endif /* DEBUG_EXTRAS */ if (!open_mode) quirks |= QUIRK_DATA; pay = opt_ptr + ilen; } while (ilen > 0) { ilen--; switch (*(opt_ptr++)) { case TCPOPT_EOL: /* EOL */ op[ocnt] = TCPOPT_EOL; ocnt++; if (ilen) { quirks |= QUIRK_PAST; #ifdef DEBUG_EXTRAS printf(" -- EXTRA TCP OPTIONS (packet below): "); while (ilen) { ilen--; if (opt_ptr >= end_ptr) { printf("..."); break; } printf("%02x ",*(opt_ptr++)); } putchar('\n'); fflush(0); #endif /* DEBUG_EXTRAS */ } /* This goto will be probably removed at some point. 
*/ goto end_parsing; case TCPOPT_NOP: /* NOP */ op[ocnt] = TCPOPT_NOP; ocnt++; break; case TCPOPT_SACKOK: /* SACKOK LEN */ op[ocnt] = TCPOPT_SACKOK; ocnt++; ilen--; opt_ptr++; break; case TCPOPT_MAXSEG: /* MSS LEN D0 D1 */ if (opt_ptr + 3 > end_ptr) { borken: quirks |= QUIRK_BROKEN; goto end_parsing; } op[ocnt] = TCPOPT_MAXSEG; mss_val = GET16(opt_ptr+1); ocnt++; ilen -= 3; opt_ptr += 3; break; case TCPOPT_WSCALE: /* WSCALE LEN D0 */ if (opt_ptr + 2 > end_ptr) goto borken; op[ocnt] = TCPOPT_WSCALE; wsc_val = *(_u8 *)(opt_ptr + 1); ocnt++; ilen -= 2; opt_ptr += 2; break; case TCPOPT_TIMESTAMP: /* TSTAMP LEN T0 T1 T2 T3 A0 A1 A2 A3 */ if (opt_ptr + 9 > end_ptr) goto borken; op[ocnt] = TCPOPT_TIMESTAMP; memcpy(&tstamp, opt_ptr+5, 4); if (tstamp) quirks |= QUIRK_T2; memcpy(&tstamp, opt_ptr+1, 4); tstamp = ntohl(tstamp); ocnt++; ilen -= 9; opt_ptr += 9; break; default: /* Hrmpf... */ if (opt_ptr + 1 > end_ptr) goto borken; op[ocnt] = *(opt_ptr-1); olen = *(_u8*)(opt_ptr)-1; if (olen > 32 || (olen < 0)) goto borken; ocnt++; ilen -= olen; opt_ptr += olen; break; } if (ocnt >= MAXOPT-1) goto borken; /* Whoops, we're past end_ptr */ if (ilen > 0) if (opt_ptr >= end_ptr) goto borken; } end_parsing: if (tcph->ack) quirks |= QUIRK_ACK; if (tcph->urg) quirks |= QUIRK_URG; if (tcph->_x2) quirks |= QUIRK_X2; if (!iph->id) quirks |= QUIRK_ZEROID; find_match( /* total */ open_mode ? 0 : ntohs(iph->tot_len), /* DF */ (ntohs(iph->off) & IP_DF) != 0, /* TTL */ iph->ttl, /* WSS */ ntohs(tcph->win), /* src */ iph->saddr, /* dst */ iph->daddr, /* sp */ ntohs(tcph->sport), /* dp */ ntohs(tcph->dport), /* ocnt */ ocnt, /* op */ op, /* mss */ mss_val, /* wsc */ wsc_val, /* tst */ tstamp, /* TOS */ iph->tos, /* Q? 
*/ quirks, /* ECN */ tcph->flags & (TH_ECE|TH_CWR), /* pkt */ (_u8*)iph, /* len */ end_ptr - (_u8*)iph, /* pay */ pay, /* ts */ pts ); #ifdef DEBUG_EXTRAS if (quirks & QUIRK_FLAGS || tcph->ack || tcph->_x2 || tcph->urg) printf(" -- EXTRA TCP VALUES: ACK=0x%x, UNUSED=%d, URG=0x%x " "(flags = %x)\n",tcph->ack,tcph->_x2,tcph->urg,tcph->flags); fflush(0); #endif /* DEBUG_EXTRAS */ } int main(int argc,char** argv) { _u8 buf[MAXLINE*4]; _s32 r; _u8 errbuf[PCAP_ERRBUF_SIZE]; #ifdef WIN32 _u8 ebuf[PCAP_ERRBUF_SIZE]; pcap_if_t *alldevs, *d; _s32 adapter, i; while ((r = getopt(argc, argv, "f:i:s:o:w:c:T:e:XONVFDxKUqvtpArRlSdCLM")) != -1) #else _s32 lsock=0; if (getuid() != geteuid()) fatal("This program is not intended to be setuid.\n"); while ((r = getopt(argc, argv, "f:i:s:o:Q:u:w:c:e:T:XOFNVDxKUqtRpvArlSdCM0")) != -1) #endif /* ^WIN32 */ switch (r) { case 'f': config_file = optarg; break; case 'i': use_iface = optarg; break; case 's': use_dump = optarg; break; case 'w': write_dump = optarg; break; case 'c': query_cache = atoi(optarg); break; case 'o': if (!freopen(optarg,"a",stdout)) pfatal(optarg); use_logfile = 1; break; case 'V': masq_flags = 1; break; case 'M': find_masq = 1; break; case 'T': masq_thres = atoi(optarg); if (masq_thres <= 0 || masq_thres > 200) fatal("Invalid -T value.\n"); break; case 'e': capture_timeout = atoi(optarg); if (capture_timeout <= 0 ||capture_timeout > 10000) fatal("Invalid -e value.\n"); break; #ifndef WIN32 case 'Q': use_cache = optarg; break; case '0': port0_wild = 1; break; case 'u': set_user = optarg; break; #endif /* !WIN32 */ case 'r': do_resolve = 1; break; case 'S': always_sig = 1; break; case 'N': no_extra = 1; break; case 'D': no_osdesc = 1; break; case 'U': no_unknown = 1; break; case 'K': no_known = 1; break; case 'q': no_banner = 1; break; case 'p': use_promisc = 1; break; case 't': add_timestamp++; break; case 'd': go_daemon = 1; break; case 'v': use_vlan = 1; break; case 'l': mode_oneline = 1; break; case 'C': check_collide 
= 1; break; case 'x': full_dump = 1; break; case 'X': payload_dump = 1; break; case 'F': use_fuzzy = 1; break; case 'A': use_rule = "tcp[13] & 0x17 == 0x12"; ack_mode = 1; break; case 'R': use_rule = "tcp[13] & 0x17 == 0x4 or tcp[13] & 0x17 == 0x14"; rst_mode = 1; break; case 'O': use_rule = "tcp[13] & 0x17 == 0x10"; open_mode = 1; break; #ifdef WIN32 case 'L': if (pcap_findalldevs(&alldevs, ebuf) == -1) fatal("pcap_findalldevs: %s\n", ebuf); debug("\nInterface\tDevice\t\tDescription\n" "-------------------------------------------\n"); for(i=1,d=alldevs;d;d=d->next,i++) { debug("%d %s",i, d->name); if (d->description) debug("\t%s",d->description); debug("\n"); } exit(1); break; #endif /* WIN32 */ default: usage(argv[0]); } if (!use_cache && port0_wild) fatal("-0 requires -Q (query mode).\n"); if (use_logfile && !add_timestamp) add_timestamp = 1; if (use_iface && use_dump) fatal("-s and -i are mutually exclusive.\n"); if (full_dump && mode_oneline) fatal("-x and -l are mutually exclusive.\n"); if ((ack_mode && rst_mode) || (ack_mode && open_mode) || (open_mode && ack_mode)) fatal("-A, -R and -O are mutually exclusive.\n"); #ifdef DEBUG_EXTRAS if (mode_oneline || no_known || no_unknown || no_extra) debug("[!] WARNING: compiled with DEBUG_EXTRAS, -l, -K, -U, -N not " "compatible.\n"); #endif if (find_masq || use_cache) p0f_initcache(query_cache); if (!use_cache && !find_masq && no_known && no_unknown) fatal("-U and -K are mutually exclusive (except with -Q or -M).\n"); if (!use_logfile && go_daemon) fatal("-d requires -o.\n"); if (!no_banner) { debug("p0f - passive os fingerprinting utility, version " VER "\n" "(C) M. Zalewski , W. Stearns \n"); #ifdef WIN32 debug("WIN32 port (C) M. Davis , K. Kuehl \n"); #endif /* WIN32 */ if (use_fuzzy && rst_mode) debug("[!] 
WARNING: It is a bad idea to combine -F and -R.\n"); } load_config(config_file); if (argv[optind] && *(argv[optind])) { sprintf(buf,"(%s) and (%.3000s)",use_rule,argv[optind]); use_rule = buf; } if (use_vlan) { _u8* x = strdup(use_rule); sprintf(buf,"(%.1000s) or (vlan and (%.1000s))",x,x); free(x); use_rule = buf; } signal(SIGINT,&die_nicely); signal(SIGTERM,&die_nicely); #ifndef WIN32 signal(SIGHUP,&die_nicely); signal(SIGQUIT,&die_nicely); if (use_cache) { struct sockaddr_un x; lsock = socket(PF_UNIX,SOCK_STREAM,0); if (lsock < 0) pfatal("socket"); memset(&x,0,sizeof(x)); x.sun_family = AF_UNIX; strncpy(x.sun_path,use_cache,63); unlink(use_cache); if (bind(lsock,(struct sockaddr*)&x,sizeof(x))) pfatal(use_cache); if (listen(lsock,10)) pfatal("listen"); } #endif /* !WIN32 */ if (use_dump) { if (!(pt=pcap_open_offline(use_dump, errbuf))) fatal("pcap_open_offline failed: %s\n",errbuf); } else { #ifdef WIN32 if (pcap_findalldevs(&alldevs, ebuf) == -1) fatal("pcap_findalldevs: %s\n", ebuf); if (!use_iface) { d = alldevs; } else { adapter = atoi(use_iface); for(i=1, d=alldevs; adapter && i < adapter && d; i++, d=d->next); if (!d) fatal("Unable to find adapter %d\n", adapter); } use_iface = d->name; #else if (!use_iface) use_iface=pcap_lookupdev(errbuf); #endif /* ^WIN32 */ if (!use_iface) use_iface = "lo"; /* We do not rely on pcap timeouts - they suck really bad. Of course, the documentation sucks, and if you use the timeout of zero, things will break. */ if (!(pt=pcap_open_live(use_iface,PACKET_SNAPLEN,use_promisc,capture_timeout,errbuf))) fatal("pcap_open_live failed: %s\n",errbuf); } set_header_len(pcap_datalink(pt)); if (pcap_compile(pt, &flt, use_rule, 1, 0)) if (strchr(use_rule,'(')) { pcap_perror(pt,"pcap_compile"); debug("See man tcpdump or p0f README for help on bpf filter expressions.\n"); exit(1); } if (!no_banner) { debug("p0f: listening (%s) on '%s', %d sigs (%d generic, cksum %08X), rule: '%s'.\n", ack_mode ? "SYN+ACK" : rst_mode ? "RST+" : open_mode ? 
"OPEN" : "SYN", use_dump?use_dump:use_iface,sigcnt,gencnt,file_cksum, argv[optind]?argv[optind]:"all"); if (use_cache) debug("[*] Accepting queries at socket %s (timeout: %d s).\n",use_cache,QUERY_TIMEOUT); if (find_masq) debug("[*] Masquerade detection enabled at threshold %d%%.\n",masq_thres); } pcap_setfilter(pt, &flt); if (write_dump) { if (!(dumper=pcap_dump_open(pt, write_dump))) { pcap_perror(pt,"pcap_dump_open"); exit(1); } } /* For p0f statistics */ if (ack_mode) operating_mode = 'A'; else if (rst_mode) operating_mode = 'R'; else if (open_mode) operating_mode = 'O'; else operating_mode = 'S'; #ifndef WIN32 if (set_user) { struct passwd* pw; if (geteuid()) fatal("only root can use -u.\n"); tzset(); pw = getpwnam(set_user); if (!pw) fatal("user %s not found.\n",set_user); if (use_cache && chown(use_cache,pw->pw_uid,pw->pw_gid)) debug("[!] Failed to set ownership of query socket."); if (chdir(pw->pw_dir)) pfatal(pw->pw_dir); if (chroot(pw->pw_dir)) pfatal("chroot"); chdir("/"); if (initgroups(pw->pw_name,pw->pw_gid)) pfatal("initgroups"); if (setgid(pw->pw_gid)) pfatal("setgid"); if (setuid(pw->pw_uid)) pfatal("setuid"); if (getegid() != pw->pw_gid || geteuid() != pw->pw_uid) fatal("failed to setuid/setgid to the desired UID/GID.\n"); } #endif /* !WIN32 */ if (go_daemon) { #ifndef WIN32 _s32 f; struct timeval tv; FILE* pid_fd; fflush(0); f = fork(); if (f<0) pfatal("fork() failed"); if (f) exit(0); dup2(1,2); close(0); chdir("/"); setsid(); signal(SIGHUP,SIG_IGN); if ((pid_fd = fopen(PID_PATH, "w"))) { fprintf(pid_fd, "%d", getpid()); fclose(pid_fd); } printf("--- p0f " VER " resuming operations at "); gettimeofday(&tv, (struct timezone*)0); put_date(tv); printf("---\n"); fflush(0); #else fatal("daemon mode is not support in the WIN32 version.\n"); #endif /* ^WIN32 */ } st_time = time(0); #ifndef WIN32 if (use_cache) { _s32 mfd,max; mfd = pcap_fileno(pt); max = 1 + (mfd > lsock ? 
mfd : lsock); while (1) { fd_set f,e; FD_ZERO(&f); FD_SET(mfd,&f); FD_SET(lsock,&f); FD_ZERO(&e); FD_SET(mfd,&e); FD_SET(lsock,&e); /* This is the neat way to do it; pcap timeouts are broken on many platforms, Linux always resumes recvfrom() on the raw socket, even with no SA_RESTART, it's a mess... select() is rather neutral. */ select(max,&f,0,&e,0); if (FD_ISSET(mfd, &f) || FD_ISSET(mfd,&e)) if (pcap_dispatch(pt,-1,(pcap_handler)&parse,0) < 0) break; if (FD_ISSET(lsock,&f)) { struct timeval tv; struct p0f_query q; _s32 c; if ((c=accept(lsock,0,0))<0) continue; FD_ZERO(&f); FD_SET(c,&f); tv.tv_sec = QUERY_TIMEOUT; tv.tv_usec = 0; if (select(c+1,&f,0,&f,&tv)>0) if (recv(c,&q,sizeof(q),MSG_NOSIGNAL) == sizeof(q)) p0f_handlequery(c,&q,port0_wild); shutdown(c,2); close(c); } if (FD_ISSET(lsock,&e)) fatal("Query socket error.\n"); } } else #endif /* !WIN32 */ pcap_loop(pt,-1,(pcap_handler)&parse,0); pcap_close(pt); if (dumper) pcap_dump_close(dumper); if (use_dump) debug("[+] End of input file.\n"); else fatal("Network is down.\n"); return 0; } p0f/p0f.fp0100644000175100017500000010044110472340235012137 0ustar lcamtufusers# # p0f - SYN fingerprints # ---------------------- # # .-------------------------------------------------------------------------. # | The purpose of this file is to cover signatures for incoming TCP/IP | # | connections (SYN packets). This is the default mode of operation for | # | p0f. This is also the biggest and most up-to-date set of signatures | # | shipped with this project. The file also contains a detailed discussion | # | of all metrics examined by p0f, and some practical notes on how to | # | add new signatures. | # `-------------------------------------------------------------------------' # # (C) Copyright 2000-2006 by Michal Zalewski # # Each line in this file specifies a single fingerprint. 
Please read the # information below carefully before attempting to append any signatures # reported by p0f as UNKNOWN to this file to avoid mistakes. Note that # this file is compatible only with the default operation mode, and not # with -R or -A options (SYN+ACK and RST+ modes). # # We use the following set metrics for fingerprinting: # # - Window size (WSS) - a highly OS dependent setting used for TCP/IP # performance control (max. amount of data to be sent without ACK). # Some systems use a fixed value for initial packets. On other # systems, it is a multiple of MSS or MTU (MSS+40). In some rare # cases, the value is just arbitrary. # # NEW SIGNATURE: if p0f reported a special value of 'Snn', the number # appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn' # means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the # value of nn is not fixed (unlikely), just copy the Snn or Tnn token # literally. If you know this device has a simple stack and a fixed # MTU, you can however multiply S value by MSS, or T value by MSS+40, # and put it instead of Snn or Tnn. One system may exhibit several T # or S values. In some situations, this might be a source of some # additional information about the setup if you have some time to dig # thru the kernel sources; in some other cases, like Windows, there seem # to be a multitude of variants and WSS selection algorithms, but it's # rather difficult to find a pattern without having the source. # # If WSS looks like a regular fixed value (for example is a power of two), # or if you can confirm the value is fixed by looking at several # fingerprints, please quote it literaly. If there's no apparent pattern # in WSS chosen, you should consider wildcarding this value - but this # should be the last option. # # NOTE: Some NAT devices, such as Linux iptables with --set-mss, will # modify MSS, but not WSS. 
As a result, MSS is changed to reflect # the MTU of the NAT device, but WSS remains a multiple of the original # MSS. Fortunately for us, the source device would almost always be # hooked up to Ethernet. P0f handles it automatically for the original # MSS of 1460, by adding "NAT!" tag to the result. # # In certain configurations, Linux erratically (?) uses MTU from another # interface on the default gw interface. This only happens on systems with # two network interfaces. Thus, some Linux systems that do not go thru NAT, # but have multiple interfaces instead, will be also tagged this way. # # P0f recognizes and automatically wildcards WSS of 12345, as generated # by sendack and sendsyn utilities shipped with the program, when # reporting a new signature. See test/sendack.c and test/sendsyn.c for more # information about this. # # - Overall packet size - a function of all IP and TCP options and bugs. # While this is partly redundant in the real world, we record this value # to capture rare cases when there are IP options (which we do not currently # examine) or packet data past the headers. Both situations are rare. # # Packet size MAY be wildcarded, but the meaning of the wildcard is # very special, and means the packet must be larger than PACKET_BIG # (defined in config.h as 100). This is usually not necessary, except # for some really broken implementations in RST+ mode. For more information, # see p0fr.fp. P0f automatically wildcards big packets when reporting # new signatures. # # NEW SIGNATURE: Copy this value literally. # # - Initial TTL - We check the actual TTL of a received packet. It can't # be higher than the initial TTL, and also shouldn't be dramatically # lower (maximum distance is defined in config.h as 40 hops). # # NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally. # You need to determine the initial TTL. The best way to do it is to # check the documentation for a remote system, or check its settings. 
# A fairly good method is to simply round the observed TTL up to # 32, 64, 128, or 255, but it should be noted that some obscure devices # might not use round TTLs (in particular, some shoddy appliances and # IRIX and Tru64 are known to use "original" initial TTL settings). If not # sure, use traceroute or mtr to see how far you are from the host. # # Note that -F option overrides this check if no signature can be found. # # - Don't fragment flag (DF) - some modern OSes set this to implement PMTU # discovery. Others do not bother. # # NEW SIGNATURE: Copy this value literally. Note: this setting is # sometimes cleared by firewalls and/or certain connectivity clients. # Try to find out what's the actual state for a given OS if you see both, # and add the right one. P0f will automatically detect a case when a # firewall removed the DF flag and will append "(firewall!)" suffix to # the signature, so if the DF version is the right one, don't add no-DF # variant, unless it has a different meaning. # # - Maximum segment size (MSS) - this setting is usually link-dependent. P0f # uses it to determine link type of the remote host. # # NEW SIGNATURE: Always wildcard this value, except for rare cases when # you have an appliance with a fixed value, know the system supports only # a very limited number of network interface types, or know the system # is using a value it pulled out of nowhere. I use specific unique MSS # to tell Google crawlbots from the rest of Linux population, for example. # # If a specific MSS/MTU is unique to a certain link type, be sure to # add it to mtu.h instead of creating several variants of each signature. # # - Window scaling (WSCALE) - this feature is used to scale WSS. # It extends the size of a TCP/IP window to 32 bits, of sorts. Some modern # systems implement this feature. # # NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set # to zero or other low value. There's usually no need to wildcard this # parameter. 
# # - Timestamp - some systems that implement timestamps set them to # zero in the initial SYN. This case is detected and handled appropriately. # # NEW SIGNATURE: Copy T or T0 option literally. # # - Selective ACK permitted - a flag set by systems that implement # selective ACK functionality, # # NEW SIGNATURE: copy S option literally. # # - NOP option - its presence, count and sequence is a useful OS-dependent # characteristic, # # NEW SIGNATURE: copy N options literally. # # - Other and unrecognized options (TTCP-related and such) - implemented by # some eccentric or very buggy TCP/IP stacks ;-), # # NEW SIGNATURE: copy ? options literally. # # - EOL option. Contrary to the popular belief, the presence of EOL # option is actually quite rare, most systems just NOP-pad to the # packet boundary. # # NEW SIGNATURE: copy E option literally. # # - The sequence of TCP all options mentioned above - this is very # specific to the implementation, # # NEW SIGNATURE: Copy the sequence literally. # # - Quirks. Some buggy stacks set certain values that should be zeroed in a # TCP packet to non-zero values. This has no effect as of today, but is # a valuable source of information. Some systems actually seem to leak # memory there. Other systems just exhibit harmful but very specific # behavior. This section captures all unusual yes-no properties not # related to the main and expected header layout. We detect the following: # # - Data past the headers. Neither SYN nor SYN+ACK packets are supposed # to carry any payload. If they do, we should take notice. The actual # payload is not examined, but will be displayed if use the -X option. # Note that payload is not unusual in RST+ mode (see p0fr.fp), very # rare otherwise. # # - Options past EOL. Some systems have some trailing data past EOL # in the options section of TCP/IP headers. P0f does not examine this # data as of today, simply detects its presence. 
If there is a # confirmed sizable population of systems that have data past EOL, it # might be a good idea to look at it. Until then, you have to recompile # p0f with DEBUG_EXTRAS set or use -x to display this data, # # - Zero IP ID. This again is a (mostly) harmless setting to use a fixed # IP ID for packets with DF set. Some systems reportedly use zero ID, # most OSes do not. There is a very slight probability of a false # positive when IP ID is "naturally" chosen to be zero on a system # that otherwise does set proper values, but the probability is # neglible (if it becomes a problem, recompile p0f with IGNORE_ZEROID # set in the sources). # # - IP options specified. Usually, packets do not have any IP options # set, but there can be some. Until there is a confirmed sizable # population of systems that do have IP options in a packet, p0f # does not examine those in detail, but it might change (use # DEBUG_EXTRAS or -x to display IP options if any found), # # - URG pointer value. SYN packets do not have URG flag set, so the # value in URG pointer in TCP header is ignored. Most systems set it # to zero, but some OSes (some versions of Windows, for example) do # not zero this field or even simply leak memory; the actual value is # not examined, because most cases seem to be just random garbage # (you can use DEBUG_EXTRAS or -x to report this information though); # see doc/win-memleak.txt for more information, # # - "Unused" field value. This should be always zero, but some systems # forget to clear it. This might result in some funny issues in the # future. P0f checks for non-zero value (and will display it if # DEBUG_EXTRAS is set, or you can use -x), # # - ACK number non-zero. ACK value in SYN packets with no ACK flag # is disregarded and is usually set to zero (just like with URG # pointer), but some systems forget to do it. The exact value is # not examined (but will be displayed with DEBUG_EXTRAS, or you can # use -x). 
Note that this is not an anomaly in SYN+ACK and RST+ modes, # # - Non-zero second timestamp. The initial SYN packet should have the # second timestamp always zeroed. SYN+ACK and RST+ may "legally" have # this quirk though, # # - Unusual flags. If, in addition to SYN (or SYN+ACK), there are some # auxilinary flags that do not modify the very meaning of a packet, # p0f records this (this can be URG, PUSH, or something else). # # Note: ECN flags (ECE and CWR) are ignored and denoted in a separate # way. ECN is never by default, because some systems can't handle it, # and it probably does not make much sense to include it in signatures # right now. # # - TCP option segment parsing problems. If p0f fails to decode options # because of a badly broken packet, it records this fact. # # There are several other quirks valid only in RST+ mode, see p0fr.fp for # more information. Those quirks are unheard of in SYN and SYN+ACK # modes. # # NEW SIGNATURE: Copy "quirks" section literally. # # We DO NOT use ToS for fingerprinting. While the original TCP/IP # fingerprinting research believed this value would be useful for this # purpose, it is not. The setting is way too often tweaked by network # devices. # # To wildcard MSS, WSS or WSCALE, replace it with '*'. You can also use a # modulo operator to match any values that divide by nnn - '%nnn' (and, # as stated above, WSS also supports special values Snn and Tnn). # # Fingerprint entry format: # # wwww:ttt:D:ss:OOO...:QQ:OS:Details # # wwww - window size (can be * or %nnn or Sxx or Txx) # "Snn" (multiple of MSS) and "Tnn" (multiple of MTU) are allowed. 
# ttt - initial TTL # D - don't fragment bit (0 - not set, 1 - set) # ss - overall SYN packet size (* has a special meaning) # OOO - option value and order specification (see below) # QQ - quirks list (see below) # OS - OS genre (Linux, Solaris, Windows) # details - OS description (2.0.27 on x86, etc) # # If OS genre starts with '*', p0f will not show distance, link type # and timestamp data. It is useful for userland TCP/IP stacks of # network scanners and so on, where many settings are randomized or # bogus. # # If OS genre starts with @, it denotes an approximate hit for a group # of operating systems (signature reporting still enabled in this case). # Use this feature at the end of this file to catch cases for which # you don't have a precise match, but can tell it's Windows or FreeBSD # or whatnot by looking at, say, flag layout alone. # # If OS genre starts with - (which can prefix @ or *), the entry is # not considered to be a real operating system (but userland stack # instead). It is important to mark all scanners and so on with -, # so that they are not used for masquerade detection (also add this # prefix for signatures of application-induced behavior, such as # increased window size with Opera browser). # # Option block description is a list of comma or space separated # options in the order they appear in the packet: # # N - NOP option # E - EOL option # Wnnn - window scaling option, value nnn (or * or %nnn) # Mnnn - maximum segment size option, value nnn (or * or %nnn) # S - selective ACK OK # T - timestamp # T0 - timestamp with zero value # ?n - unrecognized option number n. # # P0f can sometimes report ?nn among the options. This means it couldn't # recognize this option (option number nn). It's either a bug in p0f, or # a faulty TCP/IP stack, or, if the number is listed here: # # http://www.iana.org/assignments/tcp-parameters # # ...the stack might be simply quite exotic. # # To denote no TCP options, use a single '.'. 
# # Quirks section is usually an empty list ('.') of oddities or bugs of this # particular stack. List items are not separated in any way. Possible values: # # P - options past EOL, # Z - zero IP ID, # I - IP options specified, # U - urg pointer non-zero, # X - unused (x2) field non-zero, # A - ACK number non-zero, # T - non-zero second timestamp, # F - unusual flags (PUSH, URG, etc), # D - data payload, # ! - broken options segment. # # WARNING WARNING WARNING # ----------------------- # # Do not add a system X as OS Y just because NMAP says so. It is often # the case that X is a NAT firewall. While nmap is talking to the # device itself, p0f is fingerprinting the guy behind the firewall # instead. # # When in doubt, use common sense, don't add something that looks like # a completely different system as Linux or FreeBSD or LinkSys router. # Check DNS name, establish a connection to the remote host and look # at SYN+ACK (p0f -A -S should do) - does it look similar? # # Some users tweak their TCP/IP settings - enable or disable RFC1323, # RFC1644 or RFC2018 support, disable PMTU discovery, change MTU, initial # TTL and so on. Always compare a new rule to other fingerprints for # this system, and verify the system isn't "customized". It is OK to # add signature variants caused by commonly used software (PFs, security # packages, etc), but it makes no sense to try to add every single # possible /proc/sys/net/ipv4/* tweak on Linux or so. # # KEEP IN MIND: Some packet firewalls configured to normalize outgoing # traffic (OpenBSD pf with "scrub" enabled, for example) will, well, # normalize packets. Signatures will not correspond to the originating # system (and probably not quite to the firewall either). # # NOTE: Try to keep this file in some reasonable order, from most to # least likely systems. This will speed up operation. Also keep most # generic and broad rules near the end. # # Still decided to add signature? 
Let us know - mail a copy of your discovery # to lcamtuf@coredump.cx. You can help make p0f better, and I can help you # make your signature more accurate. # ########################## # Standard OS signatures # ########################## # ----------------- AIX --------------------- # AIX is first because its signatures are close to NetBSD, MacOS X and # Linux 2.0, but it uses fairly rare MSSes, at least sometimes... # This is a shoddy hack, though. 45046:64:0:44:M*:.:AIX:4.3 16384:64:0:44:M512:.:AIX:4.3.2 and earlier 16384:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (1) 32768:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (2) 65535:64:0:60:M512,N,W%2,N,N,T:.:AIX:4.3.3-5.2 (3) 65535:64:0:64:M*,N,W1,N,N,T,N,N,S:.:AIX:5.3 ML1 # ----------------- Linux ------------------- S1:64:0:44:M*:A:Linux:1.2.x 512:64:0:44:M*:.:Linux:2.0.3x (1) 16384:64:0:44:M*:.:Linux:2.0.3x (2) # Endian snafu! Nelson says "ha-ha": 2:64:0:44:M*:.:Linux:2.0.3x (MkLinux) on Mac (1) 64:64:0:44:M*:.:Linux:2.0.3x (MkLinux) on Mac (2) S4:64:1:60:M1360,S,T,N,W0:.:Linux:2.4 (Google crawlbot) S4:64:1:60:M1430,S,T,N,W0:.:Linux:2.4-2.6 (Google crawlbot) S2:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (large MTU?) 
S3:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (newer) S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4-2.6 S3:64:1:60:M*,S,T,N,W1:.:Linux:2.6, seldom 2.4 (older, 1) S4:64:1:60:M*,S,T,N,W1:.:Linux:2.6, seldom 2.4 (older, 2) S3:64:1:60:M*,S,T,N,W2:.:Linux:2.6, seldom 2.4 (older, 3) S4:64:1:60:M*,S,T,N,W2:.:Linux:2.6, seldom 2.4 (older, 4) T4:64:1:60:M*,S,T,N,W2:.:Linux:2.6 (older, 5) S4:64:1:60:M*,S,T,N,W5:.:Linux:2.6 (newer, 1) S4:64:1:60:M*,S,T,N,W6:.:Linux:2.6 (newer, 2) S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (newer, 3) T4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (newer, 4) S20:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (1) S22:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (2) S11:64:1:60:M*,S,T,N,W0:.:Linux:2.2 (3) # Popular cluster config scripts disable timestamps and # selective ACK: S4:64:1:48:M1460,N,W0:.:Linux:2.4 in cluster # This happens only over loopback, but let's make folks happy: 32767:64:1:60:M16396,S,T,N,W0:.:Linux:2.4 (loopback) 32767:64:1:60:M16396,S,T,N,W2:.:Linux:2.6 (newer, loopback) S8:64:1:60:M3884,S,T,N,W0:.:Linux:2.2 (loopback) # Opera visitors: 16384:64:1:60:M*,S,T,N,W0:.:-Linux:2.2 (Opera?) 32767:64:1:60:M*,S,T,N,W0:.:-Linux:2.4 (Opera?) # Some fairly common mods & oddities: S22:64:1:52:M*,N,N,S,N,W0:.:Linux:2.2 (tstamp-) S4:64:1:52:M*,N,N,S,N,W0:.:Linux:2.4 (tstamp-) S4:64:1:52:M*,N,N,S,N,W2:.:Linux:2.6 (tstamp-) S4:64:1:44:M*:.:Linux:2.6? (barebone, rare!) T4:64:1:60:M1412,S,T,N,W0:.:Linux:2.4 (rare!) 
# ----------------- FreeBSD ----------------- 16384:64:1:44:M*:.:FreeBSD:2.0-4.2 16384:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.4 (1) 1024:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.4 (2) 57344:64:1:44:M*:.:FreeBSD:4.6-4.8 (RFC1323-) 57344:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.6-4.9 32768:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.8-5.1 (or MacOS X 10.2-10.3) 65535:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.7-5.2 (or MacOS X 10.2-10.4) (1) 65535:64:1:60:M*,N,W1,N,N,T:.:FreeBSD:4.7-5.2 (or MacOS X 10.2-10.4) (2) 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1 (1) 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1 (2) 65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1 (3) 65535:64:1:64:M*,N,N,S,N,W1,N,N,T:.:FreeBSD:5.3-5.4 65535:64:1:64:M*,N,W1,N,N,T,S,E:P:FreeBSD:6.x (1) 65535:64:1:64:M*,N,W0,N,N,T,S,E:P:FreeBSD:6.x (2) 65535:64:1:44:M*:Z:FreeBSD:5.2 (RFC1323-) # 16384:64:1:60:M*,N,N,N,N,N,N,T:.:FreeBSD:4.4 (tstamp-) # ----------------- NetBSD ------------------ 16384:64:0:60:M*,N,W0,N,N,T:.:NetBSD:1.3 65535:64:0:60:M*,N,W0,N,N,T0:.:-NetBSD:1.6 (Opera) 16384:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6 65535:64:1:60:M*,N,W1,N,N,T0:.:NetBSD:1.6W-current (DF) 65535:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6X (DF) 32768:64:1:60:M*,N,W0,N,N,T0:.:NetBSD:1.6Z or 2.0 (DF) 32768:64:1:64:M1416,N,W0,S,N,N,N,N,T0:.:NetBSD:2.0G (DF) 32768:64:1:64:M*,N,W0,S,N,N,N,N,T0:.:NetBSD:3.0 (DF) # ----------------- OpenBSD ----------------- 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.9 57344:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.3-3.4 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4 (scrub) 65535:64:1:64:M*,N,N,S,N,W0,N,N,T:.:-OpenBSD:3.0-3.4 (Opera?) 
32768:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.7 # ----------------- Solaris ----------------- S17:64:1:64:N,W3,N,N,T0,N,N,S,M*:.:Solaris:8 (RFC1323 on) S17:64:1:48:N,N,S,M*:.:Solaris:8 (1) S17:255:1:44:M*:.:Solaris:2.5-7 (1) # Sometimes, just sometimes, Solaris feels like coming up with # rather arbitrary MSS values ;-) S6:255:1:44:M*:.:Solaris:2.5-7 (2) S23:64:1:48:N,N,S,M*:.:Solaris:8 (2) S34:64:1:48:M*,N,N,S:.:Solaris:9 S34:64:1:48:M*,N,N,N,N:.:Solaris:9 (no sack) S44:255:1:44:M*:.:Solaris:7 4096:64:0:44:M1460:.:SunOS:4.1.x S34:64:1:52:M*,N,W0,N,N,S:.:Solaris:10 (beta) 32850:64:1:64:M*,N,N,T,N,W1,N,N,S:.:Solaris:10 (1203?) 32850:64:1:64:M*,N,W1,N,N,T,N,N,S:.:Solaris:9.1 # ----------------- IRIX -------------------- 49152:60:0:44:M*:.:IRIX:6.2-6.4 61440:60:0:44:M*:.:IRIX:6.2-6.5 49152:60:0:52:M*,N,W2,N,N,S:.:IRIX:6.5 (RFC1323+) (1) 49152:60:0:52:M*,N,W3,N,N,S:.:IRIX:6.5 (RFC1323+) (2) 61440:60:0:48:M*,N,N,S:.:IRIX:6.5.12-6.5.21 (1) 49152:60:0:48:M*,N,N,S:.:IRIX:6.5.12-6.5.21 (2) 49152:60:0:64:M*,N,W2,N,N,T,N,N,S:.:IRIX:6.5 IP27 # ----------------- Tru64 ------------------- # Tru64 and OpenVMS share the same stack on occassions. # Relax. 32768:60:1:48:M*,N,W0:.:Tru64:4.0 (or OS/2 Warp 4) 32768:60:0:48:M*,N,W0:.:Tru64:5.0 (or OpenVMS 7.x on Compaq 5.0 stack) 8192:60:0:44:M1460:.:Tru64:5.1 (no RFC1323) (or QNX 6) 61440:60:0:48:M*,N,W0:.:Tru64:v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack) # ----------------- OpenVMS ----------------- 6144:64:1:60:M*,N,W0,N,N,T:.:OpenVMS:7.2 (Multinet 4.3-4.4 stack) # ----------------- MacOS ------------------- S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic 16616:255:1:48:M*,W0,E:.:MacOS:7.3-8.6 (OTTCP) 16616:255:1:48:M*,N,N,N,E:.:MacOS:8.1-8.6 (OTTCP) 32768:255:1:48:M*,W0,N:.:MacOS:9.0-9.2 32768:255:1:48:M1380,N,N,N,N:.:MacOS:9.1 (OT 2.7.4) (1) 65535:255:1:48:M*,N,N,N,N:.:MacOS:9.1 (OT 2.7.4) (2) # ----------------- Windows ----------------- # Windows TCP/IP stack is a mess. 
For most recent XP, 2000 and # even 98, the pathlevel, not the actual OS version, is more # relevant to the signature. They share the same code, so it would # seem. Luckily for us, almost all Windows 9x boxes have an # awkward MSS of 536, which I use to tell one from another # in most difficult cases. 8192:32:1:44:M*:.:Windows:3.11 (Tucows) S44:64:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:95 8192:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:95b # There were so many tweaking tools and so many stack versions for # Windows 98 it is no longer possible to tell them from each other # without some very serious research. Until then, there's an insane # number of signatures, for your amusement: S44:32:1:48:M*,N,N,S:.:Windows:98 (low TTL) (1) 8192:32:1:48:M*,N,N,S:.:Windows:98 (low TTL) (2) %8192:64:1:48:M536,N,N,S:.:Windows:98 (13) %8192:128:1:48:M536,N,N,S:.:Windows:98 (15) S4:64:1:48:M*,N,N,S:.:Windows:98 (1) S6:64:1:48:M*,N,N,S:.:Windows:98 (2) S12:64:1:48:M*,N,N,S:.:Windows:98 (3 T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S:.:Windows:98 (16) 32767:64:1:48:M*,N,N,S:.:Windows:98 (4) 37300:64:1:48:M*,N,N,S:.:Windows:98 (5) 46080:64:1:52:M*,N,W3,N,N,S:.:Windows:98 (RFC1323+) 65535:64:1:44:M*:.:Windows:98 (no sack) S16:128:1:48:M*,N,N,S:.:Windows:98 (6) S16:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:Windows:98 (7) S26:128:1:48:M*,N,N,S:.:Windows:98 (8) T30:128:1:48:M*,N,N,S:.:Windows:98 (9) 32767:128:1:52:M*,N,W0,N,N,S:.:Windows:98 (10) 60352:128:1:48:M*,N,N,S:.:Windows:98 (11) 60352:128:1:64:M*,N,W2,N,N,T0,N,N,S:.:Windows:98 (12) # What's with 1414 on NT? T31:128:1:44:M1414:.:Windows:NT 4.0 SP6a (1) 64512:128:1:44:M1414:.:Windows:NT 4.0 SP6a (2) 8192:128:1:44:M*:.:Windows:NT 4.0 (older) # Windows XP and 2000. Most of the signatures that were # either dubious or non-specific (no service pack data) # were deleted and replaced with generics at the end. 
65535:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1+ %8192:128:1:48:M*,N,N,S:.:Windows:2000 SP2+, XP SP1+ (seldom 98) S20:128:1:48:M*,N,N,S:.:Windows:SP3 S45:128:1:48:M*,N,N,S:.:Windows:2000 SP4, XP SP1+ (2) 40320:128:1:48:M*,N,N,S:.:Windows:2000 SP4 S6:128:1:48:M*,N,N,S:.:Windows:XP, 2000 SP2+ S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+ (1) S44:128:1:48:M*,N,N,S:.:Windows:XP SP1+, 2000 SP3 64512:128:1:48:M*,N,N,S:.:Windows:XP SP1+, 2000 SP3 (2) 32767:128:1:48:M*,N,N,S:.:Windows:XP SP1+, 2000 SP4 (3) # Windows 2003 & Vista 8192:128:1:52:M*,W8,N,N,N,S:.:Windows:Vista (beta) 32768:32:1:52:M1460,N,W0,N,N,S:.:Windows:2003 AS 65535:64:1:52:M1460,N,W2,N,N,S:.:Windows:2003 (1) 65535:64:1:48:M1460,N,N,S:.:Windows:2003 (2) # Odds, ends, mods: S52:128:1:48:M1260,N,N,S:.:Windows:XP/2000 via Cisco 65520:128:1:48:M*,N,N,S:.:Windows:XP bare-bone 16384:128:1:52:M536,N,W0,N,N,S:.:Windows:2000 w/ZoneAlarm? 2048:255:0:40:.:.:Windows:.NET Enterprise Server 44620:64:0:48:M*,N,N,S:.:Windows:ME no SP (?) S6:255:1:48:M536,N,N,S:.:Windows:95 winsock 2 32000:128:0:48:M*,N,N,S:.:Windows:XP w/Winroute? 16384:64:1:48:M1452,N,N,S:.:Windows:XP w/Sygate? (1) 17256:64:1:48:M1460,N,N,S:.:Windows:XP w/Sygate? (2) # No need to be more specific, it passes: *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) # ----------------- HP/UX ------------------- 32768:64:1:44:M*:.:HP-UX:B.10.20 32768:64:1:48:M*,W0,N:.:HP-UX:11.00-11.11 # Whoa. Hardcore WSS. 
0:64:0:48:M*,W0,N:.:HP-UX:B.11.00 A (RFC1323+) # ----------------- RiscOS ------------------ 16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12:.:RISC OS:3.70-4.36 (inet 5.04) 12288:32:0:44:M536:.:RISC OS:3.70 inet 4.10 4096:64:1:56:M1460,N,N,T:T:RISC OS:3.70 freenet 2.00 # ----------------- BSD/OS ------------------ 8192:64:1:60:M1460,N,W0,N,N,T:.:BSD/OS:3.1-4.3 (or MacOS X 10.2) # ---------------- NetwonOS ----------------- 4096:64:0:44:M1420:.:NewtonOS:2.1 # ---------------- NeXTSTEP ----------------- S8:64:0:44:M512:.:NeXTSTEP:3.3 (1) S4:64:0:44:M1024:.:NeXTSTEP:3.3 (2) # ------------------ BeOS ------------------- 1024:255:0:48:M*,N,W0:.:BeOS:5.0-5.1 12288:255:0:44:M*:.:BeOS:5.0.x # ------------------ OS/400 ----------------- 8192:64:1:60:M1440,N,W0,N,N,T:.:OS/400:V4R4/R5 8192:64:0:44:M536:.:OS/400:V4R3/M0 4096:64:1:60:M1440,N,W0,N,N,T:.:OS/400:V4R5 + CF67032 28672:64:0:44:M1460:A:OS/390:? # ------------------ ULTRIX ----------------- 16384:64:0:40:.:.:ULTRIX:4.5 # ------------------- QNX ------------------- S16:64:0:44:M512:.:QNX:demodisk 16384:64:0:60:M1460,N,W0,N,N,T0:.:QNX:6.x # ------------------ Novell ----------------- 16384:128:1:44:M1460:.:Novell:NetWare 5.0 6144:128:1:44:M1460:.:Novell:IntranetWare 4.11 6144:128:1:44:M1368:.:Novell:BorderManager ? # According to rfp: 6144:128:1:52:M*,W0,N,S,N,N:.:Novell:Netware 6 SP3 # -------------- SCO UnixWare --------------- S3:64:1:60:M1460,N,W0,N,N,T:.:SCO:UnixWare 7.1 S17:64:1:60:M*,N,W0,N,N,T:.:SCO:UnixWare 7.1.x S23:64:1:44:M1380:.:SCO:OpenServer 5.0 # ------------------- DOS ------------------- 2048:255:0:44:M536:.:DOS:Arachne via WATTCP/1.05 T2:255:0:44:M984:.:DOS:Arachne via WATTCP/1.05 (eepro) 16383:64:0:44:M536:.:DOS:Unknown via WATTCP (epppd) # ------------------ OS/2 ------------------- S56:64:0:44:M512:.:OS/2:4 28672:64:0:44:M1460:.:OS/2:Warp 4.0 # ----------------- TOPS-20 ----------------- # Another hardcore MSS, one of the ACK leakers hunted down. 
0:64:0:44:M1460:A:TOPS-20:version 7 # ------------------ AMIGA ------------------ S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack # ------------------ Minix ------------------ # Not quite sure. # 8192:210:0:44:M1460:X:@Minix:? # ------------------ Plan9 ------------------ 65535:255:0:48:M1460,W0,N:.:Plan9:edition 4 # ----------------- AMIGAOS ----------------- 16384:64:1:48:M1560,N,N,S:.:AMIGAOS:3.9 BB2 MiamiDX # ----------------- FreeMiNT ---------------- S44:255:0:44:M536:.:FreeMiNT:1 patch 16A (Atari) ########################################### # Appliance / embedded / other signatures # ########################################### # ---------- Firewalls / routers ------------ S12:64:1:44:M1460:.:@Checkpoint:(unknown 1) S12:64:1:48:N,N,S,M1460:.:@Checkpoint:(unknown 2) 4096:32:0:44:M1460:.:ExtremeWare:4.x S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3 S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026 S4:64:1:60:W0,N,S,T,M1460:.:FortiNet:FortiGate 50 8192:64:1:44:M1460:.:@Eagle:Secure Gateway # ------- Switches and other stuff ---------- 4128:255:0:44:M*:Z:Cisco:7200, Catalyst 3500, etc S8:255:0:44:M*:.:Cisco:12008 S4:255:0:44:M536:Z:Cisco:IOS 11.0 60352:128:1:64:M1460,N,W2,N,N,T,N,N,S:.:Alteon:ACEswitch 64512:128:1:44:M1370:.:Nortel:Contivity Client # ---------- Caches and whatnots ------------ 8190:255:0:44:M1428:.:Google:Wireless Transcoder (1) 8190:255:0:44:M1460:.:Google:Wireless Transcoder (2) 8192:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:5.2 16384:64:1:64:M1460,N,N,S,N,W0,N:.:NetCache:5.3 65535:64:1:64:M1460,N,N,S,N,W*,N,N,T:.:NetCache:5.3-5.5 (or FreeBSD 5.4) 20480:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:4.1 S44:64:1:64:M1460,N,N,S,N,W0,N,N,T:.:NetCache:5.5 32850:64:1:64:N,W1,N,N,T,N,N,S,M*:.:NetCache:Data OnTap 5.x 65535:64:0:60:M1460,N,W0,N,N,T:.:CacheFlow:CacheOS 4.1 8192:64:0:60:M1380,N,N,N,N,N,N,T:.:CacheFlow:CacheOS 1.1 S4:64:0:48:M1460,N,N,S:.:Cisco:Content Engine 27085:128:0:40:.:.:Dell:PowerApp 
cache (Linux-based) 65535:255:1:48:N,W1,M1460:.:Inktomi:crawler S1:255:1:60:M1460,S,T,N,W0:.:LookSmart:ZyBorg 16384:255:0:40:.:.:Proxyblocker:(what's this?) 65535:255:0:48:M*,N,N,S:.:Redline: T|X 2200 # ----------- Embedded systems -------------- S9:255:0:44:M536:.:PalmOS:Tungsten T3/C S5:255:0:44:M536:.:PalmOS:3/4 S4:255:0:44:M536:.:PalmOS:3.5 2948:255:0:44:M536:.:PalmOS:3.5.3 (Handera) S29:255:0:44:M536:.:PalmOS:5.0 16384:255:0:44:M1398:.:PalmOS:5.2 (Clie) S14:255:0:44:M1350:.:PalmOS:5.2.1 (Treo) 16384:255:0:44:M1400:.:PalmOS:5.2 (Sony) S23:64:1:64:N,W1,N,N,T,N,N,S,M1460:.:SymbianOS:7 8192:255:0:44:M1460:.:SymbianOS:6048 (Nokia 7650?) 8192:255:0:44:M536:.:SymbianOS:(Nokia 9210?) S22:64:1:56:M1460,T,S:.:SymbianOS:? (SE P800?) S36:64:1:56:M1360,T,S:.:SymbianOS:60xx (Nokia 6600?) S36:64:1:60:M1360,T,S,W0,E:.:SymbianOS:60xx 32768:32:1:44:M1460:.:Windows:CE 3 # Perhaps S4? 5840:64:1:60:M1452,S,T,N,W1:.:Zaurus:3.10 32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S:.:PocketPC:2002 S1:255:0:44:M346:.:Contiki:1.1-rc0 4096:128:0:44:M1460:.:Sega:Dreamcast Dreamkey 3.0 T5:64:0:44:M536:.:Sega:Dreamcast HKT-3020 (browser disc 51027) S22:64:1:44:M1460:.:Sony:Playstation 2 (SOCOM?) 
S12:64:0:44:M1452:.:AXIS:Printer Server 5600 v5.64 3100:32:1:44:M1460:.:Windows:CE 2.0 #################### # Fancy signatures # #################### 1024:64:0:40:.:.:-*NMAP:syn scan (1) 2048:64:0:40:.:.:-*NMAP:syn scan (2) 3072:64:0:40:.:.:-*NMAP:syn scan (3) 4096:64:0:40:.:.:-*NMAP:syn scan (4) 1024:64:0:40:.:A:-*NMAP:TCP sweep probe (1) 2048:64:0:40:.:A:-*NMAP:TCP sweep probe (2) 3072:64:0:40:.:A:-*NMAP:TCP sweep probe (3) 4096:64:0:40:.:A:-*NMAP:TCP sweep probe (4) 1024:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (1) 2048:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (2) 3072:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (3) 4096:64:0:60:W10,N,M265,T,E:P:-*NMAP:OS detection probe (4) 1024:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (1) 2048:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (2) 3072:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (3) 4096:64:0:60:W10,N,M265,T,E:PF:-*NMAP:OS detection probe w/flags (4) 32767:64:0:40:.:.:-*NAST:syn scan 12345:255:0:40:.:A:-p0f:sendsyn utility # UFO - see tmp/*: 56922:128:0:40:.:A:-@Mysterious:port scanner (?) 5792:64:1:60:M1460,S,T,N,W0:T:-@Mysterious:NAT device (2nd tstamp) S12:128:1:48:M1460,E:P:@Mysterious:Chello proxy (?) S23:64:1:64:N,W1,N,N,T,N,N,S,M1380:.:@Mysterious:GPRS gateway (?) 
##################################### # Generic signatures - just in case # ##################################### *:128:1:52:M*,N,W0,N,N,S:.:@Windows:XP/2000 (RFC1323+, w, tstamp-) *:128:1:52:M*,N,W*,N,N,S:.:@Windows:XP/2000 (RFC1323+, w+, tstamp-) *:128:1:52:M*,N,N,T0,N,N,S:.:@Windows:XP/2000 (RFC1323+, w-, tstamp+) *:128:1:64:M*,N,W0,N,N,T0,N,N,S:.:@Windows:XP/2000 (RFC1323+, w, tstamp+) *:128:1:64:M*,N,W*,N,N,T0,N,N,S:.:@Windows:XP/2000 (RFC1323+, w+, tstamp+) *:128:1:48:M536,N,N,S:.:@Windows:98 *:128:1:48:M*,N,N,S:.:@Windows:XP/2000 p0f/p0fa.fp0100644000175100017500000001654210471203041012300 0ustar lcamtufusers# # p0f - SYN+ACK fingerprints # -------------------------- # # .-------------------------------------------------------------------------. # | The purpose of this file is to cover signatures for outgoing TCP/IP | # | connections (SYN+ACK packets). This mode of operation can be enabled | # | with -A option. Please refer to p0f.fp for information on the metrics | # | used to create a signature, and for a guide on adding new entries to | # | those files. This database is somewhat neglected, and is looking for a | # | caring maintainer. | # `-------------------------------------------------------------------------' # # (C) Copyright 2000-2006 by Michal Zalewski # # Plenty of signatures contributed in bulk by rain forest puppy, Paul Woo and # Michael Bauer. # # Submit all additions to the authors. Read p0f.fp before adding any # signatures. Run p0f -A -C after making any modifications. This file is # NOT compatible with SYN, RST+, or stray ACK modes. Use only with -A option. # # Feel like contributing? You can run p0f -A -K, then test/tryid -iR nnn... # # IMPORTANT INFORMATION ABOUT THE INTERDEPENDENCY OF SYNs AND SYN+ACKs # -------------------------------------------------------------------- # # Some systems would have different SYN+ACK fingerprints depending on # the system that sent SYN. 
More specifically, RFC1323, RFC2018 and # RFC1644 extensions sometimes show up only if SYN had them enabled. # # Also, some silly systems may copy WSS from the SYN packet you've sent, # in which case, you need to wildcard the value. Use test/sendsyn.c, which # uses a distinct WSS of 12345, to test for this condition if unsure. # # IMPORTANT INFORMATION ABOUT DIFFERENCES IN COMPARISON TO p0f.fp: # ---------------------------------------------------------------- # # - 'A' quirk would be present on almost every signature here. ACK number # is unusual for SYN packets, but is a commonplace in SYN+ACK packets, # of course. It is still possible to have a signature without 'A', when # the ACK flag is present but the value is zero - this, however, is # very uncommon. # # - 'T' quirk would show up on almost all signatures for systems implementing # RFC1323. The second timestamp is only unusual for SYN packets. SYN+ACK # are expected to have it set. # ########################## # Standard OS signatures # ########################## # ---------------- Linux ------------------- 32736:64:0:44:M*:A:Linux:2.0 S22:64:1:60:M*,S,T,N,W0:AT:Linux:2.2 S22:64:1:52:M*,N,N,S,N,W0:A:Linux:2.2 w/o timestamps 5792:64:1:60:M*,S,T,N,W0:AT:Linux:older 2.4 5792:64:1:60:M*,S,T,N,W0:ZAT:Linux:recent 2.4 (1) S4:64:1:44:M*:ZA:Linux:recent 2.4 (2) 5792:64:1:44:M*:ZA:Linux:recent 2.4 (3) S4:64:1:52:M*,N,N,S,N,W0:ZA:Linux:2.4 w/o timestamps # --------------- Windows ------------------ 65535:128:1:64:M*,N,W0,N,N,T0,N,N,S:A:Windows:2000 SP4 S44:128:1:64:M*,N,W0,N,N,T0,N,N,S:A:Windows:XP SP1 S12:128:1:64:M*,N,W0,N,N,T0,N,N,S:A:Windows:2000 (SP1+) S6:128:1:44:M*:A:Windows:NT 4.0 SP1+ 65535:128:1:48:M*,N,N,S:A:Windows:98 (SE) 65535:128:1:44:M*:A:Windows:2000 (1) 16616:128:1:44:M*:A:Windows:2003 16384:128:1:44:M*:A:Windows:2000 (2) S16:128:1:44:M*:A:Windows:2000 (3) # ------------------- OpenBSD -------------- 17376:64:1:64:M*,N,N,S,N,W0,N,N,T:AT:OpenBSD:3.3 # ------------------- NetBSD ---------------- 
16384:64:0:60:M*,N,W0,N,N,T0:AT:NetBSD:1.6 # ----------------- HP/UX ------------------ 32768:64:1:44:M*:A:HPUX:10.20 # ----------------- Tru64 ------------------ S23:60:0:48:M*,N,W0:A:Tru64:5.0 (1) 65535:64:0:44:M*:A:Tru64:5.0 (2) # ----------------- Novell ----------------- 6144:128:1:52:M*,W0,N,S,N,N:A:Novell:Netware 6.0 (SP3) 32768:128:1:44:M*:A:Novell:Netware 5.1 # ------------------ IRIX ------------------ 60816:60:1:60:M*,N,W0,N,N,T:AT:IRIX:6.5.0 # ----------------- Solaris ---------------- 49232:64:1:64:N,N,T,M*,N,W0,N,N,S:AT:Solaris:9 (1) S1:255:1:60:N,N,T,N,W0,M*:AT:Solaris:7 24656:64:1:44:M*:A:Solaris:8 33304:64:1:60:N,N,T,M*,N,W1:AT:Solaris:9 (2) # ----------------- FreeBSD ---------------- 65535:64:1:60:M*,N,W1,N,N,T:AT:FreeBSD:5.0 57344:64:1:44:M*:A:FreeBSD:4.6-4.8 65535:64:1:44:M*:A:FreeBSD:4.4 57344:64:1:48:M1460,N,W0:A:FreeBSD:4.6-4.8 (wscale) 57344:64:1:60:M1460,N,W0,N,N,T:AT:FreeBSD:4.6-4.8 (RFC1323) # ------------------- AIX ------------------ S17:255:1:44:M536:A:AIX:4.2 S12:64:0:44:M1460:A:AIX:5.2 ML04 (1) S42:64:0:44:M1460:A:AIX:5.2 ML04 (2) # ------------------ BSD/OS ---------------- S6:64:1:60:M1460,N,W0,N,N,T:AT:BSD/OS:4.0.x # ------------------ OS/390 ---------------- 2048:64:0:44:M1460:A:OS/390:? 
# ------------------ Novell ---------------- 6144:128:1:44:M1400:A:Novell:iChain 2.2 # ------------------ MacOS ----------------- 33304:64:1:60:M*,N,W0,N,N,T:AT:MacOS:X 10.2.6 ################################################################# # Contributed by Ryan Kruse - trial run # ################################################################# # S4:255:0:44:M1024:A:Cisco:LocalDirector # 1024:255:0:44:M536:A:Cisco,3COM,Nortel:CatIOS,SuperStack,BayStack # S16:64:0:44:M512:A:Nortel:Contivity # 8192:64:0:44:M1460:A:Cisco,Nortel,SonicWall,Tasman:Aironet,BayStack Switch,Soho,1200 # 4096:255:0:44:M1460:A:Cisco:PIX,CatOS # 8192:128:0:44:M1460:A:Cisco:VPN Concentrator # 8192:128:0:60:M1460,N,W0,N,N,T:AT:Cisco:VPN Concentrator # 4096:32:0:44:M1460:A:Cisco,3COM,Extreme,Nortel:Catalyst Switch CatOS,CoreBuilder,Summit,Passport # S4:255:0:44:M536:ZA:Cisco:IOS # 1024:32:0:44:M1480:UA:Nortel:BayStack Switch # 4096:60:0:44:M1460:A:Adtran:NetVanta # 4096:64:0:44:M1008:A:Adtran:TSU # S4:32:0:44:M1024:A:Alcatel:Switch # S8:255:0:44:M536:ZA:Cisco:IOS # 50:255:0:44:M536:ZA:Cisco:CatIOS # 512:64:0:40:.:A:Dell:Switch # 4096:64:0:40:.:A:Enterasys:Vertical Horizon Switch # 17640:64:1:44:M1460:A:F5,Juniper,RiverStone:BigIP,Juniper OS,Router 7.0+ # 16384:64:0:44:M1460:A:Foundry,SonicWall:BigIron,TZ # 4096:64:0:44:M1452:A:HP:ProCurve Switch # 1024:64:0:44:M1260:A:Marconi:ES # 10240:30:0:44:M1460:A:Milan:Switch # 4096:64:0:44:M1380:A:NetScreen:Firewall # S32:64:0:44:M512:A:Nokia:CheckPoint # 1024:64:0:44:M536:A:Nortel:BayStack Switch # 4128:255:0:44:M*:ZA:Cisco:IOS # 1024:16:0:44:M536:A:Nortel:BayStack Switch # 1024:30:0:44:M1480:A:Nortel:BayStack Switch # S4:64:0:44:M1460:A:Symbol:Spectrum Access Point # S2:255:0:44:M512:A:ZyXEL:Prestige # S16:255:0:44:M1024:A:ZyXEL:ZyAI ########################################### # Appliance / embedded / other signatures # ########################################### 16384:64:1:44:M1460:A:F5:BigIP LB 4.1.x (sometimes FreeBSD) 
4128:255:0:44:M*:ZA:Cisco:Catalyst 2900 12.0(5) 4096:60:0:44:M*:A:Brother:HL-1270N S1:30:0:44:M1730:A:Cyclades:PR3000 8192:64:1:44:M1460:A:NetApp:Data OnTap 6.x 5792:64:1:60:W0,N,N,N,T,M1460:ZAT:FortiNet:FortiGate 50 S1:64:1:44:M1460:A:NetCache:5.3.1 S1:64:0:44:M512:A:Printer:controller (?) 4096:128:0:40:.:A:Sequent:DYNIX 4.2.x S16:64:0:44:M512:A:3Com:NBX PBX (BSD/OS 2.1) 16000:64:0:44:M1442:A:CastleNet:DSL router S2:64:0:44:M32728:A:D-Link:DSL-500 S4:60:0:44:M1460:A:HP:JetDirect A.05.32 8576:64:1:44:M*:A:Raptor:firewall S12:64:1:44:M1400:A:Cequrux Firewall:4.x 2048:255:0:44:M1400:A:Netgear:MR814 16384:128:0:64:M1460,N,W0,N,N,T0,N,N,S:A:Akamai:??? (1) 16384:128:0:60:M1460,N,W0,N,N,T0:A:Akamai:??? (2) 8190:255:0:44:M1452:A:Citrix:Netscaler 6.1 # Whatever they run. EOL boys... S6:128:1:48:M1460,E:PA:@Slashdot:or BusinessWeek (???) p0f/p0fr.fp0100644000175100017500000002027610404100414012314 0ustar lcamtufusers# # p0f - RST+ signatures # --------------------- # # .-------------------------------------------------------------------------. # | The purpose of this file is to cover signatures for reset packets | # | (RST and RST+ACK). This mode of operation can be enabled with -R option | # | and is considered to be least accurate. Please refer to p0f.fp for more | # | information on the metrics used and for a guide on adding new entries | # | to this file. This database is looking for a caring maintainer. | # `-------------------------------------------------------------------------' # # (C) Copyright 2000-2006 by Michal Zalewski # # Submit all additions to the authors. Read p0f.fp before adding any # signatures. Run p0f -R -C after making any modifications. This file is # NOT compatible with SYN, SYN+ACK, or stray ACK modes. Use only with -R # option. 
# # IMPORTANT INFORMATION ABOUT THE INTERDEPENDENCY OF SYNs AND RST+ACKs # -------------------------------------------------------------------- # # Some silly systems may copy WSS from the SYN packet you've sent, # in which case, you need to wildcard the value. Use test/sendsyn.c for # "connection refused" and test/sendack.c for "connection dropped" signatures # - both tools use a distinct WSS of 12345, which is an easy way to tell # if WSS should be wildcarded. # # IMPORTANT INFORMATION ABOUT COMMON IMPLEMENTATION FLAWS # ------------------------------------------------------- # # There are several types of RST packets you will surely encounter. # Some systems, including most reputable ones, are severely brain-damaged # and generate some illegal combinations from time to time. This is WAY # more common than with other packet types, because a broken RST does not # have any immediately noticeable consequences; besides, the RFC793 is fairly # difficult to comprehend when it comes to this type of responses. # # P0f will give you a hint on new RST signatures, but it is your duty to # diagnose the problem and append the proper description when adding the # signature. Below is a list of valid and invalid states: # # - "Connection refused" message: this is a RST+ACK packet, SEQ number # set to zero, ACK number non-zero. This is a valid response and # is denoted by p0f as "refused" (quirk combination: K, 0, A). # # There are some very rare cases when this is incorrectly sent in response # to an unexpected ACK packet. # # - Illegal combination: RST+ACK packet, SEQ number set to zero, ACK # number zero. This is denoted by p0f as "invalid-K0" (quirk combination: # K and 0, no A). # # - Illegal combination: RST+ACK, SEQ number non-zero, ACK number zero # or non-zero. This is denoted by p0f as "invalid-K" and # "invalid-KA", respectively (quirk combinations, K, sometimes A, no 0). 
# # This combination is frequently generated by Cisco routers in certain # configurations in response to ACK (!). Brain dead, by all means, and # usually a result of (incorrectly) setting ACK flag on a valid RST packet. # # - "Connection dropped": RST, sequence number non-zero, ACK zero or # non-zero. This is denoted as "dropped" and "dropped 2" respectively # (quirk combinations: no K, sometimes A, no 0). While the ACK value should # be zeroed, it is not strictly against the RFC, and some systems either # leak memory there or set it to the value of SEQ. # # The latter variant, with non-zero ACK, is particularly common on # Windows. # # - Illegal combination: RST, SEQ number zero, ACK zero or non-zero. # Denoted as "invalid-0" and "invalid-0A". Obviously incorrect, and # will not have the desired effect. # # Ok. That's it. RFC793 does not get much respect nowadays. # # IMPORTANT INFORMATION ABOUT DIFFERENCES IN COMPARISON TO p0f.fp: # ---------------------------------------------------------------- # # - Packet size may be wildcarded. The meaning of wildcard is, however, # hardcoded as 'size > PACKET_BIG' (defined as 100 in config.h). This is # because some stupid devices (including Ciscos) tend to send back RST # packets quoting anything you have sent them in ACK packet previously. # Use sparingly, only if -X confirms the device actually bounces back # whatever you send. # # - A new quirk, 'K', is introduced to denote RST+ACK packets (as opposed # to plain RST). This quirk is only compatible with this mode. # # - A new quirk, 'Q', is used to denote SEQ number equal to ACK number. # This happens from time to time in RST and RST+ACK packets, but # is practically unheard of in other modes. # # - A new quirk, '0', is used to denote packets with SEQ number set to 0. # This happens on some RSTs, and is once again unheard of in other modes. 
# # - 'D' quirk is not a bug; some devices send verbose text messages # describing why a connection got dropped; it's actually suggested # by RFC1122. Of course, some systems have their own standards, and # put all kinds of crap in their RST responses (including FreeBSD and # Cisco). Use -X to examine those values. # # - 'A' and 'T' quirks are not an anomaly in certain cases for the reasons # described in p0fa.fp. # ################################ # Connection refused - RST+ACK # ################################ 0:255:0:40:.:K0A:Linux:2.0/2.2 (refused) 0:64:1:40:.:K0A:FreeBSD:4.8 (refused) 0:64:1:40:.:K0ZA:Linux:recent 2.4 (refused) 0:128:0:40:.:K0A:Windows:XP/2000 (refused) 0:128:0:40:.:K0UA:-Windows:XP/2000 while browsing (refused) ###################################### # Connection dropped / timeout - RST # ###################################### 0:64:1:40:.:.:FreeBSD:4.8 (dropped) 0:255:0:40:.:.:Linux:2.0/2.2 or IOS 12.x (dropped) 0:64:1:40:.:Z:Linux:recent 2.4 (dropped) 0:255:1:40:.:Z:Linux:early 2.4 (dropped) 0:32:0:40:.:.:Xylan:OmniSwitch / Linksys WAP11 AP (dropped) 0:64:1:40:.:U:NetIron:load balancer (dropped) 0:128:1:40:.:QA:Windows:XP/2000 (dropped 2) 0:128:1:40:.:A:-Windows:XP/2000 while browsing (1) (dropped 2) 0:128:1:40:.:QUA:-Windows:XP/2000 while browsing (2) (dropped 2) 0:128:1:40:.:UA:-Windows:XP/2000 while browsing a lot (dropped 2) 0:128:1:40:.:.:@Windows:98 (?) 
(dropped) 0:64:0:40:.:A:Ascend:TAOS or BayTech (dropped 2) *:255:0:40:.:QA:Cisco:LocalDirector (dropped 2) 0:64:1:40:.:A:Hasbani:WindWeb (dropped 2) S23:255:1:40:.:.:Solaris:2.5 (dropped) ####################################################### # Connection dropped / timeout - RST with description # ####################################################### 0:255:1:58:.:D:MacOS:9.x "No TCP/No listener" (seldom SunOS 5.x) (dropped) 0:255:1:53:.:D:MacOS:8.5 "no tcp, reset" (dropped) 0:255:1:65:.:D:MacOS:X "tcp_close, during connect" (dropped) 0:255:1:54:.:D:MacOS:X "tcp_disconnect" (dropped) 0:255:1:62:.:D:HP/UX:? "tcp_fin_wait_2_timeout" (dropped) 32768:255:1:54:.:D:MacOS:8.5 "tcp_disconnect" (dropped) 0:255:1:63:.:D:@Unknown: "Go away" device (dropped) 0:255:0:62:.:D:SunOS:5.x "new data when detached" (1) (dropped) 32768:255:1:62:.:D:SunOS:5.x "new data when detached" (2) (dropped) 0:255:1:67:.:D:SunOS:5.x "tcp_lift_anchor, can't wait" (dropped) 0:255:0:46:.:D:HP/UX:11.00 "No TCP" (dropped) # More obscure ones: # 648:255:1:54:.:D:MacOS:??? "tcp_disconnect" (dropped) # 0:45:1:53:.:D:MacOS:7.x "no tcp, reset" (dropped) ############################################## # Connection dropped / timeout - broken RSTs # ############################################## S12:255:1:58:.:KAD:Solaris:2.x "tcp_disconnect" (dropped, lame) S43:64:1:40:.:KA:AOL:proxy (dropped, lame) *:64:1:40:.:KA:FreeBSD:4.8 (dropped, lame) *:64:1:52:N,N,T:KAT:Linux:2.4 (?) (dropped, lame) 0:255:0:40:.:KAF:3Com:SuperStack II (dropped, lame) *:255:0:40:.:KA:Intel:Netport print server (dropped, lame) *:150:0:40:.:KA:Linksys:BEF router (dropped, lame) *:32:0:44:.:KZD:@NetWare:??? 
"ehnc" (dropped, lame) 0:64:0:40:.:KQ0:BayTech:RPC-3 telnet host (dropped, lame) ############################################# # Connection dropped / timeout - extra data # ############################################# *:255:0:*:.:KAD:Cisco:IOS/PIX NAT + data (1) (dropped, lame) 0:255:0:*:.:D:Windows:NT 4.0 SP6a + data (dropped) 0:255:0:*:.:K0AD:Isolation:Infocrypt accelerator + data (dropped, lame) *:255:0:*:.:AD:Cisco:IOS/PIX NAT + data (2) (dropped) *:64:1:*:N,N,T:KATD:Linux:2.4 (?) + data (dropped, lame) *:64:1:*:.:KAD:FreeBSD:4.8 + data (dropped, lame) p0f/p0frep0100755000175100017500000000265710404100422012242 0ustar lcamtufusers#!/bin/sh # # p0frep - trivial reporting script for p0f logfiles # -------------------------------------------------- # # Copyright 2002-2006 by Michal Zalewski # echo "p0frep: p0f v2 log analyzer by " if [ $# -lt 2 ]; then cat >/dev/stderr </dev/stderr exit 1 fi if [ "$2" = "system" ]; then cat "$1" | awk -F'> ' '{print $2}NF==1{print $1}' | grep -F ' - ' | awk '{print "^" $0}' | grep -F "^$3" | \ awk '{print $3 " " $1}' | grep "^$4" | awk -F: '{print $1}' | \ sed 's/\^//g' | sort | uniq -c elif [ "$2" = "addr" ]; then cat "$1" | awk -F'> ' '{print $2}NF==1{print $1}' | grep -F ' - ' | awk '{print "^" $0}' | grep -F "^$3" | \ awk '{print $3 " " $1}' | grep "^$4" | awk -F: '{print $1}' | \ sed 's/\^//g' | awk '{print $2 " " $1}' | sort | uniq -c else echo "Second parameter (sort order) mst be 'system' or 'addr'." >/dev/stderr exit 1 fi exit 0 p0f/tcp.h0100644000175100017500000000313310404100427012052 0ustar lcamtufusers/* p0f - portable TCP/IP headers ----------------------------- Well. 
Copyright (C) 2003-2006 by Michal Zalewski */ #ifndef _HAVE_TCP_H #define _HAVE_TCP_H #include "types.h" #define TCPOPT_EOL 0 /* End of options */ #define TCPOPT_NOP 1 /* Nothing */ #define TCPOPT_MAXSEG 2 /* MSS */ #define TCPOPT_WSCALE 3 /* Window scaling */ #define TCPOPT_SACKOK 4 /* Selective ACK permitted */ #define TCPOPT_TIMESTAMP 8 /* Stamp out timestamping! */ #define IP_DF 0x4000 /* dont fragment flag */ #define IP_MF 0x2000 /* more fragments flag */ #define TH_FIN 0x01 #define TH_SYN 0x02 #define TH_RST 0x04 #define TH_PUSH 0x08 #define TH_ACK 0x10 #define TH_URG 0x20 /* Stupid ECN flags: */ #define TH_ECE 0x40 #define TH_CWR 0x80 struct ip_header { _u8 ihl, /* IHL */ tos; /* type of service */ _u16 tot_len, /* total length */ id, /* identification */ off; /* fragment offset + DF/MF */ _u8 ttl, /* time to live */ proto; /* protocol */ _u16 cksum; /* checksum */ _u32 saddr, /* source */ daddr; /* destination */ }; struct tcp_header { _u16 sport, /* source port */ dport; /* destination port */ _u32 seq, /* sequence number */ ack; /* ack number */ #if BYTE_ORDER == LITTLE_ENDIAN _u8 _x2:4, /* unused */ doff:4; /* data offset */ #else /* BYTE_ORDER == BIG_ENDIAN */ _u8 doff:4, /* data offset */ _x2:4; /* unused */ #endif _u8 flags; /* flags, d'oh */ _u16 win; /* wss */ _u16 cksum; /* checksum */ _u16 urg; /* urgent pointer */ }; #endif /* ! _HAVE_TCP_H */ p0f/test/0040755000175100017500000000000010472337725012117 5ustar lcamtufusersp0f/test/p0fq.c0100644000175100017500000000544510472323475013133 0ustar lcamtufusers/* p0fq - sample p0f query interface --------------------------------- Just to show how things should be done, and perhaps to provide a truly ineffective way of querying p0f from shell scripts and such. If you want to query p0f from a production application, just implement the same functionality in your code. It's perhaps 10 lines. 
Copyright (C) 2003-2006 by Michal Zalewski */ #include #include #include #include #include #include #include #include #include #include #include #include "../types.h" #include "../p0f-query.h" #define debug(x...) fprintf(stderr,x) #define fatal(x...) do { debug("[-] ERROR: " x); exit(2); } while (0) #define pfatal(x) do { debug("[-] ERROR: "); perror(x); exit(2); } while (0) int main(int argc,char** argv) { struct sockaddr_un x; struct p0f_query p; struct p0f_response r; _u32 s,d,sp,dp; _s32 sock; if (argc != 6) { debug("Usage: %s p0f_socket src_ip src_port dst_ip dst_port\n", argv[0]); exit(1); } s = inet_addr(argv[2]); sp = atoi(argv[3]); d = inet_addr(argv[4]); dp = atoi(argv[5]); if (!sp || !dp || s == INADDR_NONE || d == INADDR_NONE) fatal("Bad IP/port values.\n"); sock = socket(PF_UNIX,SOCK_STREAM,0); if (sock < 0) pfatal("socket"); memset(&x,0,sizeof(x)); x.sun_family=AF_UNIX; strncpy(x.sun_path,argv[1],63); if (connect(sock,(struct sockaddr*)&x,sizeof(x))) pfatal(argv[1]); p.magic = QUERY_MAGIC; p.id = 0x12345678; p.type = QTYPE_FINGERPRINT; p.src_ad = s; p.dst_ad = d; p.src_port = sp; p.dst_port = dp; if (write(sock,&p,sizeof(p)) != sizeof(p)) fatal("Socket write error (timeout?).\n"); if (read(sock,&r,sizeof(r)) != sizeof(r)) fatal("Response read error (timeout?).\n"); if (r.magic != QUERY_MAGIC) fatal("Bad response magic.\n"); if (r.type == RESP_BADQUERY) fatal("P0f did not honor our query.\n"); if (r.type == RESP_NOMATCH) { printf("This connection is not (no longer?) 
in the cache.\n"); exit(3); } if (!r.genre[0]) { printf("Genre and OS details not recognized.\n"); } else { printf("Genre : %s\n",r.genre); printf("Details : %s\n",r.detail); if (r.dist != -1) printf("Distance : %d hops\n",r.dist); } if (r.link[0]) printf("Link : %s\n",r.link); if (r.tos[0]) printf("Service : %s\n",r.tos); if (r.uptime != -1) printf("Uptime : %d hrs\n",r.uptime); if (r.score != NO_SCORE) printf("M-Score : %d%% (flags %x).\n",r.score,r.mflags); if (r.fw) printf("The host is behind a firewall.\n"); if (r.nat) printf("The host is behind NAT or such.\n"); shutdown(sock,2); close(sock); return 0; } p0f/test/sendack.c0100644000175100017500000000622010404100133013640 0ustar lcamtufusers/* sendack - RST trigger --------------------- This is a trivial code to send a stray ACK packet to a remote host. The main purpose of this is to gather new RST ("connection dropped") signatures quickly, but you can also use it for silent active fingerprinting when you can't or don't want to use -A mode. THIS PROGRAM IS NOT SUITABLE FOR GATHERING "Connection refused" SIGNATURES. Run p0f in the background in -R mode, then run sendack, observe results, if any. This code uses a distinct WSS of 12345. If you see it in the signature returned by p0f, you need to wildcard the value (p0f does the first step for you), as it appears to be dependent on the original packet and may vary on the other party's stack. Linux code, may not work on systems that use different mechanism to access raw sockets. 
Copyright (C) 2003-2006 by Michal Zalewski */ #include #include #include #include #include #include #include #include #include #include #include #include #include "../types.h" #define fatal(x) do { perror(x); exit(1); } while (0) static _u8 synpacket[] = { /* IP HEADER */ /* IHL */ 0x45, /* ToS */ 0x00, /* totlen */ 0x00, 0x28, /* ID */ 0x00, 0x00, /* offset */ 0x00, 0x00, /* TTL */ 0xFF, /* proto */ 0x06, /* cksum */ 0x00, 0x00, /* saddr */ 0, 0, 0, 0, /* src: [12] */ /* daddr */ 0, 0, 0, 0, /* dst: [16] */ /* TCP HEADER - [20] */ /* sport */ 0xCA, 0xFE, /* dport */ 0, 0, /* dp: [22] */ /* SEQ */ 0x0D, 0xEF, 0xAC, 0xED, /* ACK */ 0xDE, 0xAD, 0xBE, 0xEF, /* doff */ 0x50, /* flags */ 0x10, /* just ACK */ /* wss */ 0x30, 0x39, /* 12345 */ /* cksum */ 0x00, 0x00, /* urg */ 0x00, 0x00 }; _u16 simple_tcp_cksum(void) { _u32 sum = 26 /* tcp, len 20 */; _u8 i; _u8* p = synpacket + 20; for (i=0;i<10;i++) { sum += (*p << 8) + *(p+1); p+=2; } p = synpacket + 12; for (i=0;i<4;i++) { sum += (*p << 8) + *(p+1); p+=2; } return ~(sum + (sum >> 16)); } int main(int argc, char** argv) { static struct sockaddr_in sain; _s32 sad,dad; _s32 sock, one = 1; _u16 p,ck; if (argc - 4 || (sad=inet_addr(argv[1])) == INADDR_NONE || (dad=inet_addr(argv[2])) == INADDR_NONE || !(p=atoi(argv[3]))) { fprintf(stderr,"Usage: %s src_ip dst_ip port\n",argv[0]); exit(1); } sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW); if (sock<0) fatal("socket"); if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&one,sizeof(one))) fatal("setsockopt"); sain.sin_family = AF_INET; memcpy(&sain.sin_addr.s_addr,&dad,4); memcpy(synpacket+12,&sad,4); memcpy(synpacket+16,&dad,4); p=htons(p); memcpy(synpacket+22,&p,2); ck=simple_tcp_cksum(); ck=htons(ck); memcpy(synpacket+36,&ck,2); if (sendto(sock,synpacket,sizeof(synpacket), 0,(struct sockaddr *)&sain, sizeof(struct sockaddr)) < 0) perror("sendto"); else printf("Stray ACK sent to %s to port %d.\n",argv[2],ntohs(p)); return 0; } 
p0f/test/sendack2.c0100644000175100017500000000632210404100150013724 0ustar lcamtufusers/* sendack2 - RST trigger with data payload ---------------------------------------- See sendack.c for more information. The only difference is that this tool sends a packet with a payload to check for some silly implementations that bounce the payload back or do other magic. THIS PROGRAM IS NOT SUITABLE FOR GATHERING "Connection refused" SIGNATURES. Copyright (C) 2003-2006 by Michal Zalewski */ #include #include #include #include #include #include #include #include #include #include #include #include #include "../types.h" #define fatal(x) do { perror(x); exit(1); } while (0) static _u8 synpacket[] = { /* IP HEADER */ /* IHL */ 0x45, /* ToS */ 0x00, /* totlen */ 0x00, 0x28 + 4, /* ID */ 0x00, 0x00, /* offset */ 0x00, 0x00, /* TTL */ 0xFF, /* proto */ 0x06, /* cksum */ 0x00, 0x00, /* saddr */ 0, 0, 0, 0, /* src: [12] */ /* daddr */ 0, 0, 0, 0, /* dst: [16] */ /* TCP HEADER - [20] */ /* sport */ 0xCA, 0xFE, /* dport */ 0, 0, /* dp: [22] */ /* SEQ */ 0x0D, 0xEF, 0xAC, 0xED, /* ACK */ 0xDE, 0xAD, 0xBE, 0xEF, /* doff */ 0x50, /* flags */ 0x10, /* just ACK */ /* wss */ 0x30, 0x39, /* 12345 */ /* cksum */ 0x00, 0x00, /* urg */ 0x00, 0x00, /* PAYLOAD - 80 bytes. Please keep this message intact. 
*/ 0x43,0x6f,0x6e,0x74,0x61,0x63,0x74,0x20, 0x6c,0x63,0x61,0x6d,0x74,0x75,0x66,0x40, 0x63,0x6f,0x72,0x65,0x64,0x75,0x6d,0x70, 0x2e,0x63,0x78,0x20,0x69,0x66,0x20,0x79, 0x6f,0x75,0x20,0x61,0x72,0x65,0x20,0x63, 0x75,0x72,0x69,0x6f,0x75,0x73,0x20,0x61, 0x62,0x6f,0x75,0x74,0x20,0x74,0x68,0x65, 0x20,0x70,0x75,0x72,0x70,0x6f,0x73,0x65, 0x20,0x6f,0x66,0x20,0x74,0x68,0x69,0x73, 0x20,0x70,0x61,0x63,0x6b,0x65,0x74,0x2e }; _u16 simple_tcp_cksum(void) { _u32 sum = 6 + 20 + 80 /* proto tcp (6), tcp len 20 + 80 */; _u8 i; _u8* p = synpacket + 20; for (i=0;i<10 + 40;i++) { sum += (*p << 8) + *(p+1); p+=2; } p = synpacket + 12; for (i=0;i<4;i++) { sum += (*p << 8) + *(p+1); p+=2; } return ~(sum + (sum >> 16)); } int main(int argc, char** argv) { static struct sockaddr_in sain; _s32 sad,dad; _s32 sock, one = 1; _u16 p,ck; if (argc - 4 || (sad=inet_addr(argv[1])) == INADDR_NONE || (dad=inet_addr(argv[2])) == INADDR_NONE || !(p=atoi(argv[3]))) { fprintf(stderr,"Usage: %s src_ip dst_ip port\n",argv[0]); exit(1); } sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW); if (sock<0) fatal("socket"); if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&one,sizeof(one))) fatal("setsockopt"); sain.sin_family = AF_INET; memcpy(&sain.sin_addr.s_addr,&dad,4); memcpy(synpacket+12,&sad,4); memcpy(synpacket+16,&dad,4); p=htons(p); memcpy(synpacket+22,&p,2); ck=simple_tcp_cksum(); ck=htons(ck); memcpy(synpacket+36,&ck,2); if (sendto(sock,synpacket,sizeof(synpacket), 0,(struct sockaddr *)&sain, sizeof(struct sockaddr)) < 0) perror("sendto"); else printf("Stray ACK (with data) sent to %s to port %d.\n",argv[2],ntohs(p)); return 0; } p0f/test/sendsyn.c0100644000175100017500000000645210404100142013722 0ustar lcamtufusers/* sendsyn - SYN+ACK trigger ------------------------- This is a trivial code to send a SYN packet to a remote host. The main purpose of this is to trigger a clean SYN+ACK or RST+ACK ("connection refused") response that can be compared to the signature you've obtained the usual way. 
By comparing WSS and other parameters, it is possible to determine how much of the signature changes depending on the initial SYN, which is crucial in some cases (see p0fa.fp and p0fr.fp). THIS CODE IS NOT SUITABLE FOR GATHERING "Connection dropped" SIGNATURES. Run p0f in the background in -A mode (or -R, if you are interested in RST+ACK packet), then run sendsyn, observe results, if any. The code uses a distinct WSS of 12345. If you see it in the SYN+ACK (RST+ACK) response, you need to wildcard the WSS value in your new signature (p0f does the first step for you). Linux code, may not work on systems that use different mechanism to access raw sockets. Copyright (C) 2003-2006 by Michal Zalewski */ #include #include #include #include #include #include #include #include #include #include #include #include #include "../types.h" #define fatal(x) do { perror(x); exit(1); } while (0) static _u8 synpacket[] = { /* IP HEADER */ /* IHL */ 0x45, /* ToS */ 0x00, /* totlen */ 0x00, 0x28, /* ID */ 0x00, 0x00, /* offset */ 0x00, 0x00, /* TTL */ 0xFF, /* proto */ 0x06, /* cksum */ 0x00, 0x00, /* saddr */ 0, 0, 0, 0, /* src: [12] */ /* daddr */ 0, 0, 0, 0, /* dst: [16] */ /* TCP HEADER - [20] */ /* sport */ 0xCA, 0xFE, /* dport */ 0, 0, /* dp: [22] */ /* SEQ */ 0x0D, 0xEF, 0xAC, 0xED, /* ACK */ 0xDE, 0xAD, 0xBE, 0xEF, /* doff */ 0x50, /* flags */ 0x02, /* just SYN */ /* wss */ 0x30, 0x39, /* 12345 */ /* cksum */ 0x00, 0x00, /* urg */ 0x00, 0x00 }; _u16 simple_tcp_cksum(void) { _u32 sum = 26 /* tcp, len 20 */; _u8 i; _u8* p = synpacket + 20; for (i=0;i<10;i++) { sum += (*p << 8) + *(p+1); p+=2; } p = synpacket + 12; for (i=0;i<4;i++) { sum += (*p << 8) + *(p+1); p+=2; } return ~(sum + (sum >> 16)); } int main(int argc, char** argv) { static struct sockaddr_in sain; _s32 sad,dad; _s32 sock, one = 1; _u16 p,ck; if (argc - 4 || (sad=inet_addr(argv[1])) == INADDR_NONE || (dad=inet_addr(argv[2])) == INADDR_NONE || !(p=atoi(argv[3]))) { fprintf(stderr,"Usage: %s src_ip dst_ip 
port\n",argv[0]); exit(1); } sock=socket(AF_INET,SOCK_RAW,IPPROTO_RAW); if (sock<0) fatal("socket"); if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char *)&one,sizeof(one))) fatal("setsockopt"); sain.sin_family = AF_INET; memcpy(&sain.sin_addr.s_addr,&dad,4); memcpy(synpacket+12,&sad,4); memcpy(synpacket+16,&dad,4); p=htons(p); memcpy(synpacket+22,&p,2); ck=simple_tcp_cksum(); ck=htons(ck); memcpy(synpacket+36,&ck,2); if (sendto(sock,synpacket,sizeof(synpacket), 0,(struct sockaddr *)&sain, sizeof(struct sockaddr)) < 0) perror("sendto"); else printf("Bland SYN sent to %s to port %d.\n",argv[2],ntohs(p)); return 0; } p0f/test/tryid0100755000175100017500000000063207724773156013206 0ustar lcamtufusers#!/bin/bash # # p0f - trivial OS checker # ------------------------ # # The least diplomatic way of checking a remote system to # resolve a signature. Note that the output should be # taken with a grain of salt (proxies, overzealous # firewalls, ippersonality, nmap database glitches, etc). # nmap -T Aggressive -sS -p 1,20,22,23,25,53,80,110,111,113,135,137,139,161,443,445,1030,6000,8080,8888,59999 -O "$@" p0f/test/p0fq.pl0100644000175100017500000000340010472337376013316 0ustar lcamtufusers#!/usr/bin/perl # p0fq.pl - sample p0f query interface # ------------------------------------ # # Just to show how things should be done, and perhaps to provide # a truly ineffective way of querying p0f from shell scripts and # such. # # If you want to query p0f from a production application, just # implement the same functionality in your code. It's perhaps 10 # lines. 
# # Copyright (C) 2004 by Aurelien Jacobs use strict; use IO::Socket; use Net::IP; my $QUERY_MAGIC = 0x0defaced; my $QTYPE_FINGERPRINT = 1; die "usage: p0fq.pl p0f_socket src_ip src_port dst_ip dst_port" unless $#ARGV == 4; # Convert the IPs and pack the request message my $src = new Net::IP ($ARGV[1]) or die (Net::IP::Error()); my $dst = new Net::IP ($ARGV[3]) or die (Net::IP::Error()); my $query = pack("L L L N N S S", $QUERY_MAGIC, $QTYPE_FINGERPRINT, 0x12345678, $src->intip(), $dst->intip(), $ARGV[2], $ARGV[4]); # Open the connection to p0f my $sock = new IO::Socket::UNIX (Peer => $ARGV[0], Type => SOCK_STREAM); die "Could not create socket: $!\n" unless $sock; # Ask p0f print $sock $query; my $response = <$sock>; close $sock; # Extract the response from p0f my ($magic, $id, $type, $genre, $detail, $dist, $link, $tos, $fw, $nat, $real, $score, $mflags, $uptime) = unpack ("L L C Z20 Z40 c Z30 Z30 C C C s S N", $response); die "Bad response magic.\n" if $magic != $QUERY_MAGIC; die "P0f did not honor our query.\n" if $type == 1; die "This connection is not (no longer?) in the cache.\n" if $type == 2; # Display result print "Genre : " . $genre . "\n"; print "Details : " . $detail . "\n"; print "Distance : " . $dist . " hops\n"; print "Link : " . $link . "\n"; print "Uptime : " . $uptime . " hrs\n"; p0f/test/p0fping.c0100644000175100017500000000500610472337425013621 0ustar lcamtufusers/* p0fping - sample p0f socket ping code --------------------------------- Just to show how one can find out a priori wheather p0f is alive and its query socket reliable before quering it for fingerprints. That kind of knowledge is probably useful during startup of misc services using p0f. When p0f is working useful statistics can be gathered. Copyright (C) 2006 by Mariusz Kozlowski */ #include #include #include #include #include #include #include #include #include #include #include #include "../types.h" #include "../p0f-query.h" #define debug(x...) 
fprintf(stderr,x) #define fatal(x...) do { debug("[-] ERROR: " x); exit(2); } while (0) #define pfatal(x) do { debug("[-] ERROR: "); perror(x); exit(2); } while (0) int main(int argc,char** argv) { struct sockaddr_un x; struct p0f_query q; struct p0f_status s; _s32 sock; if (argc != 2) { debug("Usage: %s p0f_socket\n", argv[0]); exit(1); } sock = socket(PF_UNIX,SOCK_STREAM,0); if (sock < 0) pfatal("socket"); memset(&x,0,sizeof(x)); x.sun_family = AF_UNIX; strncpy(x.sun_path,argv[1],63); if (connect(sock,(struct sockaddr*)&x,sizeof(x))) pfatal(argv[1]); q.magic = QUERY_MAGIC; q.id = 0xabcddcba; q.type = QTYPE_STATUS; if (write(sock,&q,sizeof(q)) != sizeof(q)) fatal("Socket write error (timeout?).\n"); if (read(sock,&s,sizeof(s)) != sizeof(s)) fatal("Response read error (timeout?).\n"); debug("[+] Sufficient socket permissions.\n"); if (s.magic != QUERY_MAGIC) fatal("Bad response magic.\n"); if (s.id != 0xabcddcba) fatal("Bad response ID.\n"); if (s.type != RESP_STATUS) fatal("P0f did not honor our query.\n"); debug("[+] Got correct p0f status response.\n"); debug("[i] p0f version : %s\n", s.version); debug("[i] p0f mode : %s\n", s.mode=='S'?"SYN":(s.mode=='A'?"SYN+ACK":(s.mode=='R'?"RST":(s.mode=='O'?"stray":"unknown")))); debug("[i] p0f fp file checksum : 0x%08x\n", s.fp_cksum); debug("[i] received packets : %u\n", s.packets); debug("[i] matched packets : %u\n", s.matched); debug("[i] p0f query cache size : %u\n", s.cache); debug("[i] cache queries : %u\n", s.queries); debug("[i] cache misses : %u\n", s.cmisses); debug("[i] p0f process uptime : %u seconds\n", s.uptime); shutdown(sock,2); close(sock); return 0; } p0f/tmp/0040755000175100017500000000000007740451056011736 5ustar lcamtufusersp0f/tmp/ack_set0100644000175100017500000000114207726355504013272 0ustar lcamtufusersRare occurence of non-zero ACK packets. The source system is a Linux box, but it was most likely running some evil tool. Note the source port of 21. Same in ack_set2. 
80.117.4.92:21 - UNKNOWN [56922:113:0:40:.:A:?:?] -> 217.8.32.51:21 (link: unspecified) -- EXTRA TCP VALUES: ACK=0x41e8a62a, UNUSED=0, URG=0x0 80.117.4.92:21 - UNKNOWN [56922:113:0:40:.:A:?:?] -> 217.8.32.52:21 (link: unspecified) -- EXTRA TCP VALUES: ACK=0x41e8a62a, UNUSED=0, URG=0x0 80.117.4.92:21 - UNKNOWN [56922:113:0:40:.:A:?:?] -> 217.8.32.53:21 (link: unspecified) -- EXTRA TCP VALUES: ACK=0x41e8a62a, UNUSED=0, URG=0x0 p0f/tmp/ack_set20100644000175100017500000000245307725335654013365 0ustar lcamtufusers 194.177.126.22:22 - UNKNOWN [29111:128:0:40:.:A:?:?] -> 217.8.32.53:22 (link: unspecified) -- EXTRA TCP VALUES: ACK=0x30532569, UNUSED=0, URG=0x0 (flags = 2) 194.177.126.22:22 - UNKNOWN [29111:128:0:40:.:A:?:?] -> 217.8.32.54:22 (link: unspecified) -- EXTRA TCP VALUES: ACK=0x30532569, UNUSED=0, URG=0x0 (flags = 2) 194.177.126.22:22 - UNKNOWN [29111:128:0:40:.:A:?:?] -> 217.8.32.55:22 (link: unspecified) -- EXTRA TCP VALUES: ACK=0x30532569, UNUSED=0, URG=0x0 (flags = 2) 194.177.126.22:22 - UNKNOWN [29111:128:0:40:.:A:?:?] -> 217.8.32.58:22 (link: unspecified) -- EXTRA TCP VALUES: ACK=0x30532569, UNUSED=0, URG=0x0 (flags = 2) 194.177.126.22:22 - UNKNOWN [29111:128:0:40:.:A:?:?] -> 217.8.32.57:22 (link: unspecified) -- EXTRA TCP VALUES: ACK=0x30532569, UNUSED=0, URG=0x0 (flags = 2) 194.177.126.22:22 - UNKNOWN [29111:128:0:40:.:A:?:?] -> 217.8.32.56:22 (link: unspecified) -- EXTRA TCP VALUES: ACK=0x30532569, UNUSED=0, URG=0x0 (flags = 2) 194.177.126.22:22 - UNKNOWN [29111:128:0:40:.:A:?:?] -> 217.8.32.59:22 (link: unspecified) -- EXTRA TCP VALUES: ACK=0x30532569, UNUSED=0, URG=0x0 (flags = 2) p0f/tmp/ack_set30100644000175100017500000000040007735556744013362 0ustar lcamtufusersThis looks more reasonable. Perhaps Windows? 81.211.124.39:2295 - UNKNOWN [58944:52:0:64:M1436,N,W2,N,N,T0,N,N,S:A:?:?] 
-> 217.8.32.51:80 (link: IPSec/GRE) -- EXTRA TCP VALUES: ACK=0xeff28b37, UNUSED=0, URG=0x0 (flags = 2) p0f/tmp/badly_broken_linux0100644000175100017500000000044707735556760015551 0ustar lcamtufusersHuh?! 69.15.35.161 - UNKNOWN [S4:44:1:60:M1452,S,T,N,W0:UA:?:?] (NAT!) (up: 0 hrs) -> 217.8.32.51:80 (link: pppoe (DSL)) 69.15.35.161 - - [05/Sep/2003:13:51:21 +0200] "GET /p0f.tgz HTTP/1.1" 200 53102 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b) Gecko/20030827" [lcamtuf.coredump.cx] p0f/tmp/extra_opts0100644000175100017500000000024107725113174014042 0ustar lcamtufusersAdvertises self as Win95: -- EXTRA TCP OPTIONS (packet below): 00 00 00 212.186.155.152:2734 - UNKNOWN [S12:116:1:48:M1460:EP:?:?] p0f/tmp/extra_opts20100644000175100017500000000056607725476020014140 0ustar lcamtufusers -- EXTRA TCP OPTIONS (packet below): 00 00 00 200.52.187.65:65450 - UNKNOWN [S12:109:1:48:M1380:EP:?:?] (NAT!) -> 217.8.32.51:80 (link: GPRS or FreeS/WAN) -- -- EXTRA TCP OPTIONS (packet below): 00 00 00 200.52.187.65:2543 - UNKNOWN [S12:109:1:48:M1380:EP:?:?] (NAT!) -> 217.8.32.51:80 (link: GPRS or FreeS/WAN) p0f/tmp/extra_opts30100644000175100017500000000032207735557042014134 0ustar lcamtufusersAn elusive OS I can't hunt down. -- EXTRA TCP OPTIONS (packet below): 00 00 00 200.48.231.161:18868 - UNKNOWN [65535:112:1:48:M960:EP:?:?] -> 217.8.32.51:80 (link: unknown-1000) p0f/tmp/README0100644000175100017500000000013707726355472012625 0ustar lcamtufusers This directory contains all kinds of nonsense I've spotted, but is yet to be identified. p0f/tmp/strange_opts0100644000175100017500000000106707726354732014401 0ustar lcamtufusers213.36.36.133 - UNKNOWN [16405:52:1:60:M1360,?5,N,T,N,?10:ZT:?:?] (up: 13 hrs) 213.36.36.133 - UNKNOWN [65535:155:1:60:E:PZ:?:?] -> 217.8.32.51:80 (link: 213.36.36.133 - UNKNOWN [65535:155:1:60:M1460,N,W1,E:PZ:?:?] -> 217.8.32.51:80 213.36.36.133 - UNKNOWN [65535:155:1:60:M1460,N,W1,N,E:PZ:?:?] -> [65535:155:1:60:M1460,N,W1,N,N,N,N,N,N,N,N,N,N,N,E:Z:?:?] 
-> 217.8.32.51:80 [65535:155:1:60:M1460,N,W1,N,N,N,N,N,N,N,N,N,N,N,N:Z!:?:?] -> 217.8.32.51:80 213.36.36.133 - UNKNOWN [S4:52:1:60:M1360,?5,N,T,N,?10:ZT:?:?] (up: 13 hrs) -> Probably just trying to annoy me. p0f/tmp/strange_ttl0100644000175100017500000000036207735557102014210 0ustar lcamtufusersWTF? 206.117.161.80 - UNKNOWN [0:1:0:40:.:.:?:?] -> 217.8.32.51:80 (link: unspecified) 206.117.161.80 - - [06/Sep/2003:18:09:51 +0200] "GET /p0f-help/https://coredump.cx:443/~lcamtuf/p0f-help/ HTTP/1.1" 404 797 "-" "-" [lcamtuf.coredump.cx] p0f/tmp/tstamp_set0100644000175100017500000000155207735557136014056 0ustar lcamtufusers Linux, so it would seem. Why T? 200.187.236.8 - UNKNOWN [5792:51:1:60:M1460,S,T,N,W0:T:?:?] (up: 335 hrs) -> 217.8.32.51:80 (link: ethernet/modem) 200.187.236.8 - - [06/Sep/2003:05:35:16 +0200] "GET /~lcamtuf/seekers/ HTTP/1.1" 200 1005480 "http://www.google.com.br/search?hl=pt-BR&ie=ISO-8859-1&q=gta+vice+city%2Bcrack%2B%22no+cd%22&lr=" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" [lcamtuf.coredump.cx] 62.13.65.11:58180 - UNKNOWN [5792:56:1:60:M1460,S,T,N,W0:T:?:?] (up: 9881 hrs) -> 217.8.32.51:80 (link: ethernet/modem) 192.138.110.87 - - [05/Sep/2003:08:08:48 +0200] "GET /seekers/ HTTP/1.0" 200 2346351 "http://www.google.com/search?hl=en&lr=lang_en%7Clang_sv&ie=UTF-8&oe=utf-8&q=%22pocketpc+2003%22+rom+warez&sa=N&tab=gw" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; .NET CLR 1.1.4322)" [lcamtuf.coredump.cx] p0f/tos.h0100644000175100017500000000336310404100435012075 0ustar lcamtufusers/* p0f - ToS database ------------------ A list of known and used ToS / priority combinations. Rare settings actually describe the originating network (since specific ISPs tend to set those values for all outgoing traffic). More popular settings are just described per their RFC meaning. 
The field we examine is actually 8 bits in the following format: PPP TTTT Z | | `- "must be zero" (yeah, sure) | `------ Type of Service `---------- Precedence bits (now used to denote priority) But all this is usually just called "ToS". The "must be zero" value is often, well, not zero, of course. Copyright (C) 2003-2006 by Michal Zalewski */ #ifndef _HAVE_TOS_H #define _HAVE_TOS_H #include "types.h" struct tos_def { _u8 tos; _u8* desc; }; /* THIS LIST MUST BE SORTED FROM LOWEST TO HIGHEST ToS */ /* Candidates: 1 Tiscali Denmark (must-be-zero!) 3 InfoAve (must-be-zero!) 5 AOL (must-be-zero!) 200 Borlange Sweden 96 Nextra 28 Menta 192 techtelnet.net */ static struct tos_def tos[] = { { 2, "low cost" }, /* LC */ { 4, "high reliability" }, /* HR */ { 8, "low delay" }, /* LD */ { 12, "DNA.FI / CTINETS" }, /* LD, HR */ { 16, "high throughput" }, /* HT */ { 32, "priority1" }, /* PRI1 */ { 40, "UTFORS Sweden" }, /* PRI1, LD */ { 64, "Tiscali Denmark" }, /* PRI2 */ { 80, "Bredband Scandinavia" }, /* PRI2, HT */ { 112, "Bonet Sweden" }, /* PRI3, HT */ { 128, "Cable.BG / Teleca.SE" }, /* PRI4 */ { 144, "IPTelecom / Alkar" }, /* PRI4, HT */ { 244, "top priority" }, /* PRI7 */ { 255, "Arcor IP" }, /* (bad) */ }; #define TOS_CNT (sizeof(tos) / sizeof(struct tos_def)) #endif /* ! _HAVE_TOS_H */ p0f/types.h0100644000175100017500000000117210466654647012463 0ustar lcamtufusers/* p0f - type definitions ---------------------- Short and portable names for various integer types. Copyright (C) 2003-2006 by Michal Zalewski */ #ifndef _HAVE_TYPES_H #define _HAVE_TYPES_H typedef unsigned char _u8; typedef unsigned short _u16; typedef unsigned int _u32; #ifdef WIN32 typedef unsigned __int64 _u64; #else typedef unsigned long long _u64; #endif /* ^WIN32 */ typedef signed char _s8; typedef signed short _s16; typedef signed int _s32; #ifdef WIN32 typedef signed __int64 _s64; #else typedef signed long long _s64; #endif /* ^WIN32 */ #endif /* ! 
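_HAVE_TYPES_H */ p0f/WIN32-Code/0040755000175100017500000000000007751123560012606 5ustar lcamtufusersp0f/WIN32-Code/getopt.c0100644000175100017500000001214007721674460014256 0ustar lcamtufusers
#include <stdio.h>   /* for EOF */
#include <string.h>  /* for strchr() */
#include "getopt.h"

/* static (global) variables that are specified as exported by getopt() */
char *optarg = NULL; /* pointer to the start of the option argument */
int   optind = 1;    /* number of the next argv[] to be evaluated */
int   opterr = 1;    /* non-zero if a question mark should be returned
                        when a non-valid option character is detected */

/*
 * getopt - minimal replacement for getopt(3) on platforms that lack it.
 *
 * Walks argv[] from optind, accepting option clusters introduced by
 * either '-' or '/'.  Parsing stops (EOF is returned) at the first
 * element that does not start with one of those characters, at the
 * markers "--", "-" and "/", or when argv[] is exhausted.  An option
 * letter followed by ':' in opstring takes an argument, taken from the
 * rest of the same element ("-bval") or, if that is empty, from the next
 * element ("-b val").
 *
 * Parameters:
 *   argc, argv - the command line as passed to main()
 *   opstring   - option letters; ':' after a letter marks it as taking
 *                an argument
 *
 * Returns the option letter found, EOF when there are no more options,
 * or, for an invalid letter / a missing required argument, '?' when
 * opterr is non-zero and the offending character itself otherwise.
 * optarg points at the argument (or is NULL); optind indexes the next
 * unprocessed argv[] element.
 *
 * Note: unlike POSIX, opterr does not control diagnostics here (nothing
 * is printed); it only selects '?' versus the raw character as the error
 * return value.
 */
int getopt(int argc, char *argv[], char *opstring) {
  static char *pIndexPosition = NULL; /* place inside current argv string */
  char *pArgString = NULL;            /* where to start from next */
  char *pOptString;                   /* the string in our program */

  if (pIndexPosition != NULL) {
    /* we last left off inside an argv string (e.g. "-ab" after 'a') */
    if (*(++pIndexPosition)) {
      /* there is more to come in the most recent argv */
      pArgString = pIndexPosition;
    }
  }

  if (pArgString == NULL) {
    /* we didn't leave off in the middle of an argv string */
    if (optind >= argc) {
      /* used up all command-line arguments */
      pIndexPosition = NULL;
      return EOF;
    }

    /* If the next argv[] is not an option, there can be no more options. */
    pArgString = argv[optind++];
    if (('/' != *pArgString) && ('-' != *pArgString)) {
      --optind;             /* leave optind on the first non-option */
      optarg = NULL;
      pIndexPosition = NULL;
      return EOF;
    }

    /* "--" is the conventional end-of-flags marker; it is consumed. */
    if (strcmp(pArgString, "--") == 0) {
      optarg = NULL;
      pIndexPosition = NULL;
      return EOF;
    }

    pArgString++;           /* look past the / or - */

    /* A bare "-" or "/" carries no option letter; treat it like "--".
     * Previously only "-" was caught: a lone "/" fell through to
     * strchr(opstring, '\0'), which matches the terminator of opstring,
     * so the ':' test below read one byte past opstring and the next call
     * stepped past the end of the argv element. */
    if ('\0' == *pArgString) {
      optarg = NULL;
      pIndexPosition = NULL;
      return EOF;
    }
  }

  if (':' == *pArgString) {
    /* ':' can never be an option letter; report it.  pIndexPosition is
     * left as is, so when we are already inside a cluster the following
     * letters are still picked up on the next call. */
    optarg = NULL;
    return (opterr ? (int)'?' : (int)':');
  }

  pOptString = strchr(opstring, *pArgString);
  if (pOptString == NULL) {
    /* The letter on the command line wasn't any good; abandon the cluster. */
    optarg = NULL;
    pIndexPosition = NULL;
    return (opterr ? (int)'?' : (int)*pArgString);
  }

  if (':' == pOptString[1]) {
    /* The letter takes an argument: the rest of this element, or the next one. */
    if ('\0' != pArgString[1]) {
      optarg = &pArgString[1];
    } else if (optind < argc) {
      optarg = argv[optind++];
    } else {
      /* required argument missing (bad input from the user) */
      optarg = NULL;
      pIndexPosition = NULL;
      return (opterr ? (int)'?' : (int)*pArgString);
    }
    pIndexPosition = NULL;  /* the argument used up the rest of the element */
  } else {
    /* no argument; remember where we are so the cluster continues */
    optarg = NULL;
    pIndexPosition = pArgString;
  }
  return (int)*pArgString;  /* return the letter that matched */
}
p0f/WIN32-Code/getopt.h0100644000175100017500000000021207721674460014260 0ustar lcamtufusers
#define _next_char(string) (char)(*(string+1))
extern char * optarg;
extern int optind;
int getopt(int, char**, char*);
p0f/WIN32-Prj/0040755000175100017500000000000007751124132012463 5ustar lcamtufusersp0f/WIN32-Prj/p0f.dsp0100644000175100017500000001063507740406260013665 0ustar lcamtufusers
# Microsoft Developer Studio Project File - Name="p0f" - Package Owner=<4>
# Microsoft Developer Studio Generated Build File, Format Version 6.00
# ** DO NOT EDIT **
# TARGTYPE "Win32 (x86) Console Application" 0x0103
CFG=p0f - Win32 Debug
!MESSAGE This is not a valid makefile. To build this project using NMAKE,
!MESSAGE use the Export Makefile command and run
!MESSAGE
!MESSAGE NMAKE /f "p0f.mak".
!MESSAGE
!MESSAGE You can specify a configuration when running NMAKE
!MESSAGE by defining the macro CFG on the command line.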
For example: !MESSAGE !MESSAGE NMAKE /f "p0f.mak" CFG="p0f - Win32 Debug" !MESSAGE !MESSAGE Possible choices for configuration are: !MESSAGE !MESSAGE "p0f - Win32 Release" (based on "Win32 (x86) Console Application") !MESSAGE "p0f - Win32 Debug" (based on "Win32 (x86) Console Application") !MESSAGE # Begin Project # PROP AllowPerConfigDependencies 0 # PROP Scc_ProjName "" # PROP Scc_LocalPath "" CPP=cl.exe RSC=rc.exe !IF "$(CFG)" == "p0f - Win32 Release" # PROP BASE Use_MFC 0 # PROP BASE Use_Debug_Libraries 0 # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" # PROP Use_MFC 0 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c # ADD CPP /nologo /W3 /GX /O2 /I "..\\" /I "..\WIN32-Code" /I "..\..\Wpdpack\include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c # ADD BASE RSC /l 0x409 /d "NDEBUG" # ADD RSC /l 0x409 /d "NDEBUG" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 # ADD LINK32 ws2_32.lib ..\..\WPdpack\Lib\wpcap.lib Advapi32.lib /nologo /subsystem:console /machine:I386 !ELSEIF "$(CFG)" == "p0f - Win32 Debug" # PROP BASE Use_MFC 0 # PROP BASE Use_Debug_Libraries 1 # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" # PROP Use_MFC 0 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D 
"_MBCS" /YX /FD /GZ /c # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /I "..\\" /I "..\WIN32-Code" /I "..\..\Wpdpack\include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c # ADD BASE RSC /l 0x409 /d "_DEBUG" # ADD RSC /l 0x409 /d "_DEBUG" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept # ADD LINK32 ws2_32.lib ..\..\WPdpack\Lib\wpcap.lib Advapi32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept !ENDIF # Begin Target # Name "p0f - Win32 Release" # Name "p0f - Win32 Debug" # Begin Group "Source Files" # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" # Begin Source File SOURCE="..\WIN32-Code\getopt.c" # End Source File # Begin Source File SOURCE="..\p0f-query.c" # End Source File # Begin Source File SOURCE=..\p0f.c # End Source File # End Group # Begin Group "Header Files" # PROP Default_Filter "h;hpp;hxx;hm;inl" # Begin Source File SOURCE=..\config.h # End Source File # Begin Source File SOURCE=..\fpentry.h # End Source File # Begin Source File SOURCE="..\WIN32-Code\getopt.h" # End Source File # Begin Source File SOURCE=..\mtu.h # End Source File # Begin Source File SOURCE="..\p0f-query.h" # End Source File # Begin Source File SOURCE=..\tcp.h # End Source File # Begin Source File SOURCE=..\types.h # End Source File # End Group # Begin Group "Resource Files" # PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" # End Group # End Target # End Project p0f/WIN32-Prj/p0f.dsw0100644000175100017500000000102307740351714013666 0ustar lcamtufusersMicrosoft Developer Studio Workspace File, Format Version 6.00 # WARNING: DO NOT EDIT OR 
DELETE THIS WORKSPACE FILE! ############################################################################### Project: "p0f"=".\p0f.dsp" - Package Owner=<4> Package=<5> {{{ }}} Package=<4> {{{ }}} ############################################################################### Global: Package=<5> {{{ }}} Package=<3> {{{ }}} ############################################################################### p0f/WIN32-Prj/p0f.ncb0100644000175100017500000020200007740406260013626 0ustar lcamtufusersMicrosoft C/C++ program database 2.00 JGA< 00 e % [  i; I T] PbkxBPP,0Ђ?/names/ncb/targetinfo/ncb/moduleinfo/ncb/storeinfo/ncb/iinstdefs/ncb/module/D:\passive\p0f\WIN32-Code\getopt.c/ncb/module/D:\passive\p0f\p0f.c/ncb/module/D:\passive\p0f\config.h/ncb/module/D:\passive\p0f\fpentry.h/ncb/module/D:\passive\p0f\WIN32-Code\getopt.h/ncb/module/D:\passive\p0f\mtu.h/ncb/module/D:\passive\p0f\tcp.h/ncb/module/D:\passive\p0f\types.h/ncb/target/p0f - Win32 Debug/ncb/target/p0f - Win32 Release/ncb/versioninfo!ҟ'6r O t  .E iY 0@|P`p(d4$%&'-./*01()+,2I,UU.pp )) _ ..O ,,I  // ++ -- **   %%A   ##    V 9 V  !!  %    . D  $$  > ku ks kzG YYU k| . ^^ 9AH  1; k{ 4J  MaZ 55 #CL N $klF 8hhE: 9) :k}+ ;VV^ <kw+ >t ?ktv Aq# D Fc I[n  JkmW  Kii Lky Mkq Nkk Oko Pkn0 Qkp UpX Vk~* W. X< Y 5 Zb ; [hh \kv ^y  _^d `UU aVV bf_ d  e^b f^`\ g^_5 hkx ikr j^f3 k^aAAAJAS} A aAQZck} s{IAA5A}PbhA AAAAAAAA?AlAA, $6  @ &&@ ,,*@ ((5@ 44@ 11@ 22D@ 55@ ''@  00@  //@  %%$@  33@  ..x@ ,,<@ ))@ 11@ 22O@ **d@ ++@ --  a. n 4 AA_ASAA_AA_A_AA;eTBP s  =@ @ X_ $/ 2B U@ ,,w@ -.@ '(@ %%&(@ ')D@ *+f@ --@ %&@  ''5S@  **n@  88n@  56, @  @@n@ 99n@ 34 @ >>n@ 55n@ 33> @ AA @ ??W  a.  Xa .__A_AA_A__A___      e  _ s  s A\  P i u  "& %% I     %    **  (( s@ ### p@ $$ .@ ##3 u@ %% @ ## .@ ##   ))   ++  :Y_  l  "G  $07A  %,,  f e _  _  }  y } U N p $)  /<   @ '' @ ((i @ &&X u@ %%w @ '' @ (( "@ 44 "@ 55 s@  88p "@  33L "@  11 s@  668 @  009 .@ ;; s@ 88 s@ 99% .@ :: s@ 77] "@ 22a .n  a .  __ e A  _AA A'sim\f.h    PvH?DlFe @A @ !   @@@@ ! 
DՂ?Pw?D@  @BTp?ll^TPvH? ngx?>  RT?N @xH?_ [ PvH?Dl Sk@" I$%"@ $@ @"")E)D$X ?Pw?D@  @BTp?ll^TPvH? ngx?>   BRT?N @xH?_  %@B? @@BH$D^?!*6H03 ;q+\A,* F# f?  4  U e _ A>G U H; Z F E,)[+tvqcn W 0;IT _ l G N *<  b A y f \532 o7s7?".#nnDޞ~[ɶh  %  P f 5; t1& 9  ID w    T!N  [   ;$4*X  J   '<i  8  E w    LOL   #   p0f - Win32 Debugp0f - Win32 ReleaseD:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\win32.ncbD:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\crt.ncbD:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\mfcatl.ncbD:\passive\p0f\WIN32-Code\getopt.c"getopt.h"optargchar *opterrintoptindgetoptint argcchar *argv[]char *opstringD:\passive\p0f\p0f.c"config.h""types.h""tcp.h""mtu.h""tos.h""fpentry.h"fp_entryuse_logfile_u8fltbpf_programcheck_collidemainchar **argvheader_lenpcap_pkthdralways_siglookup_tos_u8 *_u8 trst_modecollidevoid_u32 iddebug_u8 *format...use_rulegencnt_u32sigfp_entry %[MAXSIGS]problemsuse_dumpput_datefull_dumpwrite_dumpack_modebhfp_entry *%[16]dumperpcap_dumper_t *lookup_link_u16 mss_u8 txtparse_u8 *nonepcap_pkthdr *pph_u8 *packetconfig_filedisplay_signature_u8 ttl_u16 tot_u8 df_u8 *op_u8 ocnt_u16 wss_u8 wsc_u32 tstamp_u32 quirksgrab_name_u8 *aptpcap_t *die_nicely_s32 siguse_ifaceusage_u8 *nameload_config_u8 *filego_daemonno_osdescadd_timestampfatalset_header_len_u32 typeuse_promiscdump_packet_u8 *pkt_u16 plenno_knownst_timedump_payload_u8 *data_u16 dlenpkcntno_unknowndo_resolvefind_match_u32 src_u32 dst_u16 sp_u16 dp_u8 tos_u8 ecn_u8 plen_u8 *payno_extramode_onelineno_bannersigcntpayload_dumpD:\passive\p0f\config.hD:\passive\p0f\fpentry.hfp_entry::osfp_entry::descfp_entry::no_detailfp_entry::genericfp_entry::userlandfp_entry::wsize_u16fp_entry::wsize_modfp_entry::ttlfp_entry::dffp_entry::zero_stampfp_entry::sizefp_entry::optcntfp_entry::opt_u8 %[MAXOPT]fp_entry::wscfp_entry::mssfp_entry::wsc_modfp_entry::mss_modfp_entry::quirksfp_entry::linefp_entry::nextfp_entry 
*D:\passive\p0f\WIN32-Code\getopt.hD:\passive\p0f\mtu.hmtu_defmtu_def::mtumtu_def::devmtumtu_def %[]D:\passive\p0f\tcp.hip_headerip_header::ihlip_header::tosip_header::tot_lenip_header::idip_header::offip_header::ttlip_header::protoip_header::cksumip_header::saddrip_header::daddrtcp_headertcp_header::sporttcp_header::dporttcp_header::seqtcp_header::acktcp_header::_x2unsigned int %: 4tcp_header::dofftcp_header::flagstcp_header::wintcp_header::cksumtcp_header::urgD:\passive\p0f\types.h_s8signed charunsigned char_s16short_s32_s64__int64unsigned shortunsigned int_u64unsigned __int64_u8 **int *useuse_cache:d0 $ PS \Ol>*5^ZwQ<a*xhI }Dc3)T  ;xF, + E%Bmk k5f5 u IbD&U;fcN sZ<t _ v [i 5 ?'e U J GSH{0A,q> I,XX ))  ..0  ,, ++D --V ** %% ##V  !!   %   $$>O q} q{_ qG \\U q   aa: <DH  :;; q =S . VjZ 88 #FOF 7qxE 8) 9q :YY+ ;q+ =t. >q|v @q5 C Ec Hk Iq Jqy Kqq Lqw Mqv0# Nqx Rh Sq*. T U  < V  W Xq~N Z [XX_ \YY ]f^ _ `ac\ aab5 bq cqz dai3 eadAAAJAS} A aQZck} s{IAA5A}PbhAAAAAAAA?AlAA'sim\f.h[ PvH?DlFe @A @ !   @@@@ ! Dׂ?Pw?D@  @BTp?ll^TPvH? ngx?>   BRT?N @xH?_C e _ A>GUH; ZFE,)[+tvqc0;IT*< f\53~?:~9u'8$yFsS<  v*:$ O5' & 2D _d/*5  D(.*"x0&;D%, .<0ԧU/> ; C=7f ,5I@5BTw 9[A E$)%e 13E U>>  G+(c-    t)<8Z!*6H03 ;q+\A,* F# f?  4   *@  _"0=d  ((]  3 ;%@(    p  QxF+A  .G    H+0  _ .  
<B9 Al  A  H#M I (   C   (B)-\NW 7 XG:, 3R fKb D  8 >n 6v2> 9Gy G  I   *?/Z(&,  <5Oe 5   q3AE,  )DaAF  U%XaA U$>  0c5     p0f - Win32 Debugp0f - Win32 ReleaseD:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\win32.ncbD:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\crt.ncbD:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\mfcatl.ncbD:\passive\p0f\WIN32-Code\getopt.c"getopt.h"optargchar *opterrintoptindgetoptint argcchar *argv[]char *opstringD:\passive\p0f\p0f.c"config.h""types.h""tcp.h""mtu.h""tos.h""fpentry.h"fp_entryuse_logfile_u8fltbpf_programcheck_collidemainchar **argvheader_lenpcap_pkthdralways_siglookup_tos_u8 *_u8 trst_modecollidevoid_u32 iddebug_u8 *format...use_rulegencnt_u32sigfp_entry %[MAXSIGS]problemsuse_dumpput_datefull_dumpwrite_dumpack_modebhfp_entry *%[16]dumperpcap_dumper_t *lookup_link_u16 mss_u8 txtparse_u8 *nonepcap_pkthdr *pph_u8 *packetconfig_filedisplay_signature_u8 ttl_u16 tot_u8 df_u8lip_header::tosip_header::tot_lenip_header::idip_header::offip_header::ttlip_header::protoip_header::cksumip_header::saddrip_header::daddrtcp_headertcp_header::sporttcp_header::dporttcp_header::seqtcp_header::acktcp_header::_x2unsigned int %: 4tcp_header::dofftcp_header::flagstcp_header::wintcp_header::cksumtcp_header::urgD:\passive\p0f\types.h_s8signed charunsigned char_s16short_s32_s64__int64unsigned shortunsigned int_u64unsigned __int64_u8 **int *useuse_cache"p0f-query.h"masq_thresquery_cachemasq_flagsset_userfind_masqD:\passive\p0f\p0f-query.cccache_data (*%)[]p0f_responseflagscur_ccache_datacache_data::sadcache_data::dadcache_data::portscache_data::signocache_data::msscache_data::sscorep0f_initcache_u32 csizp0f_descmasqp0f_findmasq_u32 sad_u8 *genre_s8 dist_u8 nat_u8 fw_u32 signop0f_addcache_u32 saddr_u32 daddr_u16 sport_u16 dport_u8 *detail_u8 *link_u8 *tos_u8 realQUERY_CACHED:\passive\p0f\p0f-query.hp0f_response::magicp0f_response::idp0f_response::typep0f_response::genre_u8 %[20]p0f_response::detail_u8 
%[40]p0f_response::distp0f_response::link_u8 %[30]p0f_response::tosp0f_response::fwp0f_response::natp0f_response::realp0f_response::scorep0f_response::mflagsp0f_queryp0f_query::magicp0f_query::idp0f_query::src_adp0f_query::dst_adp0f_query::src_portp0f_query::dst_port #  N lT,w xP c )s H53 N S W +X Q  9 p  v L _I3 e B ] ;G  JU  % I0*aG A 5' xy   Ud,  9 > DZc% <_   Zb8 i  mq \n l .   I ;{ < i   > k b   5A h*  $D5?[S k u  U Of f ^ wy  t & 0A}F E,0Ђ?/names/ncb/targetinfo/ncb/moduleinfo/ncb/storeinfo/ncb/iinstdefs/ncb/module/D:\passive\p0f\WIN32-Code\getopt.c/ncb/module/D:\passive\p0f\p0f.c/ncb/module/D:\passive\p0f\config.h/ncb/module/D:\passive\p0f\fpentry.h/ncb/module/D:\passive\p0f\WIN32-Code\getopt.h/ncb/module/D:\passive\p0f\mtu.h/ncb/module/D:\passive\p0f\tcp.h/ncb/module/D:\passive\p0f\types.h/ncb/target/p0f - Win32 Debug/ncb/target/p0f - Win32 Release/ncb/versioninfo/ncb/module/D:\passive\p0f\p0f-query.c/ncb/module/D:\passive\p0f\p0f-query.h#ҿ'6r O t  .E x7 0@8 P`p(d,+x+;6%789: !"#345p0f/WIN32-Prj/p0f.NET.ncb0100644000175100017500000036600007751125300014261 0ustar lcamtufusersMicrosoft C/C++ MSF 7.00 DS{s8@.1؂?K%LkOl/names/ncb/targetinfo/ncb/moduleinfo/ncb/storeinfo/ncb/iinstdefs/ncb/referenceInfo/ncb/module/d:\passive\p0f\WIN32-Code\getopt.c/ncb/module/d:\passive\p0f\p0f.c/ncb/module/d:\passive\p0f\config.h/ncb/module/d:\passive\p0f\fpentry.h/ncb/module/d:\passive\p0f\WIN32-Code\getopt.h/ncb/module/d:\passive\p0f\mtu.h/ncb/module/d:\passive\p0f\tcp.h/ncb/module/d:\passive\p0f\types.h/ncb/versioninfo/ncb/module/d:\passive\p0f\p0f-query.h/ncb/module/d:\passive\p0f\tos.h/ncb/module/d:\winpcap\wpcap\libpcap\bpf\net\bpf.h/ncb/module/d:\winpcap\wpcap\libpcap\pcap.h/ncb/module/d:\program files\microsoft visual studio .net 2003\vc7\include\sys\types.h/ncb/target/__NcbPseudoTarget__/ncb/module/d:\passive\p0f\p0f-query.c&;Ab E X 6  ' =Ps?T|@L < 8]T@ABCDEUVWXYZ[KLMNOPQR 
S%&'()*+,-assive\p0f\mtu.h/ncb/module/d:\passive\p0f\tcp.h/ncb/module/d:\passive\p0f\types.h/ncb/versioninfo/ncb/module/d:\passive\p0f\p0f-query.h/ncb/module/d:\passive\p0f\tos.h/ncb/module/d:\winpcap\wpcap\libpcap\bpf\net\bpf.h/ncb/module/d:\winpcap\wpcap\libpcap\pcap.h/ncb/module/d:\program files\microsoft visual studio .net 2003\vc7\include\sys\types.h/ncb/target/__NcbPseudoTarget__&;Ab E X 6  ' =! Cq DYY/ Eq @G+ Hq|<5X|@L < 8L?@ABCDEFGHIJ34516789:;<=./0 " !>#$%&'()*+,-2t.h/ncb/module/d:\passive\p0f\mtu.h/ncb/module/d:\passive\p0f\tcp.h/ncb/module/d:\passive\p0f\types.h/ncb/versioninfoaR'E 6 b AX      i4  B %;   $/X EGI 2Bubl 2 ssi ? ssi  CB_           } ssi     ""   !!L ~  p   d  X       % Get@0,,G ; #@0-.  { @0'( @0%% ssi@0') fin@0*+6 INT@0-- ##x@0%&  cl@0'' API@0** def@088  #d@056 BEG@0@@ INK@099u RFA@0 34 AGE@0!>> fin@0"55c N_E@0#33 #d@0$AA GIN@0%???p%"?$2p!#' &8 E ZU 0 g S x k _ 8        J M^ OS Rk Sqt Tmm Uqt Vqy Wqq6 Xqw Yqvo Zqx ^hW _q\ aVVn bE c   dE e fll gq~ i jag9 kXX~ lYY mN oz paf qacd rab sq tqz uai vad CZNNjvNN )1=NN^hNjvN )1=vN iX*   [ ~ ??O #   = @0 @0c 8  % "& ?   ^   i N[ M M&_PR **^% ..% ]]9&; # ((%@0 ##&N_P@0 $$%ass@0 ##+&pub@0 %%%@0 ## &#de@0##% ))% ++efi  :ZOP_ !PER * -`| /07Y&) c 0,,oZ*g%%%%%;& * N +6AMW`3'Nx3'NNx Get $6ent  KxS WxS _xS BxS xS  ssi ssi ssi xS  ixS  - ssi  \ ssi  ""E ssi  !!xS xS xS r API ::2~   { @0&&  __@0,, ubl@0(( @044 @011 @022 @055 EGI@0''V TER@000E e B@0//  cl@0%% @0336 _AT@0.. GIN@0 ,, fin@0!))r OUN@0"11 @0#22 INT@0$** ##x@0%++! ic @0&--N#&'"x(!$% UgZ" t: g Q Z8  d      # * 1 ; ))3ssi ..# ,,? //ssi +++ -- **  %%  ## w   ssi !! ^   i~   $$  kkM 22  [[ kuz ks  kz YYI k|  ^^d @9A  @!1 "k{ %4JQ (Ma )55? @,CL -kl @Ahhr B! 
Ck} DVV/ Ekw @G+ Hkt J M^ OS R[ Skm Tii Ukyt Vkq Wkk6 Xko Ykno Zkp ^pXW _k~\ aSSn bE c dE e fhh gkv i j^d9 kUU~ lVV mN oz p^b q^`d r^_ skx tkr u^f v^a CZNNjvNN )1=NN^hNjvN )1=vN iX*NcNN=NT ,,3ssi 11#N[ //?MA_ 22ine ..+ssi 00END --ssi ssi ((ssi ssi &&ssi wssi ssi ##ssi ssi $$ic ""^ssi ssi ssi iROP ssi ssi ''ssi OUN MP(x 55 EN _MA ^^ nxz nv  n} \\I n: p  aad @<D ubl @!6 "n~e B %9OQ (Rf )88?#de @,FO -no @Amr B! Cn DYY/ Enz @G+D_R Hnw% "& ? )  ^¤   ie  M M&Zd **^% ..%) \\9& ((%@0 ##&)@0 $$%@0 ##+&@0 %%%@0 ## &@0##%) ))% ++ :Yq   ( +_| -07Y& .,,sZ*g%%%%%;& * N +6AMW`NxNNxg $) /<  - K  !!f     = Y  rm         ,, -- ++   EG!NN)KL,II|.CCB@0/''h@00(("@01&&@02%%0@03''T@04((H@0544g@0655@0788*@0833@0911z@0:66@0;00@0<;;@0=88@0>99@0?::@0@77@0A22&$,# !\%o+c"()*'6Rk&D_{UZ8N +6AMW`NxNN  ]C> x   (  i4 n B %;+2 ? ^SKW_BM [ t6o4BW\nEE  i- \ E r }9~YiX    } L p d X Nzd92 H}!W~6mw៿_O%  4_49 bi 9$   B6  Q! JxGL G !. ;)^Y  +2X Jssi ssi 77ssi ((ssi ""ssi --ssi ssi 11 CC HH ;; ??  NN}ssi issi Yssi 9ssi )~  Us`=8/0 $* d 9J o> "p z  Q( }  O H! (8  [      6 !? !r-   I  # E   "5  xssi *ssi ssi Cssi  ssi ssi bssi ~ 8}GSg t: M~EEr $H~ _~~K E D&IS6#  '/+\ d#3 % 2T?   
5r BzN=M CK    OF R\AW 1)  k D:\passive\p0f\WIN32-Prj\p0f.NET.vcproj|Debug|Win32D:\passive\p0f\WIN32-Prj\p0f.NET.vcproj|Release|Win32d:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\vcpackages\prebuilt.ncbd:\passive\p0f\WIN32-Code\getopt.c"getopt.h"opterrintgetoptint argcchar *argv[]char *opstringoptargchar *optindd:\passive\p0f\p0f.c"config.h""types.h""tcp.h""mtu.h""tos.h""fpentry.h""p0f-query.h"MSG_NOSIGNAL0pfataldo { debug("[-] ERROR: "); perror(); exit(1); } while (0)xSIGHASH(( (_u8) ((() << 1) ^ (() << 1) ^ () ^ () )) & 0x0f)tsizeoptcntqdfMY_MAXDNS32GET16((_u16) *((_u8*)()+0) << 8 | (_u16) *((_u8*)()+1) )pput_datevoidmainchar **argvdebug_u8 *format...use_cache_u8 *query_cache_u32mode_oneline_u8use_logfilest_timeno_extrafind_masquse_ruledisplay_signature_u8 ttl_u16 tot_u8 df_u8 *op_u8 ocnt_u16 mss_u16 wss_u8 wsc_u32 tstamp_u32 quirkscheck_collidepayload_dumpuse_ifacepkcntno_bannersigcntset_usergencntack_modebhfp_entry *%[16]no_osdescuse_dumpgrab_name_u8 *adie_nicely_s32 sigrst_modedumperpcap_dumper_t *always_sigdo_resolvemasq_thres_s32go_daemonsigfp_entry %[MAXSIGS]dump_payload_u8 *data_u16 dlenfltbpf_programconfig_filemasq_flagsfind_match_u32 src_u32 dst_u16 sp_u16 dp_u8 tos_u8 ecn_u8 *pkt_u8 plen_u8 *payuse_promisclookup_link_u8 txtcollide_u32 idfull_dumpheader_lenno_knownfatalproblemsusage_u8 *namelookup_tos_u8 tno_unknownadd_timestampset_header_len_u32 typeparse_u8 *nonepcap_pkthdr *pph_u8 *packetload_config_u8 *fileptpcap_t *dump_packet_u16 
plenwrite_dumpd:\passive\p0f\config.h_HAVE_CONFIG_HVER"2.0.3-beta"CONFIG_DIR"."SYN_DB"p0f.fp"SYNACK_DB"p0fa.fp"RST_DB"p0fr.fp"MAXSIGS1024MAXLINEMAXDIST40MAXOPT16DEFAULT_QUERY_CACHE128PKT_DLENPKT_MAXPAY45PACKET_BIG100PACKET_SNAPLEN200QUERY_TIMEOUT2d:\passive\p0f\fpentry.h_HAVE_FPENTRY_HMOD_NONEMOD_CONST1MOD_MSSMOD_MTU3QUIRK_PAST0x00000001QUIRK_IPOPT0x00000004QUIRK_URG0x00000008QUIRK_X20x00000010QUIRK_ACK0x00000020QUIRK_T20x00000040QUIRK_FLAGS0x00000080QUIRK_DATA0x00000100QUIRK_BROKEN0x00000200QUIRK_RSTACK0x00000400QUIRK_SEQEQ0x00000800QUIRK_SEQ00x00001000QUIRK_ZEROIDfp_entryfp_entry::osfp_entry::descfp_entry::no_detailfp_entry::genericfp_entry::userlandfp_entry::wsize_u16fp_entry::wsize_modfp_entry::ttlfp_entry::dffp_entry::zero_stampfp_entry::sizefp_entry::optcntfp_entry::opt_u8 %[MAXOPT]fp_entry::wscfp_entry::mssfp_entry::wsc_modfp_entry::mss_modfp_entry::quirksfp_entry::linefp_entry::nextfp_entry *d:\passive\p0f\WIN32-Code\getopt.h_next_char(char)(*(+1))stringchar ** d:\passive\p0f\mtu.h_HAVE_MTU_HMTU_CNT(sizeof(mtu) / sizeof(struct mtu_def))mtu_defmtu_def::mtumtu_def::devmtumtu_def %[]d:\passive\p0f\tcp.h_HAVE_TCP_HTCPOPT_EOLTCPOPT_NOPTB  PvH?IUv@"BB!"@@ @B!A! ?  A$ Pw? )&$ @@$B ABTp?  PvH? #:  ngx?:: (%H$)"$""B!"DRT?c  AxH?a-AHHR$P HH^?i$@J9w?#@%""zUUʤ9o9';9U0%0>9d$d@V@3 ViVh R*:kVR Me?r$<% <\wC%Y&.@@ ­6?RE_ 1 X x  IE  E 2  iB= d : N  6  wG KQ )+ }c ok}  }r `FGIN J M^ OS R Snp Tll Un|tR_M Vnt Wnn6 Xnr Ynqo Zns ^W _n\ aVVn bE c dE e fkk gny i __ jag9e E kXX~ lYYTER mNic  oz pae_AT qac\'__S rnd sab) } tn{ unu vai wad CZNNjvNN )1=NN^hNjvN )1=vN iX*NcNN=NT JN[  77 (( "" -- ' >> 11 JJ OO BB FF  UU} i Y 9 )  U's`'8 nam $6ssi  Kssi Wssi _ssi Bssi ssi     ssi  issi  -   \   ""E   !!ssi ssi ssi r cla ::2N[  NUL@0&& @0,, TIM@0(( @044 @011 @022 @055  cl@0''V @000E @0//  pf@0%% @0336 @0.. @0 ,, cla@0!))r @0"11 @0#22 urn@0$** e I@0%++! @0&--g#&e'y"(!$% UgZ" t: g Q Z8  d     +6AMW`NxNN  ]C> xnpc  npc npc BB~npc npc 1@npc@0npc@0M8!  
v HK PS `c@npc ssnpc pplnpc uunpc vvnpc yy$npc zzLLAR {{Unpc ttnpc  qqnpc  rrnpc  wwnpc  xxct  }}ACE ~~mt i ||  U &b5, ;;   Q m          ! "T ' (n )z *+ + ,npc -ee .BB /AA 0 1 2CCnpc 3ffZ 4 6 83 9e : ;@ =z > ?11 @ A C E G H- K L] M N% O PF R?? SOMM TNNKcla U< Vlas Wwdef X CON Yuue = Z1LSI [_AC \lic ]AAne ^Spub _// w1 `% ak_NO be B cAND dSS=) R ey { fCH_ gb() h44 { i]]3e E j%%&GOR kEOPS l**R * mbli nttsx) o<<aUTO p id qrn rOCE sER_ tHH&UID u3) v' wssX_CR x AR yefi zmm3pub {ace |D@0c@0w@0)@0@0@0@0@0 33#@0JJ@0II@0RR@0QQW 44@0aa@0bb,wtuv,xzy{~,-Ju/Za y u4k  [iux u u u  ]iR{~uuS &U&Uii; Gi iii_ 6iR u uTx VMg;^Ut"I/oA/OZ}i 0 WW<NNNN }# x" i   ~npc   i  ..Ynpc ((npc 00npc npc npc npc FFnpc npc CCnpc DDnpc 88D!" MMW NN"npc #%% @0$% @0%: @0& @0'@0( )TT+M 1P$8*:!<">"Cs GIK]#N" ORRl#Q5$@0R#@0Syy$@0T}}$@0U~~#@0V||#@0Wzz#@0X{{ZQ"]_d$aMc!fnpc g##@0h#@0i6#@0j#@0k"@0lZ  mSS4!opnpcrp"t"ynpc~ !E#'anpcUnpc@0@0u@08 "@"! @0 @0 @0!@0 @0 !@0Y QQlN@TP/3420-1.P@?"=<>jQOPw^[ \Z_]ZUt S!j!~!!!!N;,"8"8N;W;WN} N"v#WWWWb";NN;;;W;"d ;;""; O#4>W;;N;WW<44E44;;`;$npc ==$npc $mX 00$npc JJ$npc ##%npc !! %npc 66%npc ))<%npc CC$%npc ::%npc --*%npc GG5%npc 88888S0%S0%  # * 1 ;ssi 11 +++ -- **  %%  ## w ssi   !! ^  ssi i   $$  {{M 55  ^^ q}z q{  q \\I q   aad @<D  @!: "q %=SQ (Vj )88? @,FO -qs @Aqxr B! Cq DYY/ Eq @G+ Hq| ssi  [ N[ @@O #  ssi > ssi@0 ssi@0kc 8  Wqq6 Xqw Yqvo Zqx ^hW _q\ aVVn bE c   dE e fll gq~ i jag9 kXX~ lYY mN oz paf qacd rab sq tqz uai vad CZNNjvNN )1=NN^hNjvN )1=vN iX* cl (- 3A  -ssi Kssi ssi %%0(ssi !!fssi ssi ssi  ssi =ssi  Yssi  rssi  ssi  E(ssi  $$7(ssi ""ssi ssi  00 11 //N[  $JM%TT.QR1OO|3HHB@04++h@05,,"cla@06**@07))0urn@08++T@09,,H@0:88g@0;99@0<<<*@0=77@0>55z@0?::@0@44@0A??@0B<<@0C==@0D>>@0E;;@0F66L(@0G@@j !p"h)'/&#$f(e.h%+,-*706Rk&D_{8 >(UZ8N +6AMW`3'Nx3'NN  ]C> x* ssi $/X  2B 2 ssi ? ssi  N[  ssi  ssi  ssi  ssi  ssi } ssi   ssi  "" ssi  !!L ssi  p ssi  d ssi X ssi  ssi  ssi  % @0,,G @0-. 
@0'( @0%% @0') @0*+6 B[@0-- @0%& @0'' @0** @088 @056 @0@@ @099u @0 34 @0!>> @0"55c @0#33@0$AA @0%??jphB%"$ph!#' &8 E ZU 0 g S x k _ 8       5  x *  C  N[  b  8}GSg @B!A! ׂ?  A$ Pw? )&$ @@$B ABTp?  PvH? #:  ngx?:: (%   , BB~e T pti 1@@0F@08 AxH?a-AHHR$P HH^?i$@J9w?#@%""zUUʤ9o9';9U0%0>9d$d@V@3 ViVh R*:kVR Me?r$<% <\w!  v HK PS `c@ ss ppl uu~ vv yy$V zzLcla {{U tt  qq  rr  wwr|  xx pf  }}NUL ~~mnam ||  U &ssi ;;   Q m          ! "T ' (n )z *+ + , -eessi .BBssi /AA 0 1ssi 2CC!x 3ff 4 6 83 9e : ;@ =z >ssi ?11 @ A C E G H- K L] M N% O PFssi R?? S TNNK U< V Ww X  Yuue I Z1 [ \ ]AA ^S _//cla `urn ak b c dSS= e f gb h44 i]]3 j%%& kE l**TIM m ntts o<<a p q r s tHH& u v wssX x y zmm3 { cl |D@0c@0w@0)@0@0@0@0@0 33#@0JJ@0II@0RR@0QQW 44@0aa@0bbNwtuvMxzy{~MNJu/Za y u4k  [iux u u u  ]iR{~uuS &U&Uii; Gi iii_ 6iR u uTx VMg;^Ut"I/oA/OZ}i 0 WW<NNNN  O D}#   4 #'] #/  B L & ^ T3q  ~ #3 <L [ ^ ' ! m iI )w \ )Q  "#4 w  W@ 9 Z dP }# x" i   ~ssi issi ssi ..Y ((X 00ssi ssi ssi ssi FFssi ssi CCssi DDssi 88"  MMW NNssi %% @0% @0: @0 @0@0 TT!M 'P$.*0!2"4"9s =?A]#D" ERRl#G5$@0H#@0Iyy$@0J}}$@0K~~#@0L||#@0Mzz#@0N{{PQ"SUd$WMY!\ssi ]##@0^#@0_6#@0`#@0a"@0bZ  cSS4!epssihp"j"ossit v!xE#{'assiUssi@0@0u@08 "@"! 
@0 @0 @0!@0 @0 !@0Y QQU-120./,>=";:<OMN@\Y ZX][ZUt N;,"8"8N;W;WN} N"v#WWWWb";NN;;;W;"d ;;""; O#4>W;;N;WW<44E44;;`kW C%D:\passive\p0f\WIN32-Prj\p0f.NET.vcproj|Debug|Win32D:\passive\p0f\WIN32-Prj\p0f.NET.vcproj|Release|Win32d:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\vcpackages\prebuilt.ncbd:\passive\p0f\WIN32-Code\getopt.c"getopt.h"opterrintgetoptint argcchar *argv[]char *opstringoptargchar *optindd:\passive\p0f\p0f.c"config.h""types.h""tcp.h""mtu.h""tos.h""fpentry.h""p0f-query.h"MSG_NOSIGNAL0pfataldo { debug("[-] ERROR: "); perror(); exit(1); } while (0)xSIGHASH(( (_u8) ((() << 1) ^ (() << 1) ^ () ^ () )) & 0x0f)tsizeoptcntqdfMY_MAXDNS32GET16((_u16) *((_u8*)()+0) << 8 | (_u16) *((_u8*)()+1) )pput_datevoidmainchar **argvdebug_u8 *format...use_cache_u8 *query_cache_u32mode_oneline_u8use_logfilest_timeno_extrafind_masquse_ruledisplay_signature_u8 ttCPOPT_MAXSEGTCPOPT_WSCALETCPOPT_SACKOK4TCPOPT_TIMESTAMP8IP_DF0x4000IP_MF0x2000TH_FIN0x01TH_SYN0x02TH_RST0x04TH_PUSH0x08TH_ACK0x10TH_URG0x20TH_ECE0x40TH_CWR0x80ip_headerip_header::ihlip_header::tosip_header::tot_lenip_header::idip_header::offip_header::ttlip_header::protoip_header::cksumip_header::saddrip_header::daddrtcp_headertcp_header::sporttcp_header::dporttcp_header::seqtcp_header::acktcp_header::_x2unsigned int %: 4tcp_header::dofftcp_header::flagstcp_header::wintcp_header::cksumtcp_header::urgd:\passive\p0f\types.h_HAVE_TYPES_H_s8signed charunsigned short_u64unsigned __int64_s16shortunsigned char_s64__int64unsigned intRelease|Win32__NcbPseudoTarget__d:\passive\p0f\p0f-query.h_HAVE_P0FQUERY_HQUERY_MAGIC0x0defacedNO_SCORE-100D_GENRE0x0001D_DETAIL0x0002D_LINK0x0004D_DIST0x0008D_NAT0x0010D_FW0x0020D_NAT2_10x0040D_FW2_10x0080D_NAT2_20x0100D_FW2_20x0200D_FAR0x0400RESP_OKRESP_BADQUERYRESP_NOMATCHp0f_handlequery_s32 sockp0f_query *qp0f_queryp0f_query::magicp0f_query::idp0f_query::src_adp0f_query::dst_adp0f_query::src_portp0f_query::dst_portp0f_initcache_u32 csizp0f_descmasqp0f_findmasq_u32 sad_u8 *genre_s8 dist_u8 
nat_u8 fw_u32 signop0f_responsep0f_response::magicp0f_response::idp0f_response::typep0f_response::genre_u8 %[20]p0f_response::detail_u8 %[40]p0f_response::distp0f_response::link_u8 %[30]p0f_response::tosp0f_response::fwp0f_response::natp0f_response::realp0f_response::scorep0f_response::mflagsp0f_addcache_u32 saddr_u32 daddr_u16 sport_u16 dport_u8 *detail_u8 *link_u8 *tos_u8 reald:\passive\p0f\tos.h_HAVE_TOS_HTOS_CNT(sizeof(tos) / sizeof(struct tos_def))tostos_def %[]tos_deftos_def::tostos_def::descd:\winpcap\wpcap\libpcap\bpf\net\bpf.hBPF_RELEASE199606BPF_ALIGNMENTsizeof(bpf_int32)BPF_WORDALIGN((()+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))BPF_MAXINSNS512BPF_MAXBUFSIZE0x8000BPF_MINBUFSIZEBPF_MAJOR_VERSIONBPF_MINOR_VERSIONBIOCGBLEN_IOR(B,102, u_int)BIOCSBLEN_IOWR(B,102, u_int)BIOCSETF_IOW(B,103, struct bpf_program)BIOCFLUSH_IO(B,104)BIOCPROMISC_IO(B,105)BIOCGDLT_IOR(B,106, u_int)BIOCGETIF_IOR(B,107, struct ifreq)BIOCSETIF_IOW(B,108, struct ifreq)BIOCSRTIMEOUT_IOW(B,109, struct timeval)BIOCGRTIMEOUT_IOR(B,110, struct timeval)BIOCGSTATS_IOR(B,111, struct bpf_stat)BIOCIMMEDIATE_IOW(B,112, u_int)BIOCVERSION_IOR(B,113, struct bpf_version)BIOCSTCPF_IOW(B,114, struct bpf_program)BIOCSUDPF_IOW(B,115, struct bpf_program)SIZEOF_BPF_HDR18DLT_NULLDLT_EN10MBDLT_EN3MBDLT_AX25DLT_PRONETDLT_CHAOS5DLT_IEEE8026DLT_ARCNET7DLT_SLIPDLT_PPP9DLT_FDDI10DLT_ATM_RFC148311DLT_RAW12DLT_SLIP_BSDOS13DLT_PPP_BSDOS14DLT_ATM_CLIP19DLT_PPP_SERIAL50DLT_PPP_ETHER51DLT_C_HDLC104DLT_CHDLCDLT_IEEE802_11105DLT_FRELAY107DLT_LOOP108DLT_LINUX_SLL113DLT_LTALK114DLT_ECONET115DLT_IPFILTER116DLT_PFLOG117DLT_CISCO_IOS118DLT_PRISM_HEADER119DLT_AIRONET_HEADER120DLT_HHDLC121DLT_IP_OVER_FC122DLT_SUNATM123DLT_RIO124DLT_PCI_EXP125DLT_AURORA126DLT_IEEE802_11_RADIO127DLT_TZSPDLT_ARCNET_LINUX129BPF_CLASS(() & 0x07)codeBPF_LD0x00BPF_LDXBPF_STBPF_STX0x03BPF_ALUBPF_JMP0x05BPF_RET0x06BPF_MISC0x07BPF_SIZE(() & 0x18)BPF_WBPF_HBPF_BBPF_MODE(() & 0xe0)BPF_IMMBPF_ABSBPF_INDBPF_MEM0x60BPF_LENBPF_MSH0xa0BPF_OP(() & 
0xf0)BPF_ADDBPF_SUBBPF_MULBPF_DIV0x30BPF_ORBPF_AND0x50BPF_LSHBPF_RSH0x70BPF_NEGBPF_JABPF_JEQBPF_JGTBPF_JGEBPF_JSETBPF_SRC(() & 0x08)BPF_KBPF_XBPF_RVALBPF_ABPF_MISCOP(() & 0xf8)BPF_TAXBPF_TXABPF_STMT{ (u_short)(), 0, 0,  }kBPF_JUMP{ (u_short)(), , ,  }jtjfBPF_MEMWORDSbpf_insnbpf_insn::codeu_shortbpf_insn::jtu_charbpf_insn::jfbpf_insn::kbpf_int32bpf_statbpf_stat::bs_recvu_intbpf_stat::bs_dropbpf_mtapbpf_hdrbpf_hdr::bh_tstamptimevalbpf_hdr::bh_caplenbpf_u_int32bpf_hdr::bh_datalenbpf_hdr::bh_hdrlenbpfilterattachbpf_tapbpf_filterbpf_insn *u_char *bpf_versionbpf_version::bv_majorbpf_version::bv_minorbpf_validatebpfattachbpf_program::bf_lenbpf_program::bf_insnsd:\winpcap\wpcap\libpcap\pcap.h"remote-ext.h"lib_pcap_hSOCKETPCAP_VERSION_MAJORPCAP_VERSION_MINORPCAP_ERRBUF_SIZE256PCAP_IF_LOOPBACKMODE_CAPTMODE_STATMODE_MONpcap_handlervoid (*%)(u_char *, const struct pcap_pkthdr *, const u_char *)pcap_perrorpcap_open_deadpcap_list_datalinksint ** pcap_looppcap_open_liveconst char *pcap_filenopcap_freealldevspcap_if_t *pcap_set_datalinkpcap_closepcap_setfilterbpf_program *pcap_open_offlinepcap_next_expcap_t *ppcap_pkthdr **pkt_headeru_char **pkt_datapcap_pkthdrpcap_pkthdr::tspcap_pkthdr::caplenpcap_pkthdr::lenpcap_sendpacketu_char *bufint sizepcap_addr_tstruct pcap_addrpcap_dump_flushbpf_imagepcap_setmodeint modepcap_strerrorpcap_datalinkpcap_setbuffint dimpcap_geterrpcap_tstruct pcappcap_win32strerrordup_sockaddrsockaddr *sockaddr *sasize_t sa_lengthpcap_dump_closepcap_statspcap_stat *pcap_addrpcap_addr::nextpcap_addr *pcap_addr::addrpcap_addr::netmaskpcap_addr::broadaddrpcap_addr::dstaddrpcap_compilepcap_if_tstruct pcap_ifpcap_dumpconst pcap_pkthdr *const u_char *pcap_major_versionpcap_statpcap_stat::ps_recvpcap_stat::ps_droppcap_stat::ps_ifdroppcap_stat::ps_captpcap_stat::ps_sentpcap_stat::ps_netdroppcap_is_swappedadd_or_find_ifpcap_if_t **curdev_retpcap_if_t **alldevsconst char *nameu_int flagsconst char *descriptionchar 
*errbufpcap_getnonblockpcap_datalink_name_to_valpcap_minor_versionpcap_snapshotpcap_setmintocopypcap_dispatchbpf_insn *fint lenpcap_setnonblockpcap_findalldevspcap_if_t ** pcap_lookupdevpcap_datalink_val_to_namepcap_dumper_tstruct pcap_dumperpcap_lookupnetbpf_u_int32 *bpf_dumppcap_ifpcap_if::nextpcap_if *pcap_if::namepcap_if::descriptionpcap_if::addressespcap_if::flagspcap_nextpcap_pkthdr *pcap_dump_openpcap_fileFILE *pcap_file_headerpcap_file_header::magicpcap_file_header::version_majorpcap_file_header::version_minorpcap_file_headBI     #: :: ca-AHHR$P HH^?i$@J9w?#@%""zUUʤ9o9';9U0%0>9d$d@V@3 ViVh R*:kVR Me?r$<% <\wC%Y&RE&B  G?'Y&0@@ ­6'??'\'Vw0ho=B (?f''>- J,?' )&$ @@$B Ao?' G?'  ? (L(1G d '?_Ia((%H$)"$""B!"D`T?la~(  AG?ef($@Jv?#d(#@%""zUUʤ9o9';9U>TR(d$a@V@3 iVhR*:kVR > Dx ,"## V i5i"  ~1}#d D!T ;o9A"4|E f " ! _ e >% %$)2O  ~5$%$ <%$x*C$ bz @l$LUmU&Qm!Tnz+3e@zv-]%WF9&%IJ%-Kf=Yrd$%K<w 1Sk=b3&Esa&X3Q?%r !/+%2 ? ^SKW_BM [ t6o*%4B|W"}#"Z i Y\nEEM&  i- \ E r }^%Y&9~%YiX    } L p d X 5%Nzd9J=>"Aa_W|_KszOt g>8~Njiv-h=b5c<~  *#"  5% T % <%  b@ R n H  \ x'  ^% I Y > R @ g!  4&a 4 ", U z%3`   ! E % Eb  l %F !. EE  +; -B  +2SU S6 6< "  b^ ?*d#EC  "   (se % NMT& -  "@ % zN   S % )^5 % F  #? E %  j o>*% #= 9z2 0 :  J \ ' % ? HQ  ##< x Lr Z L - &  ;6#> СX ?Z A  _ +& = z d  SKp %p +& y Y }  m 9& { 3 fd g$ M&   r  O D}# Y&   4 #'] #/  B L & ^ T3q  ~ #3 <L [ ^o ' ! m i oI )w \ )Q  "#4 w  W@ 9 Z dPDt ! (n(  nBJx֤  #2 t: !_ z) Wg  Y~KA  6 ! cu դC I !] i /E $0 %   wv $  V } 6 <  $1 i  =G "3 uQ r $O05$. ? o1X r  ; O c %B$ %c G & P  V u "@# T GW 5 Gr ) $ P h  FH  &k #  + 1Q  | 3 &=[  ?(o/ 8KK  +* MD*  /0Xn 36   !. \A9Jaf @9 kX #~ #- $ wN Q(U $ 2  ']D 1 e7 l $ B  m , o Kr-$ v z: Y &W2 g  "_&$ i + i 7 M = % $O  % ,Yb ~ 8 i 5% [  % ,  ! 
C $% h # *% &   |              k&D:\passive\p0f\WIN32-Prj\p0f.NET.vcproj|Debug|Win32D:\passive\p0f\WIN32-Prj\p0f.NET.vcproj|Release|Win32d:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\vcpackages\prebuilt.ncbd:\passive\p0f\WIN32-Code\getopt.c"getopt.h"opterrintgetoptint argcchar *argv[]char *opstringoptargchar *optindd:\passive\p0f\p0f.c"config.h""types.h""tcp.h""mtu.h""tos.h""fpentry.h""p0f-query.h"MSG_NOSIGNAL0pfataldo { debug("[-] ERROR: "); perror(); exit(1); } while (0)xSIGHASH(( (_u8) ((() << 1) ^ (() << 1) ^ () ^ () )) & 0x0f)tsizeoptcntqdfMY_MAXDNS32GET16((_u16) *((_u8*)()+0) << 8 | (_u16) *((_u8*)()+1) )pput_datevoidmainchar **argvdebug_u8 *format...use_cache_u8 *query_cache_u32mode_oneline_u8use_logfilest_timeno_extrafind_masquse_ruledisplay_signature_u8 tter::thiszonepcap_file_header::sigfigspcap_file_header::snaplenpcap_file_header::linktypepcap_compile_nopcappcap_freecoded:\program files\microsoft visual studio .net 2003\vc7\include\sys\types.h_INC_TYPES_TIME_T_DEFINED_INO_T_DEFINED_DEV_T_DEFINED_OFF_T_DEFINEDino_t_dev_t_ino_t__time64_tdev_toff_tlongtime_t_off_td:\passive\p0f\p0f-query.cSAD_HASH(((() << 16) ^ (() << 8) ^ ()))aSUBMOD(() < 0 ? (() + ()) : ())valmaxcur_cflagscache_datacache_data::sadcache_data::dadcache_data::portscache_data::signocache_data::msscache_data::sccache_data (*%)[]QUERY_CACHEscoreDebug|Win32=N  E ? 6 yNi# d$"  %kg_ {;2%E  Ms ),"h@}#"  u &4c B^ _6 c!% ! !g%~  oW IM& &$[ TX Q ##%S/#!V "$5$d W~k %"  S/[4!tu&66$6#} S X  %Q5%W / h!%l#Q";&TD! EUv#%lw ]$YT %bGjeEl ] i 9C% AO#}^kOo?3* -   r +~!#&-*%5]#`K~ m9J  D*%% 1Zv 5 4A -}:   Y"*zsWu3%iBg S!" B dup Iaw /M )izMO j!+& irL!_& p"&= bp: d i=c  &vU} T"0%~!E  98`d ZUg ;IF0 Vi6 =X Y&'"%n9& M #%RcCa % Md8"z: r  r$ K m" =$6 @"=D$? + ;G  "<#^%iR+%G+H% t@uaJ#"g $%SQ>_ xY !}` "wE#<z ${$ K|Eb"0n EW4!! X 11 x )YtU"#%i&\ !zP$ ^ 3]<%^\rZ s!L C>2  #f8 %* kU8" 3 C% %$)2O  ~5$%$ <%$x*C$ bz @l$LUmU&Qm!Tnz+3e@zv-]%WF9&%IJ%-K0(f=YrE(7(d$%K<w 1Sk=b3&Esa&X3Q?%r !/+%2 ? 
^S'KW_BM [ t6o*%4B|W"}#"Z i Y\nEEM&  i- \ E r }^%Y&9~%YiX    } L p d X 5%Nz\'d9J=>"Aa_W|_KszOt g>8~Njiv/h=b5c<~ 0K\*DZHQ\K\5% hT\xQ\<% I\b(S\ HT\r[K\HDZ T\0(xQ\J\ 7(^% S\T\S\S @`I\E(gDZPJ\J\L(04&8U\hR\"K\UI\zDZ3(U\ J\!J\xS\ % EHU\J\lI\%S\!. EE 0NXEZ L\-HS\K\+2SxT\S6 6< DZ I\bU\?*d#EC @K\"PV\  (EZsxU\%NMTQ\-  "pL\%6XzN  `K\XT\%8EZ^5J\%t[F  #`L\E % PK\>\o>HEZ%#@L\9z2 5X(R\: pK\S\\ EZJ\%? HRx5Xu[##0L\p?\Lx\r T\L -8?N &;6#PL\aX ?Z L\ U\+&=5X?\ d I\TK(?N?\ %p +&?\Y5X}  >\ 9&?\3 f[hU\I[$I\M&    r5X\ T\D}#?XY&  ?\4X5X #'T\ #K\ pV\B5X LI\ &?\ L\U3?\h5X~N #L\ <S\ L\^EZ 'N[!s[ m@J\i?NI )`?\ L\)5XQP\ "#L\w  5XW@ 9 L\ 5XdQD0?\! (nQ\NnBJFZ  J\#K\t: ! M\zQ\W V Y~K8S\ 6 !8Xc@?\\#Q\ ?\+ 18T\ `J\|3\'PQ\ &=T\K\ ?\3R\?\ !R\\A9JaU\@R\kT\#W' #Q\$ wT\Q(UpJ\$ 2  ']hS\8R\eR\>\$ B  mP\Q\>\Kr-$ l[v(O\zR\Yt[&WHR\U\P\"_EZ$ iJ\Q\i 7pI\S\R\% DZO  % ,YM\~J\R\>\5% [  % hEZ(Q\I\8Q\C K\$% >\XQ\*%  #&" " T T% % @ @R R  #\ \' ' I IY Y> > !$  a a4 4, * %(` `  E Eb b  F F +.; 9B B U U"% ^ ^  (+e e& &@ > S S), ? = j j*-= ;0 0 J J'*    < :x x  Z Z> <A ?_ _  z z p py y  m m{ {d d|  |   O O   ] ]/ -   ^ \q q   3 1L L[ Y   w w\ Z 4 2Z Xt t( (   2 0_ ]) )  A A u uC C ] [0 .  v v$ $  < <1 / 3 3Q O!. ,? ?  r r; ;O Mc cG G P N V V " W W5 5  P PH Hk k  Q Q  [ [ / /K K* * n n6 6 . .f f9 9X X~ ~- -N N D D1 17 7l l , ,o o : : 2 2g g &) + + M M= =$'b ` 8 8i i,/  ! ! 
h h# #(D:\passive\p0f\WIN32-Prj\p0f.NET.vcproj|Debug|Win32D:\passive\p0f\WIN32-Prj\p0f.NET.vcproj|Release|Win32d:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\vcpackages\prebuilt.ncbd:\passive\p0f\WIN32-Code\getopt.c"getopt.h"opterrintgetoptint argcchar *argv[]char *opstringoptargchar *optindd:\passive\p0f\p0f.c"config.h""types.h""tcp.h""mtu.h""tos.h""fpentry.h""p0f-query.h"MSG_NOSIGNAL0pfataldo { debug("[-] ERROR: "); perror(); exit(1); } while (0)xSIGHASH(( (_u8) ((() << 1) ^ (() << 1) ^ () ^ () )) & 0x0f)tsizeoptcntqdfMY_MAXDNS32GET16((_u16) *((_u8*)()+0) << 8 | (_u16) *((_u8*)()+1) )pput_datevoidmainchar **argvdebug_u8 *format...use_cache_u8 *query_cache_u32mode_oneline_u8use_logfilest_timeno_extrafind_masquse_ruledisplay_signature_u8 tter::thiszonepcap_file_header::sigfigspcap_file_header::snaplenpcap_file_header::linktypepcap_compile_nopcappcap_freecoded:\program files\microsoft visual studio .net 2003\vc7\include\sys\types.h_INC_TYPES_TIME_T_DEFINED_INO_T_DEFINED_DEV_T_DEFINED_OFF_T_DEFINEDino_t_dev_t_ino_t__time64_tdev_toff_tlongtime_t_off_td:\passive\p0f\p0f-query.cSAD_HASH(((() << 16) ^ (() << 8) ^ ()))aSUBMOD(() < 0 ? (() + ()) : ())valmaxcur_cflagscache_datacache_data::sadcache_data::dadcache_data::portscache_data::signocache_data::msscache_data::sccache_data (*%)[]QUERY_CACHEscoreDebug|Win32D:\passive\p0f-new\p0f\WIN32-Prj\p0f.NET.vcproj|Debug|Win32D:\passive\p0f-new\p0f\WIN32-Prj\p0f.NET.vcproj|Release|Win32d:\passive\p0f-new\p0f\WIN32-Code\getopt.cd:\passive\p0f-new\p0f\p0f-query.c_s32 uptimed:\passive\p0f-new\p0f\p0f.cuse_fuzzyd:\passive\p0f-new\p0f\config.h"2.0.4-beta1"MAX_TIMEDIF600d:\passive\p0f-new\p0f\fpentry.hd:\passive\p0f-new\p0f\WIN32-Code\getopt.hd:\passive\p0f-new\p0f\mtu.hd:\passive\p0f-new\p0f\p0f-query.hD_FASTD_TNEG0x0800D_TIMEp0f_response::uptimed:\passive\p0f-new\p0f\tcp.hd:\passive\p0f-new\p0f\types.hd:\passive\p0f-new\p0f\tos.hd:\wpdpack\include\net\bpf.hd:\wpdpack\include\pcap.h=N  E ? 
6 yNi# d$"  %kg_ {;2%E  Ms ),"h@}#"  u &4c B^ _6 c!% ! !g%~  oW IM& &'$[ Tk&X Q (L( ##%S/#!V &"$5$d W&~k %"  S/[4'!tu&66$6#} S X  %Q5%W / h!%l#Q";&TD! EUv#%lw ]$YT %bGjeEl ] 7(i 9C% AO#}^kOo?3* - f'  r +~!#&-*%5]#`K~' m9J  D*%% 1Zv 5 4A -}:   Y"*z'>(~(sWu3%iBg S!" B dup Iaw /M )iz\'MO j!+& irL!_& p"&= bp: d i=c  &vU} T"0%~!E  98`d ZUg ;IF0 Vi6 =X Y&'"(%n9& M #%RcCa % Md8"z: r E( r$ K m" =$6 '@"=D$? + ;G  "0(<#^%iR+%G+H% t@uaJ#"g $%3'SQ>(_ xY !}` "wE#<z ${$ K|Eb"0n EW4!! ?'X 11 x ')YtU"#%i&\ !zP$ ^ 3]<%^\r(Z s!L C>'a(2  #f8 %* kU8" 39.1؂?K%LkOl/names/ncb/targetinfo/ncb/moduleinfo/ncb/storeinfo/ncb/iinstdefs/ncb/referenceInfo/ncb/module/d:\passive\p0f\WIN32-Code\getopt.c/ncb/module/d:\passive\p0f\p0f.c/ncb/module/d:\passive\p0f\config.h/ncb/module/d:\passive\p0f\fpentry.h/ncb/module/d:\passive\p0f\WIN32-Code\getopt.h/ncb/module/d:\passive\p0f\mtu.h/ncb/module/d:\passive\p0f\tcp.h/ncb/module/d:\passive\p0f\types.h/ncb/versioninfo/ncb/module/d:\passive\p0f\p0f-query.h/ncb/module/d:\passive\p0f\tos.h/ncb/module/d:\winpcap\wpcap\libpcap\bpf\net\bpf.h/ncb/module/d:\winpcap\wpcap\libpcap\pcap.h/ncb/module/d:\program files\microsoft visual studio .net 2003\vc7\include\sys\types.h/ncb/target/__NcbPseudoTarget__/ncb/module/d:\passive\p0f\p0f-query.c/ncb/module/d:\passive\p0f-new\p0f\WIN32-Code\getopt.c/ncb/module/d:\passive\p0f-new\p0f\p0f-query.c/ncb/module/d:\passive\p0f-new\p0f\p0f.c/ncb/module/d:\passive\p0f-new\p0f\config.h/ncb/module/d:\passive\p0f-new\p0f\fpentry.h/ncb/module/d:\passive\p0f-new\p0f\WIN32-Code\getopt.h/ncb/module/d:\passive\p0f-new\p0f\mtu.h/ncb/module/d:\passive\p0f-new\p0f\p0f-query.h/ncb/module/d:\passive\p0f-new\p0f\tcp.h/ncb/module/d:\passive\p0f-new\p0f\types.h/ncb/module/d:\passive\p0f-new\p0f\tos.h/ncb/module/d:\wpdpack\include\net\bpf.h/ncb/module/d:\wpdpack\include\pcap.h#FeDC<{# $A #!AbE R" ' &%X  6=j'PvA #|@L < 8@@L pqg@ABCDEhijklmno?FGHIJ=\]^_`abcde f%&'()*+,->  
!"#$./0123456789:;<rp0f/WIN32-Prj/p0f.NET.sln0100644000175100017500000000160307740355542014321 0ustar lcamtufusersMicrosoft Visual Studio Solution File, Format Version 8.00 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "p0f", "p0f.NET.vcproj", "{AF72F57C-D302-40E6-9859-1F98A123F6EE}" ProjectSection(ProjectDependencies) = postProject EndProjectSection EndProject Global GlobalSection(SolutionConfiguration) = preSolution Debug = Debug Release = Release EndGlobalSection GlobalSection(ProjectConfiguration) = postSolution {AF72F57C-D302-40E6-9859-1F98A123F6EE}.Debug.ActiveCfg = Debug|Win32 {AF72F57C-D302-40E6-9859-1F98A123F6EE}.Debug.Build.0 = Debug|Win32 {AF72F57C-D302-40E6-9859-1F98A123F6EE}.Release.ActiveCfg = Release|Win32 {AF72F57C-D302-40E6-9859-1F98A123F6EE}.Release.Build.0 = Release|Win32 EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution EndGlobalSection GlobalSection(ExtensibilityAddIns) = postSolution EndGlobalSection EndGlobal p0f/WIN32-Prj/p0f.NET.suo0100644000175100017500000002500007751125300014315 0ustar lcamtufusersࡱ>  Root Entry @YProjInfoExTaskListUserTasks$IVSMDPropertyBrowser*X Y1< "#>%&'()*+,-./23456789:;=?ZVrQ\K7=C Data XML Schema Dialog EditorMobile Web Forms Web Forms Components Windows FormsHTMLClipboard RingGeneralDD:\passive\p0f-new\p0f\WIN32IToolboxService DebuggerWatches DebuggerBreakpoints( PDebuggerExceptions&DebuggerFindSource& DebuggerFindSymbol&DebuggerMemoryWindows,TExternalFilesProjectContents: d:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\crt\src\d:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\atlmfc\src\mfc\d:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\atlmfc\src\atl\d:\Program Files\Microsoft Visuad% ';4<4 {AF7ͫ4ᆳͫ4ᆳMultiStartupProj=;4{AF72F57C-D302-40E6-9859-1F98A123F6EE}.dwStartupOpt=;StartupProjDocumentWindowPositions0 
DocumentWindowUserData.<SolutionConfiguration,ObjMgrContentsPect=&{AF72F57C-D302-40E6-9859-1F98A123F6EE};?{AF72F57C-D302-40E6-9859-1F98A123F6EE}.Release|Win32.fBatchBld=;={AF72F57C-D302-40E6-9859-1F98A123F6EE}.Debug|Win32.fBatchBld=;4{A2FE74E1-B743-11D0-AE1A-00A0C90FFFC3NSܾ M%;%ү##G}'bm4l #O¤Ep0fQ `D:\passive\p0f-new\p0f\WIN32-Prj\p0f.NET.vcproj`D:\passive\p0f-new\p0f\WIN32-Prj\p0f.NET.vDebug|Win32DebugSettings... ....... .,GeneralConfigSettingsVCBscMakeTClassViewContents$ProjExplorerState$!UnloadedProjects"p0f$ool (.\Debug/p0f.NET.bsc(EndConfigPropertiesRelease|Win32DebugSettings... ....... .,GeneralConfigSettingsVCBscMakeTool ,.\Release/p0f.NET.bsc(EndConfigPropertiesTaskListShortcuts$0X 2F57C-D302-40E6-9859-1F98A123F6EE}|p0f.NET.vcproj|d:\passive\p0f-new\p0f\p0f.c||{8B382828-6202-11D1-8870-0000F87579D2}% (;4<4 `{A2FE74E1-B743-11D0-AE1A-00A0C90FFFC3}|<MiscFiles>|d:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\WSPiApi.h||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}123456proj|d:\passive\p0f\p0f.c||{8B3}.dwStartupOpt=; ActiveCfg=Release;j"5|L{AF72FcprojSource FilesHeader Fileseader Files57C-D302-40E6-9859-1F98A123F6EE}|p0f.NET.vcproj|d:\passive\p0f\p0f-query.c||{8B382828-6202-11D1-8870-0000F87579D2}1234 %j"5|L{AF72F57C-D302-40E6-9859-1F98A123F6EE}|p0f.NET.vcproj|d:\passive\p0f\WIN32-Code\getopt.c||{8B382828-6202-11D1-8870-0000F87579D2}1234 &j"5|L{AF72F57C-D302-40E6-9859-1F98A123F6EE}|p0f.NET.vcproj|d:\passive\p0f\p0f-query.h||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}1234 'j"5|L{AF72F57C-D302-40E6-9859-1F98A123F6EE}|p0f.NET.vcproj|d:\passive\p0f\config.h||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}12 (j"5|L{AF72F57C-D302-40E6-9859-1F98A123F6EE}|p0f.NET.vcproj|d:\passive\p0f\types.h||{D0E1A5C6-B359-4E41-9B60-3365922C2A22}1234ͫ4ᆳHIͫ4ᆳ ͫ4ᆳ ͫ4ᆳ-Prj\l Studio .NET 2003\Vc7\PlatformSDK\Include\WSPiApi.h<open> p0f/WIN32-Prj/p0f.NET.vcproj0100644000175100017500000001300207751124662015023 0ustar lcamtufusers 
p0f/WIN32-Prj/p0f.opt0100644000175100017500000014300007740406256013677 0ustar lcamtufusersࡱ>   I"#$%&'()*,-./012346789:;<=>@ABCDEFGHKLMNOPQRSUVWXYZ[\]^_`aRoot Entry`*0Workspace State Browser Editorp0f D:\passive\p0f\WIN32-Prj\p0f.dsp---------------Configuration: p0f - Win32 Release--------------------

Command Lines

Creating temporary file "D:\DOCUME~1\kkuehl\LOCALS~1\Temp\RSP49.tmp" with contents [ /nologo /ML /W3 /GX /O2 /I "..\\" /I "..\WIN32-Code" /I "..\..\Wpdpack\include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Release/p0f.pch" /YX /Fo"Release/" /Fd"Release/" /FD /c "D:\passive\p0f\p0f-query.c" ] Creating command line "cl.exe @D:\DOCUME~1\kkuehl\LOCALS~1\Temp\RSP49.tmp" Creating command line "link.exe ws2_32.lib ..\..\WPdpack\Lib\wpcap.lib Advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"Release/p0f.pdb" /machine:I386 /out:"Release/p0f.exe" ".\Release\getopt.obj" ".\Release\p0f.obj" ".\Release\p0f-query.obj" "

Output Window

Compiling... p0f-query.c Linking...

Results

p0f.exe - 0 error(s), 0 warning(s) ; #define END_DUAL_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define END_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define EXTERN_PROCESS_LOCAL(class_name, ident_name) extern AFX_DATA PROCESS_LOCAL(class_name, ident_name) #define EXT_SNAPINMENUID(id) #define IMPLEMENT_DUAL_ERRORINFO(objectClass, riidSource) #define IMPLEMENT_DYNAMIC(class_name, base_class_name) #define IMPLEMENT_DYNCREATE(class_name, base_class_name) #define IMPLEMENT_OLECREATE(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECREATE_EX(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECTLTYPE(class_name, idsUserTypeName, dwOleMisc) #define IMPLEMENT_OLETYPELIB(class_name, tlid, wVerMajor, wVerMinor) #define IMPLEMENT_SERIAL(class_name, base_class_name, wSchema) #define INIT_INTERFACE_PART(theClass, localClass) #define PROCESS_LOCAL(class_name, ident_name) AFX_DATADEF CProcessLocal ident_name; #define PURE = 0 #define SNAPINMENUID(id) #define THIS void #define THIS_ #define TRLY try { #define CATCH(class_name, e) } catch (class_name * e) { #define AND_CATCH(class_name, e) } catch (class_name * e) { #define END_CATCH } #define CATCH_ALL(e) } catch (CException* e) { #define AND_CATCH_ALL(e) } catch (CException* e) { #define END_CATCH_ALL } #define BEGIN_COLUMN_MAP(x) class __NCB__COLUMN_##x : public COLUMN { #define END_COLUMN_MAP() }; #define BEGIN_CONTROL_MAP(x) class __NCB__CONTROL_##x : public CONTROL { #define END_CONTROL_MAP() }; #define BEGIN_COM_MAP(x) class __NCB__COM_##x : public COM { #define END_COM_MAP() }; #define BEGIN_CONNECTION_POINT_MAP(x) class __NCB__CONNECTIONPOINT_##x : public CONNECTION_POINT { #define END_CONNECTION_POINT_MAP() }; #define BEGIN_EXTENSION_SNAPIN_NODEINFO_MAP(x) class __NCB__EXTENSIONSNAPINNODEINFO_##x : public EXTENSION_SNAPIN_NODEINFO { #define END_EXTENSION_SNAPIN_NODEINFO_MAP() }; 
#define BEGIN_FILTER_MAP(x) class __NCB__FILTER_##x : public FILTER { #define END_FILTER_MAP() }; #define BEGIN_MSG_MAP(x) class __NCB__MSG_##x : public MSG { #define END_MSG_MAP() }; #define BEGIN_OBJECT_MAP(x) class __NCB__OBJECT_##x : public OBJECT { #define END_OBJECT_MAP() }; #define BEGIN_PARAM_MAP(x) class __NCB__PARAM_##x : public PARAM { #define END_PARAM_MAP() }; #define BEGIN_PROP_MAP(x) class __NCB__PROP_##x : public PROP { #define END_PROP_MAP() }; #define BEGIN_PROPERTY_MAP(x) class __NCB__PROPERTY_##x : public PROPERTY { #define END_PROPERTY_MAP() }; #define BEGIN_PROPPAGE_MAP(x) class __NCB___PROPPAGE_##x : public PROPPAGE { #define END_PROPPAGE_MAP() }; #define BEGIN_SERVICE_MAP(x) class __NCB__SERVICE_##x : public SERVICE { #define END_SERVICE_MAP() }; #define BEGIN_SINK_MAP(x) class __NCB__SINK_##x : public SINK { #define END_SINK_MAP() }; #define BEGIN_SNAPINTOOLBARID_MAP(x) class __NCB__SNAPINTOOLBARID_##x : public SNAPINTOOLBARID { #define END_SNAPINTOOLBARID_MAP() }; #define BEGIN_UPDATE_UI_MAP(x) class __NCB__UPDATEUI_##x : public UPDATE_UI { #define END_UPDATE_UI_MAP() }; #define BEGIN_ACCESSOR_MAP(x, num) class __NCB__ACCESSOR_##x : pux/5G.. 
CCESSOR { #define END_ACCESSOR_MAP() }; #define BEGIN_CATEGORY_MAP() class __NCB__CATEGORY_ { #define END_CATEGORY_MAP() }; #define BEGIN_PROPSET_MAP(x) class __NCB__PROPSET_##x : public PROPSET { #define END_PROPSET_MAP( ) }; #define BEGIN_PROVIDER_COLUMN_MAP(x) class __NCB__PROVIDERCOLUMN_##x : public PROVIDER_COLUMN { #define END_PROVIDER_COLUMN_MAP() }; #define BEGIN_SNAPINCOMMAND_MAP(x, bIsExtension) class __NCB__SNAPINCOMMAND_##x : public SNAPINCOMMAND { #define END_SNAPINCOMMAND_MAP() }; #define BEGIN_CONNECTION_MAP(x,y) class __NCB__CONNECTION_##x : public CONNECTION, public y { #define END_CONNECTION_MAP() }; #define BEGIN_DISPATCH_MAP(x,y) class __NCB__DISPATCH_##x : public DISPATCH, public y { #define END_DISPATCH_MAP() }; #define BEGIN_EVENT_MAP(x,y) class __NCB__EVENT_##x : public EVENT, public y { #define END_EVENT_MAP() }; #define BEGIN_EVENTSINK_MAP(x,y) class __NCB__EVENTSINK_##x : public EVENTSINK, public y { #define END_EVENTSINK_MAP() }; #define BEGIN_INTERFACE_MAP(x,\passive\p0f\WIN32-Prj\p0f.dsp---------------Configuration: p0f - Win32 Release--------------------

Command Lines

Creating temporary file "D:\DOCUME~1\kkuehl\LOCALS~1\Temp\RSP49.tmp" with contents [ /nologo /ML /W3 /GX /O2 /I "..\\" /I "..\WIN32-Code" /I "..\..\Wpdpack\include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Release/p0f.pch" /YX /Fo"Release/" /Fd"Release/" /FD /c "D:\passive\p0f\p0f-query.c" ] Creating command line "cl.exe @D:\DOCUME~1\kkuehl\LOCALS~1\Temp\RSP49.tmp" Creating command line "link.exe ws2_32.lib ..\..\WPdpack\Lib\wpcap.lib Advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"Release/p0f.pdb" /machine:I386 /out:"Release/p0f.exe" ".\Release\getopt.obj" ".\Release\p0f.obj" ".\Release\p0f-query.obj" "

Output Window

Compiling... p0f-query.c Linking...

Results

p0f.exe - 0 error(s), 0 warning(s) ; #define END_DUAL_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define END_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define EXTERN_PROCESS_LOCAL(class_name, ident_name) extern AFX_DATA PROCESS_LOCAL(class_name, ident_name) #define EXT_SNAPINMENUID(id) #define IMPLEMENT_DUAL_ERRORINFO(objectClass, riidSource) #define IMPLEMENT_DYNAMIC(class_name, base_class_name) #define IMPLEMENT_DYNCREATE(class_name, base_class_name) #define IMPLEMENT_OLECREATE(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECREATE_EX(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECTLTYPE(class_name, idsUserTypeName, dwOleMisc) #define IMPLEMENT_OLETYPELIB(class_name, tlid, wVerMajor, wVerMinor) #define IMPLEMENT_SERIAL(class_name, base_class_name, wSchema) #define INIT_INTERFACE_PART(theClass, localClass) #define PROCESS_LOCAL(class_name, ident_name) AFX_DATADEF CProcessLocal ident_name; #define PURE = 0 #define SNAPINMENUID(id) #define THIS void #define THIS_ #define TRLY try { #define CATCH(class_name, e) } catch (class_name * e) { #define AND_CATCH(class_name, e) } catch (class_name * e) { #define END_CATCH } #define CATCH_ALL(e) } catch (CException* e) { #define AND_CATCH_ALL(e) } catch (CException* e) { #define END_CATCH_ALL } #define BEGIN_COLUMN_MAP(x) class __NCB__COLUMN_##x : public COLUMN { #define END_COLUMN_MAP() }; #define BEGIN_CONTROL_MAP(x) class __NCB__CONTROL_##x : public CONTROL { #define END_CONTROL_MAP() }; #define BEGIN_COM_MAP(x) class __NCB__COM_##x : public COM { #define END_COM_MAP() }; #define BEGIN_CONNECTION_POINT_MAP(x) class __NCB__CONNECTIONPOINT_##x : public CONNECTION_POINT { #define END_CONNECTION_POINT_MAP() }; #define BEGIN_EXTENSION_SNAPIN_NODEINFO_MAP(x) class __NCB__EXTENSIONSNAPINNODEINFO_##x : public EXTENSION_SNAPIN_NODEINFO { #define END_EXTENSION_SNAPIN_NODEINFO_MAP() }; 
#define BEGIN_FILTER_MAP(x) class __NCB__FILTER_##x : public FILTER { #define END_FILTER_MAP() }; #define BEGIN_MSG_MAP(x) class __NCB__MSG_##x : public MSG { #define END_MSG_MAP() }; #define BEGIN_OBJECT_MAP(x) class __NCB__OBJECT_##x : public OBJECT { #define END_OBJECT_MAP() }; #define BEGIN_PARAM_MAP(x) class __NCB__PARAM_##x : public PARAM { #define END_PARAM_MAP() }; #define BEGIN_PROP_MAP(x) class __NCB__PROP_##x : public PROP { #define END_PROP_MAP() }; #define BEGIN_PROPERTY_MAP(x) class __NCB__PROPERTY_##x : public PROPERTY { #define END_PROPERTY_MAP() }; #define BEGIN_PROPPAGE_MAP(x) class __NCB___PROPPAGE_##x : public PROPPAGE { #define END_PROPPAGE_MAP() }; #define BEGIN_SERVICE_MAP(x) class __NCB__SERVICE_##x : public SERVICE { #define END_SERVICE_MAP() }; #define BEGIN_SINK_MAP(x) class __NCB__SINK_##x : public SINK { #define END_SINK_MAP() }; #define BEGIN_SNAPINTOOLBARID_MAP(x) class __NCB__SNAPINTOOLBARID_##x : public SNAPINTOOLBARID { #define END_SNAPINTOOLBARID_MAP() }; #define BEGIN_UPDATE_UI_MAP(x) class __NCB__UPDATEUI_##x : public UPDATE_UI { #define END_UPDATE_UI_MAP() }; #define BEGIN_ACCESSOR_MAP(x, num) class __NCB__ACCESSOR_##x : pux/5G.. 
CCESSOR { #define END_ACCESSOR_MAP() }; #define BEGIN_CATEGORY_MAP() class __NCB__CATEGORY_ { #define END_CATEGORY_MAP() }; #define BEGIN_PROPSET_MAP(x) class __NCB__PROPSET_##x : public PROPSET { #define END_PROPSET_MAP( ) }; #define BEGIN_PROVIDER_COLUMN_MAP(x) class __NCB__PROVIDERCOLUMN_##x : public PROVIDER_COLUMN { #define END_PROVIDER_COLUMN_MAP() }; #define BEGIN_SNAPINCOMMAND_MAP(x, bIsExtension) class __NCB__SNAPINCOMMAND_##x : public SNAPINCOMMAND { #define END_SNAPINCOMMAND_MAP() }; #define BEGIN_CONNECTION_MAP(x,y) class __NCB__CONNECTION_##x : public CONNECTION, public y { #define END_CONNECTION_MAP() }; #define BEGIN_DISPATCH_MAP(x,y) class __NCB__DISPATCH_##x : public DISPATCH, public y { #define END_DISPATCH_MAP() }; #define BEGIN_EVENT_MAP(x,y) class __NCB__EVENT_##x : public EVENT, public y { #define END_EVENT_MAP() }; #define BEGIN_EVENTSINK_MAP(x,y) class __NCB__EVENTSINK_##x : public EVENTSINK, public y { #define END_EVENTSINK_MAP() }; #define BEGIN_INTERFACE_MAP(x,MLJL\passive\p0f\WIN32-Prj\p0f.dsp---------------Configuration: p0f - Win32 Release--------------------

Command Lines

Creating temporary file "D:\DOCUME~1\kkuehl\LOCALS~1\Temp\RSP49.tmp" with contents [ /nologo /ML /W3 /GX /O2 /I "..\\" /I "..\WIN32-Code" /I "..\..\Wpdpack\include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Release/p0f.pch" /YX /Fo"Release/" /Fd"Release/" /FD /c "D:\passive\p0f\p0f-query.c" ] Creating command line "cl.exe @D:\DOCUME~1\kkuehl\LOCALS~1\Temp\RSP49.tmp" Creating command line "link.exe ws2_32.lib ..\..\WPdpack\Lib\wpcap.lib Advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"Release/p0f.pdb" /machine:I386 /out:"Release/p0f.exe" ".\Release\getopt.obj" ".\Release\p0f.obj" ".\Release\p0f-query.obj" "

Output Window

Compiling... p0f-query.c Linking...

Results

p0f.exe - 0 error(s), 0 warning(s) ; #define END_DUAL_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define END_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define EXTERN_PROCESS_LOCAL(class_name, ident_name) extern AFX_DATA PROCESS_LOCAL(class_name, ident_name) #define EXT_SNAPINMENUID(id) #define IMPLEMENT_DUAL_ERRORINFO(objectClass, riidSource) #define IMPLEMENT_DYNAMIC(class_name, base_class_name) #define IMPLEMENT_DYNCREATE(class_name, base_class_name) #define IMPLEMENT_OLECREATE(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECREATE_EX(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECTLTYPE(class_name, idsUserTypeName, dwOleMisc) #define IMPLEMENT_OLETYPELIB(class_name, tlid, wVerMajor, wVerMinor) #define IMPLEMENT_SERIAL(class_name, base_class_name, wSchema) #define INIT_INTERFACE_PART(theClass, localClass) #define PROCESS_LOCAL(class_name, ident_name) AFX_DATADEF CProcessLocal ident_name; #define PURE = 0 #define SNAPINMENUID(id) #define THIS void #define THIS_ #define TRLY try { #define CATCH(class_name, e) } catch (class_name * e) { #define AND_CATCH(class_name, e) } catch (class_name * e) { #define END_CATCH } #define CATCH_ALL(e) } catch (CException* e) { #define AND_CATCH_ALL(e) } catch (CException* e) { #define END_CATCH_ALL } #define BEGIN_COLUMN_MAP(x) class __NCB__COLUMN_##x : public COLUMN { #define END_COLUMN_MAP() }; #define BEGIN_CONTROL_MAP(x) class __NCB__CONTROL_##x : public CONTROL { #define END_CONTROL_MAP() }; #define BEGIN_COM_MAP(x) class __NCB__COM_##x : public COM { #define END_COM_MAP() }; #define BEGIN_CONNECTION_POINT_MAP(x) class __NCB__CONNECTIONPOINT_##x : public CONNECTION_POINT { #define END_CONNECTION_POINT_MAP() }; #define BEGIN_EXTENSION_SNAPIN_NODEINFO_MAP(x) class __NCB__EXTENSIONSNAPINNODEINFO_##x : public EXTENSION_SNAPIN_NODEINFO { #define END_EXTENSION_SNAPIN_NODEINFO_MAP() }; 
#define BEGIN_FILTER_MAP(x) class __NCB__FILTER_##x : public FILTER { #define END_FILTER_MAP() }; #define BEGIN_MSG_MAP(x) class __NCB__MSG_##x : public MSG { #define END_MSG_MAP() }; #define BEGIN_OBJECT_MAP(x) class __NCB__OBJECT_##x : public OBJECT { #define END_OBJECT_MAP() }; #define BEGIN_PARAM_MAP(x) class __NCB__PARAM_##x : public PARAM { #define END_PARAM_MAP() }; #define BEGIN_PROP_MAP(x) class __NCB__PROP_##x : public PROP { #define END_PROP_MAP() }; #define BEGIN_PROPERTY_MAP(x) class __NCB__PROPERTY_##x : public PROPERTY { #define END_PROPERTY_MAP() }; #define BEGIN_PROPPAGE_MAP(x) class __NCB___PROPPAGE_##x : public PROPPAGE { #define END_PROPPAGE_MAP() }; #define BEGIN_SERVICE_MAP(x) class __NCB__SERVICE_##x : public SERVICE { #define END_SERVICE_MAP() }; #define BEGIN_SINK_MAP(x) class __NCB__SINK_##x : public SINK { #define END_SINK_MAP() }; #define BEGIN_SNAPINTOOLBARID_MAP(x) class __NCB__SNAPINTOOLBARID_##x : public SNAPINTOOLBARID { #define END_SNAPINTOOLBARID_MAP() }; #define BEGIN_UPDATE_UI_MAP(x) class __NCB__UPDATEUI_##x : public UPDATE_UI { #define END_UPDATE_UI_MAP() }; #define BEGIN_ACCESSOR_MAP(x, num) class __NCB__ACCESSOR_##x : pux/5G.. 
CCESSOR { #define END_ACCESSOR_MAP() }; #define BEGIN_CATEGORY_MAP() class __NCB__CATEGORY_ { #define END_CATEGORY_MAP() }; #define BEGIN_PROPSET_MAP(x) class __NCB__PROPSET_##x : public PROPSET { #define END_PROPSET_MAP( ) }; #define BEGIN_PROVIDER_COLUMN_MAP(x) class __NCB__PROVIDERCOLUMN_##x : public PROVIDER_COLUMN { #define END_PROVIDER_COLUMN_MAP() }; #define BEGIN_SNAPINCOMMAND_MAP(x, bIsExtension) class __NCB__SNAPINCOMMAND_##x : public SNAPINCOMMAND { #define END_SNAPINCOMMAND_MAP() }; #define BEGIN_CONNECTION_MAP(x,y) class __NCB__CONNECTION_##x : public CONNECTION, public y { #define END_CONNECTION_MAP() }; #define BEGIN_DISPATCH_MAP(x,y) class __NCB__DISPATCH_##x : public DISPATCH, public y { #define END_DISPATCH_MAP() }; #define BEGIN_EVENT_MAP(x,y) class __NCB__EVENT_##x : public EVENT, public y { #define END_EVENT_MAP() }; #define BEGIN_EVENTSINK_MAP(x,y) class __NCB__EVENTSINK_##x : public EVENTSINK, public y { #define END_EVENTSINK_MAP() }; #define BEGIN_INTERFACE_MAP(x,Workspace Window"!IPI_p0f+IPI_ 5ClassView Window"?p0f ClassView p0f classesGlobalsGlobalsGlobals p0f classesFileViewWorkspace 'p0f': 1 project(s) p0f files Source Files Header Files p0f files p0f filesWorkspace 'p0f': 1 project(s)FileView.\WIN32-Code" /I "..\..\Wpdpack\include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Release/p0f.pch" /YX /Fo"Release/" /Fd"Release/" /FD /c "D:\passive\p0f\p0f-query.c" ] Creating command line "cl.exe @D:\DOCUME~1\kkuehl\LOCALS~1\Temp\RSP49.tmp" Creating command line "link.exe ws2_32.lib ..\..\WPdpack\Lib\wpcap.lib Advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"Release/p0f.pdb" /machine:I386 /out:"Release/p0f.exe" ".\Release\getopt.obj" ".\Release\p0f.obj" ".\Release\p0f-query.obj" "

Output Window

Compiling... p0f-query.c Linking...

Results

p0f.exe - 0 error(s), 0 warning(s) ; #define END_DUAL_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define END_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define EXTERN_PROCESS_LOCAL(class_name, ident_name) extern AFX_DATA PROCESS_LOCAL(class_name, ident_name) #define EXT_SNAPINMENUID(id) #define IMPLEMENT_DUAL_ERRORINFO(objectClass, riidSource) #define IMPLEMENT_DYNAMIC(class_name, base_class_name) #define IMPLEMENT_DYNCREATE(class_name, base_class_name) #define IMPLEMENT_OLECREATE(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECREATE_EX(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECTLTYPE(class_name, idsUserTypeName, dwOleMisc) #define IMPLEMENT_OLETYPELIB(class_name, tlid, wVerMajor, wVerMinor) #define IMPLEMENT_SERIAL(class_name, base_class_name, wSchema) #define INIT_INTERFACE_PART(theClass, localClass) #define PROCESS_LOCAL(class_name, ident_name) AFX_DATADEF CProcessLocal ident_name; #define PURE = 0 #define SNAPINMENUID(id) #define THIS void #define THIS_ #define TRLY try { #define CATCH(class_name, e) } catch (class_name * e) { #define AND_CATCH(class_name, e) } catch (class_name * e) { #define END_CATCH } #define CATCH_ALL(e) } catch (CException* e) { #define AND_CATCH_ALL(e) } catch (CException* e) { #define END_CATCH_ALL } #define BEGIN_COLUMN_MAP(x) class __NCB__COLUMN_##x : public COLUMN { #define END_COLUMN_MAP() }; #define BEGIN_CONTROL_MAP(x) class __NCB__CONTROL_##x : public CONTROL { #define END_CONTROL_MAP() }; #define BEGIN_COM_MAP(x) class __NCB__COM_##x : public COM { #define END_COM_MAP() }; #define BEGIN_CONNECTION_POINT_MAP(x) class __NCB__CONNECTIONPOINT_##x : public CONNECTION_POINT { #define END_CONNECTION_POINT_MAP() }; #define BEGIN_EXTENSION_SNAPIN_NODEINFO_MAP(x) class __NCB__EXTENSIONSNAPINNODEINFO_##x : public EXTENSION_SNAPIN_NODEINFO { #define END_EXTENSION_SNAPIN_NODEINFO_MAP() }; 
#define BEGIN_FILTER_MAP(x) class __NCB__FILTER_##x : public FILTER { #define END_FILTER_MAP() }; #define BEGIN_MSG_MAP(x) class __NCB__MSG_##x : public MSG { #define END_MSG_MAP() }; #define BEGIN_OBJECT_MAP(x) class __NCB__OBJECT_##x : public OBJECT { #define END_OBJECT_MAP() }; #define BEGIN_PARAM_MAP(x) class __NCB__PARAM_##x : public PARAM { #define END_PARAM_MAP() }; #define BEGIN_PROP_MAP(x) class __NCB__PROP_##x : public PROP { #define END_PROP_MAP() }; #define BEGIN_PROPERTY_MAP(x) class __NCB__PROPERTY_##x : public PROPERTY { #define END_PROPERTY_MAP() }; #define BEGIN_PROPPAGE_MAP(x) class __NCB___PROPPAGE_##x : public PROPPAGE { #define END_PROPPAGE_MAP() }; #define BEGIN_SERVICE_MAP(x) class __NCB__SERVICE_##x : public SERVICE { #define END_SERVICE_MAP() }; #define BEGIN_SINK_MAP(x) class __NCB__SINK_##x : public SINK { #define END_SINK_MAP() }; #define BEGIN_SNAPINTOOLBARID_MAP(x) class __NCB__SNAPINTOOLBARID_##x : public SNAPINTOOLBARID { #define END_SNAPINTOOLBARID_MAP() }; #define BEGIN_UPDATE_UI_MAP(x) class __NCB__UPDATEUI_##x : public UPDATE_UI { #define END_UPDATE_UI_MAP() }; #define BEGIN_ACCESSOR_MAP(x, num) class __NCB__ACCESSOR_##x : pux/5G.. 
CCESSOR { #define END_ACCESSOR_MAP() }; #define BEGIN_CATEGORY_MAP() class __NCB__CATEGORY_ { #define END_CATEGORY_MAP() }; #define BEGIN_PROPSET_MAP(x) class __NCB__PROPSET_##x : public PROPSET { #define END_PROPSET_MAP( ) }; #define BEGIN_PROVIDER_COLUMN_MAP(x) class __NCB__PROVIDERCOLUMN_##x : public PROVIDER_COLUMN { #define END_PROVIDER_COLUMN_MAP() }; #define BEGIN_SNAPINCOMMAND_MAP(x, bIsExtension) class __NCB__SNAPINCOMMAND_##x : public SNAPINCOMMAND { #define END_SNAPINCOMMAND_MAP() }; #define BEGIN_CONNECTION_MAP(x,y) class __NCB__CONNECTION_##x : public CONNECTION, public y { #define END_CONNECTION_MAP() }; #define BEGIN_DISPATCH_MAP(x,y) class __NCB__DISPATCH_##x : public DISPATCH, public y { #define END_DISPATCH_MAP() }; #define BEGIN_EVENT_MAP(x,y) class __NCB__EVENT_##x : public EVENT, public y { #define END_EVENT_MAP() }; #define BEGIN_EVENTSINK_MAP(x,y) class __NCB__EVENTSINK_##x : public EVENTSINK, public y { #define END_EVENTSINK_MAP() }; #define BEGIN_INTERFACE_MAP(x,`p0f - Win32 Releasep0f.dspCProjectp0f - Win32 Releasep0f - Win32 Releasep0f - Win32 DebugSSBR CTargetItemp0f - Win32 Releasep0f - Win32 DebugSSBR Source Files CProjGroupSSBRDJW Header Files CProjGroupSSBRDJWResource Files CProjGroupSSBRDJWdepCDependencyContainerSSBRDJWdepCDependencyContainerSSBR pcap-stdinc.hCDependencyFileSSBRtos.hCDependencyFileSSBR basetsd.hCDependencyFileSSBR bittypes.hCDependencyFileSSBRbpf.hCDependencyFileSSBR ip6_misc.hCDependencyFileSSBRpcap.hCDependencyFileSSBRDJWDJWDJW/out:"Release/p0f.exe" ".\Release\getopt.obj" ".\Release\p0f.obj" ".\Release\p0f-query.obj" "

Output Window

Compiling... p0f-query.c Linking...

Results

p0f.exe - 0 error(s), 0 warning(s) ; #define END_DUAL_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define END_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define EXTERN_PROCESS_LOCAL(class_name, ident_name) extern AFX_DATA PROCESS_LOCAL(class_name, ident_name) #define EXT_SNAPINMENUID(id) #define IMPLEMENT_DUAL_ERRORINFO(objectClass, riidSource) #define IMPLEMENT_DYNAMIC(class_name, base_class_name) #define IMPLEMENT_DYNCREATE(class_name, base_class_name) #define IMPLEMENT_OLECREATE(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECREATE_EX(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECTLTYPE(class_name, idsUserTypeName, dwOleMisc) #define IMPLEMENT_OLETYPELIB(class_name, tlid, wVerMajor, wVerMinor) #define IMPLEMENT_SERIAL(class_name, base_class_name, wSchema) #define INIT_INTERFACE_PART(theClass, localClass) #define PROCESS_LOCAL(class_name, ident_name) AFX_DATADEF CProcessLocal ident_name; #define PURE = 0 #define SNAPINMENUID(id) #define THIS void #define THIS_ #define TRLY try { #define CATCH(class_name, e) } catch (class_name * e) { #define AND_CATCH(class_name, e) } catch (class_name * e) { #define END_CATCH } #define CATCH_ALL(e) } catch (CException* e) { #define AND_CATCH_ALL(e) } catch (CException* e) { #define END_CATCH_ALL } #define BEGIN_COLUMN_MAP(x) class __NCB__COLUMN_##x : public COLUMN { #define END_COLUMN_MAP() }; #define BEGIN_CONTROL_MAP(x) class __NCB__CONTROL_##x : public CONTROL { #define END_CONTROL_MAP() }; #define BEGIN_COM_MAP(x) class __NCB__COM_##x : public COM { #define END_COM_MAP() }; #define BEGIN_CONNECTION_POINT_MAP(x) class __NCB__CONNECTIONPOINT_##x : public CONNECTION_POINT { #define END_CONNECTION_POINT_MAP() }; #define BEGIN_EXTENSION_SNAPIN_NODEINFO_MAP(x) class __NCB__EXTENSIONSNAPINNODEINFO_##x : public EXTENSION_SNAPIN_NODEINFO { #define END_EXTENSION_SNAPIN_NODEINFO_MAP() }; 
#define BEGIN_FILTER_MAP(x) class __NCB__FILTER_##x : public FILTER { #define END_FILTER_MAP() }; #define BEGIN_MSG_MAP(x) class __NCB__MSG_##x : public MSG { #define END_MSG_MAP() }; #define BEGIN_OBJECT_MAP(x) class __NCB__OBJECT_##x : public OBJECT { #define END_OBJECT_MAP() }; #define BEGIN_PARAM_MAP(x) class __NCB__PARAM_##x : public PARAM { #define END_PARAM_MAP() }; #define BEGIN_PROP_MAP(x) class __NCB__PROP_##x : public PROP { #define END_PROP_MAP() }; #define BEGIN_PROPERTY_MAP(x) class __NCB__PROPERTY_##x : public PROPERTY { #define END_PROPERTY_MAP() }; #define BEGIN_PROPPAGE_MAP(x) class __NCB___PROPPAGE_##x : public PROPPAGE { #define END_PROPPAGE_MAP() }; #define BEGIN_SERVICE_MAP(x) class __NCB__SERVICE_##x : public SERVICE { #define END_SERVICE_MAP() }; #define BEGIN_SINK_MAP(x) class __NCB__SINK_##x : public SINK { #define END_SINK_MAP() }; #define BEGIN_SNAPINTOOLBARID_MAP(x) class __NCB__SNAPINTOOLBARID_##x : public SNAPINTOOLBARID { #define END_SNAPINTOOLBARID_MAP() }; #define BEGIN_UPDATE_UI_MAP(x) class __NCB__UPDATEUI_##x : public UPDATE_UI { #define END_UPDATE_UI_MAP() }; #define BEGIN_ACCESSOR_MAP(x, num) class __NCB__ACCESSOR_##x : pux/5G.. 
CCESSOR { #define END_ACCESSOR_MAP() }; #define BEGIN_CATEGORY_MAP() class __NCB__CATEGORY_ { #define END_CATEGORY_MAP() }; #define BEGIN_PROPSET_MAP(x) class __NCB__PROPSET_##x : public PROPSET { #define END_PROPSET_MAP( ) }; #define BEGIN_PROVIDER_COLUMN_MAP(x) class __NCB__PROVIDERCOLUMN_##x : public PROVIDER_COLUMN { #define END_PROVIDER_COLUMN_MAP() }; #define BEGIN_SNAPINCOMMAND_MAP(x, bIsExtension) class __NCB__SNAPINCOMMAND_##x : public SNAPINCOMMAND { #define END_SNAPINCOMMAND_MAP() }; #define BEGIN_CONNECTION_MAP(x,y) class __NCB__CONNECTION_##x : public CONNECTION, public y { #define END_CONNECTION_MAP() }; #define BEGIN_DISPATCH_MAP(x,y) class __NCB__DISPATCH_##x : public DISPATCH, public y { #define END_DISPATCH_MAP() }; #define BEGIN_EVENT_MAP(x,y) class __NCB__EVENT_##x : public EVENT, public y { #define END_EVENT_MAP() }; #define BEGIN_EVENTSINK_MAP(x,y) class __NCB__EVENTSINK_##x : public EVENTSINK, public y { #define END_EVENTSINK_MAP() }; #define BEGIN_INTERFACE_MAP(x,`p0frojectp0f - Win32 Releasep0f - Win32 Releasep0f - Win32 DebugSSBR CTargetItemp0f - Win32 Releasep0f - Win32 DebugSSBR Source Files CProjGroupSSBRDJW Header Files CProjGroupSSBRDJWResource Files CProjGroupSSBRDJWdepCDependencyContainerSSBRDJWdepCDependencyContainerSSBR pcap-stdinc.hCDependencyFileSSBRtos.hCDependencyFileSSBR basetsd.hCDependencyFileSSBR bittypes.hCDependencyFileSSBRbpf.hCDependencyFileSSBR ip6_misc.hCDependencyFileSSBRpcap.hCDependencyFileSSBRDJWDJWDJW/out:"Release/p0f.exe" ".\Release\getopt.obj" ".\Release\p0f.obj" ".\Release\p0f-query.obj" "

Output Window

Compiling... p0f-query.c Linking...

Results

p0f.exe - 0 error(s), 0 warning(s) ; #define END_DUAL_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define END_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define EXTERN_PROCESS_LOCAL(class_name, ident_name) extern AFX_DATA PROCESS_LOCAL(class_name, ident_name) #define EXT_SNAPINMENUID(id) #define IMPLEMENT_DUAL_ERRORINFO(objectClass, riidSource) #define IMPLEMENT_DYNAMIC(class_name, base_class_name) #define IMPLEMENT_DYNCREATE(class_name, base_class_name) #define IMPLEMENT_OLECREATE(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECREATE_EX(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECTLTYPE(class_name, idsUserTypeName, dwOleMisc) #define IMPLEMENT_OLETYPELIB(class_name, tlid, wVerMajor, wVerMinor) #define IMPLEMENT_SERIAL(class_name, base_class_name, wSchema) #define INIT_INTERFACE_PART(theClass, localClass) #define PROCESS_LOCAL(class_name, ident_name) AFX_DATADEF CProcessLocal ident_name; #define PURE = 0 #define SNAPINMENUID(id) #define THIS void #define THIS_ #define TRLY try { #define CATCH(class_name, e) } catch (class_name * e) { #define AND_CATCH(class_name, e) } catch (class_name * e) { #define END_CATCH } #define CATCH_ALL(e) } catch (CException* e) { #define AND_CATCH_ALL(e) } catch (CException* e) { #define END_CATCH_ALL } #define BEGIN_COLUMN_MAP(x) class __NCB__COLUMN_##x : public COLUMN { #define END_COLUMN_MAP() }; #define BEGIN_CONTROL_MAP(x) class __NCB__CONTROL_##x : public CONTROL { #define END_CONTROL_MAP() }; #define BEGIN_COM_MAP(x) class __NCB__COM_##x : public COM { #define END_COM_MAP() }; #define BEGIN_CONNECTION_POINT_MAP(x) class __NCB__CONNECTIONPOINT_##x : public CONNECTION_POINT { #define END_CONNECTION_POINT_MAP() }; #define BEGIN_EXTENSION_SNAPIN_NODEINFO_MAP(x) class __NCB__EXTENSIONSNAPINNODEINFO_##x : public EXTENSION_SNAPIN_NODEINFO { #define END_EXTENSION_SNAPIN_NODEINFO_MAP() }; 
#define BEGIN_FILTER_MAP(x) class __NCB__FILTER_##x : public FILTER { #define END_FILTER_MAP() }; #define BEGIN_MSG_MAP(x) class __NCB__MSG_##x : public MSG { #define END_MSG_MAP() }; #define BEGIN_OBJECT_MAP(x) class __NCB__OBJECT_##x : public OBJECT { #define END_OBJECT_MAP() }; #define BEGIN_PARAM_MAP(x) class __NCB__PARAM_##x : public PARAM { #define END_PARAM_MAP() }; #define BEGIN_PROP_MAP(x) class __NCB__PROP_##x : public PROP { #define END_PROP_MAP() }; #define BEGIN_PROPERTY_MAP(x) class __NCB__PROPERTY_##x : public PROPERTY { #define END_PROPERTY_MAP() }; #define BEGIN_PROPPAGE_MAP(x) class __NCB___PROPPAGE_##x : public PROPPAGE { #define END_PROPPAGE_MAP() }; #define BEGIN_SERVICE_MAP(x) class __NCB__SERVICE_##x : public SERVICE { #define END_SERVICE_MAP() }; #define BEGIN_SINK_MAP(x) class __NCB__SINK_##x : public SINK { #define END_SINK_MAP() }; #define BEGIN_SNAPINTOOLBARID_MAP(x) class __NCB__SNAPINTOOLBARID_##x : public SNAPINTOOLBARID { #define END_SNAPINTOOLBARID_MAP() }; #define BEGIN_UPDATE_UI_MAP(x) class __NCB__UPDATEUI_##x : public UPDATE_UI { #define END_UPDATE_UI_MAP() }; #define BEGIN_ACCESSOR_MAP(x, num) class __NCB__ACCESSOR_##x : pux/5G.. 
CCESSOR { #define END_ACCESSOR_MAP() }; #define BEGIN_CATEGORY_MAP() class __NCB__CATEGORY_ { #define END_CATEGORY_MAP() }; #define BEGIN_PROPSET_MAP(x) class __NCB__PROPSET_##x : public PROPSET { #define END_PROPSET_MAP( ) }; #define BEGIN_PROVIDER_COLUMN_MAP(x) class __NCB__PROVIDERCOLUMN_##x : public PROVIDER_COLUMN { #define END_PROVIDER_COLUMN_MAP() }; #define BEGIN_SNAPINCOMMAND_MAP(x, bIsExtension) class __NCB__SNAPINCOMMAND_##x : public SNAPINCOMMAND { #define END_SNAPINCOMMAND_MAP() }; #define BEGIN_CONNECTION_MAP(x,y) class __NCB__CONNECTION_##x : public CONNECTION, public y { #define END_CONNECTION_MAP() }; #define BEGIN_DISPATCH_MAP(x,y) class __NCB__DISPATCH_##x : public DISPATCH, public y { #define END_DISPATCH_MAP() }; #define BEGIN_EVENT_MAP(x,y) class __NCB__EVENT_##x : public EVENT, public y { #define END_EVENT_MAP() }; #define BEGIN_EVENTSINK_MAP(x,y) class __NCB__EVENTSINK_##x : public EVENTSINK, public y { #define END_EVENTSINK_MAP() }; #define BEGIN_INTERFACE_MAP(x, CClsFldSlobp0frojectp0f - Win32 Releasep0f - Win32 Releasep0f - Win32 DebugSSBR CTargetItemp0f - Win32 Releasep0f - Win32 DebugSSBR Source Files CProjGroupSSBRDJW Header Files CProjGroupSSBRDJWResource Files CProjGroupSSBRDJWdepCDependencyContainerSSBRDJWdepCDependencyContainerSSBR pcap-stdinc.hCDependencyFileSSBRtos.hCDependencyFileSSBR basetsd.hCDependencyFileSSBR bittypes.hCDependencyFileSSBRbpf.hCDependencyFileSSBR ip6_misc.hCDependencyFileSSBRpcap.hCDependencyFileSSBRDJWDJWDJW/out:"Release/p0f.exe" ".\Release\getopt.obj" ".\Release\p0f.obj" ".\Release\p0f-query.obj" "

Output Window

Compiling... p0f-query.c Linking...

Results

p0f.exe - 0 error(s), 0 warning(s) ; #define END_DUAL_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define END_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define EXTERN_PROCESS_LOCAL(class_name, ident_name) extern AFX_DATA PROCESS_LOCAL(class_name, ident_name) #define EXT_SNAPINMENUID(id) #define IMPLEMENT_DUAL_ERRORINFO(objectClass, riidSource) #define IMPLEMENT_DYNAMIC(class_name, base_class_name) #define IMPLEMENT_DYNCREATE(class_name, base_class_name) #define IMPLEMENT_OLECREATE(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECREATE_EX(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECTLTYPE(class_name, idsUserTypeName, dwOleMisc) #define IMPLEMENT_OLETYPELIB(class_name, tlid, wVerMajor, wVerMinor) #define IMPLEMENT_SERIAL(class_name, base_class_name, wSchema) #define INIT_INTERFACE_PART(theClass, localClass) #define PROCESS_LOCAL(class_name, ident_name) AFX_DATADEF CProcessLocal ident_name; #define PURE = 0 #define SNAPINMENUID(id) #define THIS void #define THIS_ #define TRLY try { #define CATCH(class_name, e) } catch (class_name * e) { #define AND_CATCH(class_name, e) } catch (class_name * e) { #define END_CATCH } #define CATCH_ALL(e) } catch (CException* e) { #define AND_CATCH_ALL(e) } catch (CException* e) { #define END_CATCH_ALL } #define BEGIN_COLUMN_MAP(x) class __NCB__COLUMN_##x : public COLUMN { #define END_COLUMN_MAP() }; #define BEGIN_CONTROL_MAP(x) class __NCB__CONTROL_##x : public CONTROL { #define END_CONTROL_MAP() }; #define BEGIN_COM_MAP(x) class __NCB__COM_##x : public COM { #define END_COM_MAP() }; #define BEGIN_CONNECTION_POINT_MAP(x) class __NCB__CONNECTIONPOINT_##x : public CONNECTION_POINT { #define END_CONNECTION_POINT_MAP() }; #define BEGIN_EXTENSION_SNAPIN_NODEINFO_MAP(x) class __NCB__EXTENSIONSNAPINNODEINFO_##x : public EXTENSION_SNAPIN_NODEINFO { #define END_EXTENSION_SNAPIN_NODEINFO_MAP() }; 
#define BEGIN_FILTER_MAP(x) class __NCB__FILTER_##x : public FILTER { #define END_FILTER_MAP() }; #define BEGIN_MSG_MAP(x) class __NCB__MSG_##x : public MSG { #define END_MSG_MAP() }; #define BEGIN_OBJECT_MAP(x) class __NCB__OBJECT_##x : public OBJECT { #define END_OBJECT_MAP() }; #define BEGIN_PARAM_MAP(x) class __NCB__PARAM_##x : public PARAM { #define END_PARAM_MAP() }; #define BEGIN_PROP_MAP(x) class __NCB__PROP_##x : public PROP { #define END_PROP_MAP() }; #define BEGIN_PROPERTY_MAP(x) class __NCB__PROPERTY_##x : public PROPERTY { #define END_PROPERTY_MAP() }; #define BEGIN_PROPPAGE_MAP(x) class __NCB___PROPPAGE_##x : public PROPPAGE { #define END_PROPPAGE_MAP() }; #define BEGIN_SERVICE_MAP(x) class __NCB__SERVICE_##x : public SERVICE { #define END_SERVICE_MAP() }; #define BEGIN_SINK_MAP(x) class __NCB__SINK_##x : public SINK { #define END_SINK_MAP() }; #define BEGIN_SNAPINTOOLBARID_MAP(x) class __NCB__SNAPINTOOLBARID_##x : public SNAPINTOOLBARID { #define END_SNAPINTOOLBARID_MAP() }; #define BEGIN_UPDATE_UI_MAP(x) class __NCB__UPDATEUI_##x : public UPDATE_UI { #define END_UPDATE_UI_MAP() }; #define BEGIN_ACCESSOR_MAP(x, num) class __NCB__ACCESSOR_##x : pux/5G.. 
CCESSOR { #define END_ACCESSOR_MAP() }; #define BEGIN_CATEGORY_MAP() class __NCB__CATEGORY_ { #define END_CATEGORY_MAP() }; #define BEGIN_PROPSET_MAP(x) class __NCB__PROPSET_##x : public PROPSET { #define END_PROPSET_MAP( ) }; #define BEGIN_PROVIDER_COLUMN_MAP(x) class __NCB__PROVIDERCOLUMN_##x : public PROVIDER_COLUMN { #define END_PROVIDER_COLUMN_MAP() }; #define BEGIN_SNAPINCOMMAND_MAP(x, bIsExtension) class __NCB__SNAPINCOMMAND_##x : public SNAPINCOMMAND { #define END_SNAPINCOMMAND_MAP() }; #define BEGIN_CONNECTION_MAP(x,y) class __NCB__CONNECTION_##x : public CONNECTION, public y { #define END_CONNECTION_MAP() }; #define BEGIN_DISPATCH_MAP(x,y) class __NCB__DISPATCH_##x : public DISPATCH, public y { #define END_DISPATCH_MAP() }; #define BEGIN_EVENT_MAP(x,y) class __NCB__EVENT_##x : public EVENT, public y { #define END_EVENT_MAP() }; #define BEGIN_EVENTSINK_MAP(x,y) class __NCB__EVENTSINK_##x : public EVENTSINK, public y { #define END_EVENTSINK_MAP() }; #define BEGIN_INTERFACE_MAP(x,Debugger JDocumentsT Watch1Watch2Watch3Watch4p0f - Win32 Releasep0f - Win32 DebugSSBR CTargetItemp0f - Win32 Releasep0f - Win32 DebugSSBR Source Files CProjGroupSSBRDJW Header Files CProjGroupSSBRDJWResource Files CProjGroupSSBRDJWdepCDependencyContainerSSBRDJWdepCDependencyContainerSSBR pcap-stdinc.hCDependencyFileSSBRtos.hCDependencyFileSSBR basetsd.hCDependencyFileSSBR bittypes.hCDependencyFileSSBRbpf.hCDependencyFileSSBR ip6_misc.hCDependencyFileSSBRpcap.hCDependencyFileSSBRDJWDJWDJW/out:"Release/p0f.exe" ".\Release\getopt.obj" ".\Release\p0f.obj" ".\Release\p0f-query.obj" "

Output Window

Compiling... p0f-query.c Linking...

Results

p0f.exe - 0 error(s), 0 warning(s) ; #define END_DUAL_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define END_INTERFACE_PART(localClass) } m_x##localClass; friend class X##localClass; #define EXTERN_PROCESS_LOCAL(class_name, ident_name) extern AFX_DATA PROCESS_LOCAL(class_name, ident_name) #define EXT_SNAPINMENUID(id) #define IMPLEMENT_DUAL_ERRORINFO(objectClass, riidSource) #define IMPLEMENT_DYNAMIC(class_name, base_class_name) #define IMPLEMENT_DYNCREATE(class_name, base_class_name) #define IMPLEMENT_OLECREATE(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECREATE_EX(class_name, external_name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) #define IMPLEMENT_OLECTLTYPE(class_name, idsUserTypeName, dwOleMisc) #define IMPLEMENT_OLETYPELIB(class_name, tlid, wVerMajor, wVerMinor) #define IMPLEMENT_SERIAL(class_name, base_class_name, wSchema) #define INIT_INTERFACE_PART(theClass, localClass) #define PROCESS_LOCAL(class_name, ident_name) AFX_DATADEF CProcessLocal ident_name; #define PURE = 0 #define SNAPINMENUID(id) #define THIS void #define THIS_ #define TRLY try { #define CATCH(class_name, e) } catch (class_name * e) { #define AND_CATCH(class_name, e) } catch (class_name * e) { #define END_CATCH } #define CATCH_ALL(e) } catch (CException* e) { #define AND_CATCH_ALL(e) } catch (CException* e) { #define END_CATCH_ALL } #define BEGIN_COLUMN_MAP(x) class __NCB__COLUMN_##x : public COLUMN { #define END_COLUMN_MAP() }; #define BEGIN_CONTROL_MAP(x) class __NCB__CONTROL_##x : public CONTROL { #define END_CONTROL_MAP() }; #define BEGIN_COM_MAP(x) class __NCB__COM_##x : public COM { #define END_COM_MAP() }; #define BEGIN_CONNECTION_POINT_MAP(x) class __NCB__CONNECTIONPOINT_##x : public CONNECTION_POINT { #define END_CONNECTION_POINT_MAP() }; #define BEGIN_EXTENSION_SNAPIN_NODEINFO_MAP(x) class __NCB__EXTENSIONSNAPINNODEINFO_##x : public EXTENSION_SNAPIN_NODEINFO { #define END_EXTENSION_SNAPIN_NODEINFO_MAP() }; 
#define BEGIN_FILTER_MAP(x) class __NCB__FILTER_##x : public FILTER { #define END_FILTER_MAP() }; #define BEGIN_MSG_MAP(x) class __NCB__MSG_##x : public MSG { #define END_MSG_MAP() }; #define BEGIN_OBJECT_MAP(x) class __NCB__OBJECT_##x : public OBJECT { #define END_OBJECT_MAP() }; #define BEGIN_PARAM_MAP(x) class __NCB__PARAM_##x : public PARAM { #define END_PARAM_MAP() }; #define BEGIN_PROP_MAP(x) class __NCB__PROP_##x : public PROP { #define END_PROP_MAP() }; #define BEGIN_PROPERTY_MAP(x) class __NCB__PROPERTY_##x : public PROPERTY { #define END_PROPERTY_MAP() }; #define BEGIN_PROPPAGE_MAP(x) class __NCB___PROPPAGE_##x : public PROPPAGE { #define END_PROPPAGE_MAP() }; #define BEGIN_SERVICE_MAP(x) class __NCB__SERVICE_##x : public SERVICE { #define END_SERVICE_MAP() }; #define BEGIN_SINK_MAP(x) class __NCB__SINK_##x : public SINK { #define END_SINK_MAP() }; #define BEGIN_SNAPINTOOLBARID_MAP(x) class __NCB__SNAPINTOOLBARID_##x : public SNAPINTOOLBARID { #define END_SNAPINTOOLBARID_MAP() }; #define BEGIN_UPDATE_UI_MAP(x) class __NCB__UPDATEUI_##x : public UPDATE_UI { #define END_UPDATE_UI_MAP() }; #define BEGIN_ACCESSOR_MAP(x, num) class __NCB__ACCESSOR_##x : pux/5G.. 
CCESSOR { #define END_ACCESSOR_MAP() }; #define BEGIN_CATEGORY_MAP() class __NCB__CATEGORY_ { #define END_CATEGORY_MAP() }; #define BEGIN_PROPSET_MAP(x) class __NCB__PROPSET_##x : public PROPSET { #define END_PROPSET_MAP( ) }; #define BEGIN_PROVIDER_COLUMN_MAP(x) class __NCB__PROVIDERCOLUMN_##x : public PROVIDER_COLUMN { #define END_PROVIDER_COLUMN_MAP() }; #define BEGIN_SNAPINCOMMAND_MAP(x, bIsExtension) class __NCB__SNAPINCOMMAND_##x : public SNAPINCOMMAND { #define END_SNAPINCOMMAND_MAP() }; #define BEGIN_CONNECTION_MAP(x,y) class __NCB__CONNECTION_##x : public CONNECTION, public y { #define END_CONNECTION_MAP() }; #define BEGIN_DISPATCH_MAP(x,y) class __NCB__DISPATCH_##x : public DISPATCH, public y { #define END_DISPATCH_MAP() }; #define BEGIN_EVENT_MAP(x,y) class __NCB__EVENT_##x : public EVENT, public y { #define END_EVENT_MAP() }; #define BEGIN_EVENTSINK_MAP(x,y) class __NCB__EVENTSINK_##x : public EVENTSINK, public y { #define END_EVENTSINK_MAP() }; #define BEGIN_INTERFACE_MAP(x, C/C++hAAPAbbD:\passive\p0f\p0f.c(1122) : warning C4761: integral size mismatch in argument; co/mmD:\passive\p0f\p0f-query.c&{3486698D-49EB-11CF-BF46-00AA004C12E2},..C/C++hAAPAbbD:\passive\p0f\p0f.c(1122) : warning C4761: integral size mismatch in argument; co$$D:\passive\p0f\test\p0fq.c&{3486698D-49EB-11CF-BF46-00AA004C12E2},EEC/C++hAAPAbbD:\passive\p0f\p0f.c(1122) : warning C4761: integral size mismatch in argument; coD:\passive\p0f\types.h&{2AE27A3D-17F5-11D0-AF1B-00A0C90F9DE6},\\C/C++hAAPAbbD:\passive\p0f\p0f.c(1122) : warning C4761: integral size mismatch in argument; co)D:\passive\p0f\tcp.h&{2AE27A3D-17F5-11D0-AF1B-00A0C90F9DE6},ssC/C++hAAPAbbD:\passive\p0f\p0f.c(1122) : warning C4761: integral size mismatch in argument; co&D:\passive\p0f\mtu.h&{2AE27A3D-17F5-11D0-AF1B-00A0C90F9DE6},C/C++hAAPAbbD:\passive\p0f\p0f.c(1122) : warning C4761: integral size mismatch in argument; 
co"D:\passive\p0f\WIN32-Code\getopt.h&{2AE27A3D-17F5-11D0-AF1B-00A0C90F9DE6},C/C++hAAPAbbD:\passive\p0f\p0f.c(1122) : warning C4761: integral size mismatch in argument; co"D:\passive\p0f\fpentry.h&{2AE27A3D-17F5-11D0-AF1B-00A0C90F9DE6},..C/C++hAAPAbbD:\passive\p0f\p0f.c(1122) : warning C4761: integral size mismatch in argument; co77D:\passive\p0f\config.h&{2AE27A3D-17F5-11D0-AF1B-00A0C90F9DE6},C/C++hAAPAbbD:\passive\p0f\p0f.c(1122) : warning C4761: integral size mismatch in argument; coU[[d:\passive\p0f\p0f.c&{3486698D-49EB-11CF-BF46-00AA004C12E2},_COLUMN_MAP() }; #define BEGIN_CONTROL_MAP(x) class __NCB__CONTROL_##x : public CONTROL { #define END_CONTROL_MAP() }; #define BEGIN_COM_MAP(x) class __NCB__COM_##x : public COM { #define END_COM_MAP() }; #define BEGIN_CONNECTION_POINT_MAP(x) class __NCB__CONNECTIONPOINT_##x : public CONNECTION_POINT { #define END_CONNECTION_POINT_MAP() }; #define BEGIN_EXTENSION_SNAPIN_NODEINFO_MAP(x) class __NCB__EXTENSIONSNAPINNODEINFO_##x : public EXTENSION_SNAPIN_NODEINFO { #define END_EXTENSION_SNAPIN_NODEINFO_MAP() }; #define BEGIN_FILTER_MAP(x) class __NCB__FILTER_##x : public FILTER { #define END_FILTER_MAP() }; #define BEGIN_MSG_MAP(x) class __NCB__MSG_##x : public MSG { #define END_MSG_MAP() }; #define BEGIN_OBJECT_MAP(x) class __NCB__OBJECT_##x : public OBJECT { #define END_OBJECT_MAP() }; #define BEGIN_PARAM_MAP(x) class __NCB__PARAM_##x : public PARAM { #define END_PARAM_MAP() }; #define BEGIN_PROP_MAP(x) class __NCB__PROP_##x : public PROP { #define END_PROP_MAP() }; #define BEGIN_PROPERTY_MAP(x) class __NCB__PROPERTY_##x : public PROPERTY { #define END_PROPERTY_MAP() }; #define BEGIN_PROPPAGE_MAP(x) class __NCB___PROPPAGE_##x : public PROPPAGE { #define END_PROPPAGE_MAP() }; #define BEGIN_SERVICE_MAP(x) class __NCB__SERVICE_##x : public SERVICE { #define END_SERVICE_MAP() }; #define BEGIN_SINK_MAP(x) class __NCB__SINK_##x : public SINK { #define END_SINK_MAP() }; #define BEGIN_SNAPINTOOLBARID_MAP(x) class 
__NCB__SNAPINTOOLBARID_##x : public SNAPINTOOLBARID { #define END_SNAPINTOOLBARID_MAP() }; #define BEGIN_UPDATE_UI_MAP(x) class __NCB__UPDATEUI_##x : public UPDATE_UI { #define END_UPDATE_UI_MAP() }; #define BEGIN_ACCESSOR_MAP(x, num) class __NCB__ACCESSOR_##x : pux/5G.. CCESSOR { #define END_ACCESSOR_MAP() }; #define BEGIN_CATEGORY_MAP() class __NCB__CATEGORY_ { #define END_CATEGORY_MAP() }; #define BEGIN_PROPSET_MAP(x) class __NCB__PROPSET_##x : public PROPSET { #define END_PROPSET_MAP( ) }; #define BEGIN_PROVIDER_COLUMN_MAP(x) class __NCB__PROVIDERCOLUMN_##x : public PROVIDER_COLUMN { #define END_PROVIDER_COLUMN_MAP() }; #define BEGIN_SNAPINCOMMAND_MAP(x, bIsExtension) class __NCB__SNAPINCOMMAND_##x : public SNAPINCOMMAND { #define END_SNAPINCOMMAND_MAP() }; #define BEGIN_CONNECTION_MAP(x,y) class __NCB__CONNECTION_##x : public CONNECTION, public y { #define END_CONNECTION_MAP() }; #define BEGIN_DISPATCH_MAP(x,y) class __NCB__DISPATCH_##x : public DISPATCH, public y { #define END_DISPATCH_MAP() }; #define BEGIN_EVENT_MAP(x,y) class __NCB__EVENT_##x : public EVENT, public y { #define END_EVENT_MAP() }; #define BEGIN_EVENTSINK_MAP(x,y) class __NCB__EVENTSINK_##x : public EVENTSINK, public y { #define END_EVENTSINK_MAP() }; #define BEGIN_INTERFACE_MAP(x,ssx/5GINTERFACE_##x : public INTERFACE, public y { #define END_INTERFACE_MAP() }; #define BEGIN_MESSAGE_MAP(x,y) class __NCB__MESSAGE_##x : public MESSAGE, public y { #define END_MESSAGE_MAP() }; #define BEGIN_OLECMD_MAP(x,y) class __NCB__OLECMD_##x : public OLECMD, public y { #define END_OLECMD_MAP() }; #define BEGIN_PARSE_MAP(x,y) class __NCB__PARSE_##x : public PARSE, public y { #define END_PARSE_MAP() }; #pragma acp_assume_type (BOOL) #pragma acp_assume_type (DWORD) #pragma acp_assume_type (UINT) #pragma acp_assume_not_type (TRUE) #pragma acp_assume_not_type (FALSE) #pragma acp_assume_not_type (NULL) #pragma acp_assume_not_defined (DOS) #pragma acp_assume_not_defined (_DOS) #pragma acp_assume_not_defined (WIN16) 
#pragma acp_assume_not_defined (_WIN16) #pragma acp_assume_not_defined (MAC) #pragma acp_assume_not_defined (_MAC) #pragma acp_assume_not_defined (RC_INVOKED) #pragma acp_assume_not_defined (_POSIX_) #pragma acp_assume_not_defined (__STDC__) #pragma acp_assume_not_defined (NONAMELESSUNION) #prax/DGma acp_assume_not_defined (_M_X86) #pragma acp_assume_not_defined (_M_ALPHA) #pragma acp_assume_not_defined (_M_MRX000) #pragma acp_assume_not_defined (_M_PPC) p0f/WIN32-Prj/p0f.plg0100644000175100017500000000167007740406250013657 0ustar lcamtufusers

Build Log

--------------------Configuration: p0f - Win32 Release--------------------

Command Lines

Creating temporary file "D:\DOCUME~1\kkuehl\LOCALS~1\Temp\RSP49.tmp" with contents [ /nologo /ML /W3 /GX /O2 /I "..\\" /I "..\WIN32-Code" /I "..\..\Wpdpack\include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Release/p0f.pch" /YX /Fo"Release/" /Fd"Release/" /FD /c "D:\passive\p0f\p0f-query.c" ] Creating command line "cl.exe @D:\DOCUME~1\kkuehl\LOCALS~1\Temp\RSP49.tmp" Creating command line "link.exe ws2_32.lib ..\..\WPdpack\Lib\wpcap.lib Advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"Release/p0f.pdb" /machine:I386 /out:"Release/p0f.exe" ".\Release\getopt.obj" ".\Release\p0f.obj" ".\Release\p0f-query.obj" "

Output Window

Compiling... p0f-query.c Linking...

Results

p0f.exe - 0 error(s), 0 warning(s)
p0f/WIN32-Prj/Release/0040755000175100017500000000000007751533172014053 5ustar lcamtufusersp0f/README0120755000175100017500000000000010466611071013425 2doc/READMEustar lcamtufusersp0f/p0fo.fp0100644000175100017500000000417610471204121012316 0ustar lcamtufusers# # p0f - stray ACK signatures # -------------------------- # # .-------------------------------------------------------------------------. # | The purpose of this file is to cover signatures for stray ACK packets | # | (established session data). This mode of operation is enabled with -O | # | option and is HIGHLY EXPERIMENTAL. Please refer to p0f.fp for more | # | information on the metrics used and for a guide on adding new entries | # | to this file. This database is looking for a caring maintainer. | # `-------------------------------------------------------------------------' # # (C) Copyright 2000-2006 by Michal Zalewski # # Submit all additions to the authors. Read p0f.fp before adding any # signatures. Run p0f -O -C after making any modifications. This file is # NOT compatible with SYN, SYN+ACK or RST+ modes. Use only with -O option. # # IMPORTANT INFORMATION ABOUT THE INTERDEPENDENCY OF SYNs AND ACKs # ---------------------------------------------------------------- # # Some systems would have different ACK fingerprints depending on the initial # SYN or SYN+ACK received from the other party. More specifically, RFC1323, # RFC2018 and RFC1644 extensions sometimes show up only if the other party had # them enabled. Hence, the reliability of ACK fingerprints may be affected. # # IMPORTANT INFORMATION ABOUT DIFFERENCES IN COMPARISON TO p0f.fp: # ---------------------------------------------------------------- # # - Packet size MUST be wildcarded. ACK packets, by their nature, have # variable sizes, depending on the amount of data carried as a payload. # # - Similarly, 'D' quirk is not checked for, and is not allowed in signatures # in this file. A good number of ACK packets have payloads. 
# # - PUSH flag is excluded from 'F' quirk checks in this mode. # # - 'A' quirk is not a bug; all AC packets should have it set; also, # 'T' quirk is not an anomaly; its absence on systems with T option is. # 32767:64:1:*:N,N,T:AT:Linux:2.4.2x (local?) *:64:1:*:.:A:Linux:2.4.2x 32736:64:0:*:.:A:Linux:2.0.3x 57600:64:1:*:N,N,T:AT:FreeBSD:4.8 %12:128:1:*:.:A:Windows:XP S44:128:1:*:.:A:Windows:XP p0f/crc32.c0100600000175100017500000001011110472316372012172 0ustar lcamtufusers/* p0f - cyclic redundancy check ----------------------------- CRC32 code. Polynomial 0x04c11db7LU. Copyright (C) 2006 by Mariusz Kozlowski */ #include "types.h" static const _u32 crc32table[] = { 0x00000000LU, 0x77073096LU, 0xee0e612cLU, 0x990951baLU, 0x076dc419LU, 0x706af48fLU, 0xe963a535LU, 0x9e6495a3LU, 0x0edb8832LU, 0x79dcb8a4LU, 0xe0d5e91eLU, 0x97d2d988LU, 0x09b64c2bLU, 0x7eb17cbdLU, 0xe7b82d07LU, 0x90bf1d91LU, 0x1db71064LU, 0x6ab020f2LU, 0xf3b97148LU, 0x84be41deLU, 0x1adad47dLU, 0x6ddde4ebLU, 0xf4d4b551LU, 0x83d385c7LU, 0x136c9856LU, 0x646ba8c0LU, 0xfd62f97aLU, 0x8a65c9ecLU, 0x14015c4fLU, 0x63066cd9LU, 0xfa0f3d63LU, 0x8d080df5LU, 0x3b6e20c8LU, 0x4c69105eLU, 0xd56041e4LU, 0xa2677172LU, 0x3c03e4d1LU, 0x4b04d447LU, 0xd20d85fdLU, 0xa50ab56bLU, 0x35b5a8faLU, 0x42b2986cLU, 0xdbbbc9d6LU, 0xacbcf940LU, 0x32d86ce3LU, 0x45df5c75LU, 0xdcd60dcfLU, 0xabd13d59LU, 0x26d930acLU, 0x51de003aLU, 0xc8d75180LU, 0xbfd06116LU, 0x21b4f4b5LU, 0x56b3c423LU, 0xcfba9599LU, 0xb8bda50fLU, 0x2802b89eLU, 0x5f058808LU, 0xc60cd9b2LU, 0xb10be924LU, 0x2f6f7c87LU, 0x58684c11LU, 0xc1611dabLU, 0xb6662d3dLU, 0x76dc4190LU, 0x01db7106LU, 0x98d220bcLU, 0xefd5102aLU, 0x71b18589LU, 0x06b6b51fLU, 0x9fbfe4a5LU, 0xe8b8d433LU, 0x7807c9a2LU, 0x0f00f934LU, 0x9609a88eLU, 0xe10e9818LU, 0x7f6a0dbbLU, 0x086d3d2dLU, 0x91646c97LU, 0xe6635c01LU, 0x6b6b51f4LU, 0x1c6c6162LU, 0x856530d8LU, 0xf262004eLU, 0x6c0695edLU, 0x1b01a57bLU, 0x8208f4c1LU, 0xf50fc457LU, 0x65b0d9c6LU, 0x12b7e950LU, 0x8bbeb8eaLU, 0xfcb9887cLU, 0x62dd1ddfLU, 0x15da2d49LU, 
0x8cd37cf3LU, 0xfbd44c65LU, 0x4db26158LU, 0x3ab551ceLU, 0xa3bc0074LU, 0xd4bb30e2LU, 0x4adfa541LU, 0x3dd895d7LU, 0xa4d1c46dLU, 0xd3d6f4fbLU, 0x4369e96aLU, 0x346ed9fcLU, 0xad678846LU, 0xda60b8d0LU, 0x44042d73LU, 0x33031de5LU, 0xaa0a4c5fLU, 0xdd0d7cc9LU, 0x5005713cLU, 0x270241aaLU, 0xbe0b1010LU, 0xc90c2086LU, 0x5768b525LU, 0x206f85b3LU, 0xb966d409LU, 0xce61e49fLU, 0x5edef90eLU, 0x29d9c998LU, 0xb0d09822LU, 0xc7d7a8b4LU, 0x59b33d17LU, 0x2eb40d81LU, 0xb7bd5c3bLU, 0xc0ba6cadLU, 0xedb88320LU, 0x9abfb3b6LU, 0x03b6e20cLU, 0x74b1d29aLU, 0xead54739LU, 0x9dd277afLU, 0x04db2615LU, 0x73dc1683LU, 0xe3630b12LU, 0x94643b84LU, 0x0d6d6a3eLU, 0x7a6a5aa8LU, 0xe40ecf0bLU, 0x9309ff9dLU, 0x0a00ae27LU, 0x7d079eb1LU, 0xf00f9344LU, 0x8708a3d2LU, 0x1e01f268LU, 0x6906c2feLU, 0xf762575dLU, 0x806567cbLU, 0x196c3671LU, 0x6e6b06e7LU, 0xfed41b76LU, 0x89d32be0LU, 0x10da7a5aLU, 0x67dd4accLU, 0xf9b9df6fLU, 0x8ebeeff9LU, 0x17b7be43LU, 0x60b08ed5LU, 0xd6d6a3e8LU, 0xa1d1937eLU, 0x38d8c2c4LU, 0x4fdff252LU, 0xd1bb67f1LU, 0xa6bc5767LU, 0x3fb506ddLU, 0x48b2364bLU, 0xd80d2bdaLU, 0xaf0a1b4cLU, 0x36034af6LU, 0x41047a60LU, 0xdf60efc3LU, 0xa867df55LU, 0x316e8eefLU, 0x4669be79LU, 0xcb61b38cLU, 0xbc66831aLU, 0x256fd2a0LU, 0x5268e236LU, 0xcc0c7795LU, 0xbb0b4703LU, 0x220216b9LU, 0x5505262fLU, 0xc5ba3bbeLU, 0xb2bd0b28LU, 0x2bb45a92LU, 0x5cb36a04LU, 0xc2d7ffa7LU, 0xb5d0cf31LU, 0x2cd99e8bLU, 0x5bdeae1dLU, 0x9b64c2b0LU, 0xec63f226LU, 0x756aa39cLU, 0x026d930aLU, 0x9c0906a9LU, 0xeb0e363fLU, 0x72076785LU, 0x05005713LU, 0x95bf4a82LU, 0xe2b87a14LU, 0x7bb12baeLU, 0x0cb61b38LU, 0x92d28e9bLU, 0xe5d5be0dLU, 0x7cdcefb7LU, 0x0bdbdf21LU, 0x86d3d2d4LU, 0xf1d4e242LU, 0x68ddb3f8LU, 0x1fda836eLU, 0x81be16cdLU, 0xf6b9265bLU, 0x6fb077e1LU, 0x18b74777LU, 0x88085ae6LU, 0xff0f6a70LU, 0x66063bcaLU, 0x11010b5cLU, 0x8f659effLU, 0xf862ae69LU, 0x616bffd3LU, 0x166ccf45LU, 0xa00ae278LU, 0xd70dd2eeLU, 0x4e048354LU, 0x3903b3c2LU, 0xa7672661LU, 0xd06016f7LU, 0x4969474dLU, 0x3e6e77dbLU, 0xaed16a4aLU, 0xd9d65adcLU, 0x40df0b66LU, 0x37d83bf0LU, 
0xa9bcae53LU, 0xdebb9ec5LU, 0x47b2cf7fLU, 0x30b5ffe9LU, 0xbdbdf21cLU, 0xcabac28aLU, 0x53b39330LU, 0x24b4a3a6LU, 0xbad03605LU, 0xcdd70693LU, 0x54de5729LU, 0x23d967bfLU, 0xb3667a2eLU, 0xc4614ab8LU, 0x5d681b02LU, 0x2a6f2b94LU, 0xb40bbe37LU, 0xc30c8ea1LU, 0x5a05df1bLU, 0x2d02ef8dLU }; _u32 crc32(_u8 *data, _u32 len) { _u32 crc=0xffffffff; while (len--) crc=(crc>>8)^crc32table[(crc&0xff)^*data++]; return crc^0xffffffff; } p0f/crc32.h0100600000175100017500000000043210472316367012210 0ustar lcamtufusers/* p0f - cyclic redundancy check ----------------------------- CRC32 code. Polynomial 0x04c11db7LU. Copyright (C) 2006 by Mariusz Kozlowski */ #ifndef _HAVE_CRC32_H #define _HAVE_CRC32_H _u32 crc32(_u8 *data, _u32 len); #endif