p0f, Got Packets?
p0f has been discussed from time to time in our diary posts [1], [2], and I thought it a good time to bring that tool up again. There is a fully updated version [3] that has some additional features and seems to be maintained again (hooray!). With that, there are some great things we can revisit with the new and improved tool.
In the interest of the 'power' of sharing, let's go to the "Inter-Tubes" for data. "Data, Data, Data" .... Here at the Internet Storm Center we have a saying, "Got Packets?" Well, in the interest of giving back, check out http://www.netresec.com/?page=PcapFiles as a jumping-off point for gigs and gigs worth of packets. Your mileage on the links may vary, as some pcaps are no longer available. Be careful as always; some of that stuff may hurt :)
Checking what version is loaded (3.06b), and to the command line, "Batman": let us first take a look at some simple protocol traffic. Mine is a capture from a ... location ... *hint_35K_feet*. If you want to take a look at other PCAPs that can be run through the tool for output, check out references [4], [5], [6] (and I am sure there are others out there; please add them in the comments).
We run p0f -r ./
and get some results. Let's go over the normal stuff, then get to the good stuff.
If you look at Figure 1, we see that we can tell a lot about this host: uptime, the FREQ of the host, probably a Wi-Fi, iType device, likely a MacBook Pro (I have the inside scoop on that, it's me :).
For the more interesting part, we have to scroll back up a bit, and we find:
According to the readme found at http://lcamtuf.coredump.cx/p0f3/README this is available via API. Just another tool in the belt of the analyst.
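As an added illustration (not code from this diary or from the p0f project), here is a small Python client for that API socket, which talks to a p0f started with "-s <socket>". The struct layout and magic values are assumed to match p0f v3's api.h; the sample response at the bottom is constructed, not real p0f output.

```python
import ipaddress
import socket
import struct

# Layout assumed to match p0f v3's api.h: packed structs, host byte order.
# Query: magic u32, addr_type u8 (4 = IPv4, 6 = IPv6), addr u8[16] left-aligned.
# Response: 9 x u32, s16 distance, u8 bad_sw, u8 os_match_q, 6 x char[32].
P0F_QUERY_MAGIC = 0x50304601
P0F_RESP_MAGIC = 0x50304602
P0F_STATUS = {0x00: "badquery", 0x10: "ok", 0x20: "nomatch"}
RESP_FMT = "=IIIIIIIIIhBB32s32s32s32s32s32s"
RESP_LEN = struct.calcsize(RESP_FMT)  # 232 bytes
FIELDS = ("magic", "status", "first_seen", "last_seen", "total_conn",
          "uptime_min", "up_mod_days", "last_nat", "last_chg", "distance",
          "bad_sw", "os_match_q", "os_name", "os_flavor", "http_name",
          "http_flavor", "link_type", "language")

def build_query(ip: str) -> bytes:
    """Encode the 21-byte query for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    return struct.pack("=IB16s", P0F_QUERY_MAGIC, addr.version,
                       addr.packed.ljust(16, b"\x00"))

def parse_response(buf: bytes) -> dict:
    """Decode a response into a dict; raise ValueError if it is malformed."""
    if len(buf) != RESP_LEN:
        raise ValueError(f"expected {RESP_LEN} bytes, got {len(buf)}")
    rec = dict(zip(FIELDS, struct.unpack(RESP_FMT, buf)))
    if rec.pop("magic") != P0F_RESP_MAGIC:
        raise ValueError("bad response magic")
    rec["status"] = P0F_STATUS.get(rec["status"], "unknown")
    for key in FIELDS[12:]:  # NUL-padded fixed-width strings
        rec[key] = rec[key].split(b"\x00", 1)[0].decode("ascii", "replace")
    return rec

def query_p0f(sock_path: str, ip: str) -> dict:
    """Ask a p0f started with '-s sock_path' what it has seen for ip."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_query(ip))
        # MSG_WAITALL: block until the whole 232-byte record has arrived
        buf = s.recv(RESP_LEN, socket.MSG_WAITALL)
    return parse_response(buf)

# Constructed sample response (not real p0f output): status ok, 3 connections,
# uptime 6 days, distance 2 hops, match quality 3.
SAMPLE_RESPONSE = struct.pack(
    RESP_FMT, P0F_RESP_MAGIC, 0x10, 1700000000, 1700003600, 3, 6 * 24 * 60, 49,
    0, 0, 2, 0, 3, b"Mac OS X", b"10.x", b"", b"", b"Ethernet or modem", b"")
```

A "nomatch" status means p0f has seen no fingerprintable traffic from that address yet, so treat it as absence of data rather than a verdict.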
For fun, I downloaded a CTF PCAP from ICTF [8] and ran it to see what p0f could find.
References:
[1] https://isc.sans.edu/forums/diary/p0f+spam+detection+and+OOF+e-mails/2912
[2] https://isc.sans.edu/diary/Passive+Scanning+Two+Ways+-+How-Tos+for+the+Holidays/17246
[3] http://lcamtuf.coredump.cx/p0f3/
[4] http://www.netresec.com/?page=PcapFiles
[5] https://www.defcon.org/html/links/dc-torrent.html
[6] http://terasaur.org/item/downloads/computer-forensics-2009-m57-scenario/187
[7] https://www.evilfingers.com/repository/pcaps.php
[8] https://ictf.cs.ucsb.edu/data/ictf2009/
Richard Porter
--- ISC Handler on Duty