fp - the shoki passive fingerprinter
fp [-c max_count] [-C conf_file] [-D chrdir] [-E stop] [-f] [-h] [-L logfname] [-r dumpfile] [-s snaplen] [-S start] [-U luser] [-v verbose] [bpf_filter]
fp reads in a pcap dumpfile and attempts to determine via passive fingerprinting the host OS of each source IP in the dumpfile. Output consists of a list of IP addresses, the matching fingerprints, a percentage of matched packets, and potentially additional information. For example:

SYN: 10.1.2.3 : Linux 2.4/2.6 (uptime 94 hours) (distance 3 hops) (50%)
ACK: 18.104.22.168 : Windows XP SP1 (distance 16 hops) (100%)
SYN: 172.16.3.4 : Linux 2.2 (1) (uptime 406 hours) (distance 13 hops) (100%)

In the above: half of the packets from 10.1.2.3 matched the Linux 2.4/2.6 SYN signature, and this host is apparently 3 hops away and has been up about 94 hours; all of the packets from 22.214.171.124 matched the Windows XP SP1 SYN-ACK signature, and this host is apparently 16 hops away; all of the packets from 172.16.3.4 matched the Linux 2.2 (1) SYN signature, and this host is apparently 13 hops away and has been up for 406 hours.
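
The result lines described above can be turned into structured records for an asset inventory. The following is an added example, not part of shoki or its documentation; it assumes the line layout is exactly what the three sample lines show, and the names Match, parse_line, parse_output and low_confidence are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Sample input: the three result lines from the page's example, copied verbatim.
SAMPLE = """\
SYN: 10.1.2.3 : Linux 2.4/2.6 (uptime 94 hours) (distance 3 hops) (50%)
ACK: 18.104.22.168 : Windows XP SP1 (distance 16 hops) (100%)
SYN: 172.16.3.4 : Linux 2.2 (1) (uptime 406 hours) (distance 13 hops) (100%)
"""

class Match(NamedTuple):
    sig_type: str
    src_ip: str
    os_label: str
    match_pct: int
    uptime_hours: Optional[int]
    distance_hops: Optional[int]

HEAD = re.compile(r"^(\S+): (\S+) : (.+)$")
# One trailing annotation. Singular "hour"/"hop" is an assumption; the
# sample only shows plurals.
TAIL = re.compile(r"\s*\((?:uptime (?P<uptime>\d+) hours?"
                  r"|distance (?P<distance>\d+) hops?|(?P<pct>\d+)%)\)$")

def parse_line(line: str) -> Optional[Match]:
    """Parse one result line; return None if it is not in the assumed layout."""
    head = HEAD.match(line.strip())
    if not head:
        return None
    sig_type, src_ip, rest = head.groups()
    fields = {}
    # Peel known annotations off the right-hand end. Parentheses that are not
    # annotations, such as the "(1)" in "Linux 2.2 (1)", stay in the label.
    while (tail := TAIL.search(rest)) and tail.lastgroup not in fields:
        fields[tail.lastgroup] = int(tail.group(tail.lastgroup))
        rest = rest[:tail.start()]
    if "pct" not in fields:
        return None
    return Match(sig_type, src_ip, rest.strip(), fields["pct"],
                 fields.get("uptime"), fields.get("distance"))

def parse_output(text: str) -> list:
    return [m for m in map(parse_line, text.splitlines()) if m]

def low_confidence(matches, threshold=75):
    """Source IPs with a match covering fewer than threshold% of their packets."""
    return sorted({m.src_ip for m in matches if m.match_pct < threshold})

if __name__ == "__main__":
    for m in parse_output(SAMPLE):
        print(m)
    print("review:", low_confidence(parse_output(SAMPLE)))
```
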
fp reads dumpfiles using zlib(3), so it can read gzip'd dumpfiles.
-c max_count Only read max_count packets.
-C conf_file Read an alternate config file. By default, /usr/local/shoki/etc/fp.conf will be used.
-D chrdir If specified, will do a chroot(3) to chrdir.
-E stop Only look at packets with timestamps on or before stop. A value of seconds after the start of the epoch is assumed.
See also -S.
-f Attempt fragment reassembly.
Consult the README and/or the source for more information about how frag reassembly works.
-h Display a usage message and exit.
-L logfile For filter methods that support logging to a file, output will be sent to logfile. Use `-' (without the quotes) for stdout.
-r dumpfile Read packets from dumpfile. The specified file must be a libpcap-style dumpfile. It may be gzip'd.
-s snaplen Sets the default snaplen. If not specified, 65535 is assumed.
Individual filter rules can specify a different snaplen for packets matching that filter.
-S start Only packets with timestamps on or after start will be used. A value of seconds after the start of the epoch is assumed.
See also -E.
-U luser If specified, setuid/setgid to specified luser.
-v verbosity Set the verbosity level to verbosity. If this is nonzero, then source IP addresses whose traffic matched no fingerprints will also be printed.
/usr/local/shoki/etc/fp.conf fp config file.
Stephen P. Berry <email@example.com>
The methods used by the fp widget are taken directly from p0f(1) by Michal Zalewski.
More information can be found at the shoki homepage:
Check the README at the top of the source tree.
|November 6, 2003||FP (1)||shoki|