scapy.modules.p0f
Clone of p0f v3 passive OS fingerprinting
- class scapy.modules.p0f.HTTP_Signature(http_ver, hdr, hdr_set, habsent, sw)[source]
Bases: object
- classmethod from_packet(pkt)[source]
Receives an HTTP packet (assuming it’s valid), and returns an HTTP_Signature object
- classmethod from_raw_sig(sig_line)[source]
Parses an HTTP sig line and returns an HTTP_Signature object
- habsent
- hdr
- hdr_set
- http_ver
- sw
- class scapy.modules.p0f.TCP_Record(label_id, sig_line)[source]
Bases: object
- bad_ttl
- label_id
- sig
- class scapy.modules.p0f.TCP_Signature(olayout, quirks, ip_opt_len, ip_ver, ttl, mss, win, win_type, wscale, pay_class, ts1)[source]
Bases: object
- classmethod from_packet(pkt)[source]
Receives a TCP packet (assuming it’s valid), and returns a TCP_Signature object
- classmethod from_raw_sig(sig_line)[source]
Parses a TCP sig line and returns a tuple consisting of a TCP_Signature object and bad_ttl as bool
- ip_opt_len
- ip_ver
- mss
- olayout
- pay_class
- quirks
- ts1
- ttl
- win
- win_type
- wscale
- scapy.modules.p0f.detect_win_multi(ts)[source]
Figures out whether the window size is a multiple of the MSS or the MTU. Receives a TCP signature and returns the multiplier and whether the MTU should be used
- scapy.modules.p0f.fingerprint_mtu(pkt)[source]
Fingerprints the MTU based on the maximum segment size specified in TCP options. If a match is found, returns the label. If not, returns None
- class scapy.modules.p0f.p0fKnowledgeBase(filename: Any | None)[source]
Bases: KnowledgeBase
    self.base = {
        "mtu" (str): [sig(tuple), ...]
        "tcp"/"http" (str): {
            direction (str): [sig(tuple), ...]
        }
    }
    self.labels = (label(tuple), ...)
- get_sigs_by_os(direction, osgenre, osdetails=None)[source]
Get TCP signatures that match an OS genre and details (if specified). If osdetails isn’t specified, then we pick all signatures that match osgenre.
Examples
>>> p0fdb.get_sigs_by_os("request", "Linux", "2.6")
>>> p0fdb.get_sigs_by_os("response", "Windows", "8")
>>> p0fdb.get_sigs_by_os("request", "FreeBSD")
- http_find_match(ts, direction)[source]
Finds the best match for the given signature and direction. If a match is found, returns a tuple consisting of:
- label: the matched label
- dishonest: whether the software was detected as dishonest
Returns None if no match was found
- scapy.modules.p0f.p0f_impersonate(pkt, osgenre=None, osdetails=None, signature=None, extrahops=0, mtu=1500, uptime=None)[source]
Modifies pkt so that p0f will think it has been sent by a specific OS. Either osgenre or signature is required to impersonate. If signature is specified (as a raw string), we use the signature. Signature format:
"ip_ver:ttl:ip_opt_len:mss:window,wscale:opt_layout:quirks:pay_class"
If osgenre is specified, we randomly pick a signature with a label that matches osgenre (and osdetails, if specified). Note: osgenre is case sensitive (“linux” -> “Linux” etc.), and osdetails is a substring of a label flavor (“7”, “8” and “7 or 8” will all match the label “s:win:Windows:7 or 8”)
For now, only TCP SYN/SYN+ACK packets are supported.
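The raw signature string shown above splits into eight colon-separated fields, with window and wscale sharing one field. The parser below is an added example, not scapy's own code: the names ParsedSig and parse_tcp_sig are hypothetical, and the "*" wildcard, the trailing "-" bad-TTL marker and the window forms (mss*N, mtu*N, %N) are assumed from the p0f v3 signature format rather than stated on this page.

```python
from typing import NamedTuple, Tuple

class ParsedSig(NamedTuple):      # hypothetical container, not scapy's TCP_Signature
    ip_ver: int                   # 4 or 6; -1 for the "*" wildcard
    ttl: int
    bad_ttl: bool                 # True when the ttl field ends in "-"
    ip_opt_len: int
    mss: int                      # -1 for "*"
    win_type: str                 # "any", "normal", "mod", "mss" or "mtu"
    win: int                      # literal size, modulus or multiplier
    wscale: int                   # -1 for "*"
    olayout: Tuple[str, ...]
    quirks: Tuple[str, ...]
    pay_class: int                # 0 = no payload, 1 = payload, -1 = "*"

def _num(field: str) -> int:
    """Integer field where "*" means 'any value'."""
    return -1 if field == "*" else int(field)

def _csv(field: str) -> Tuple[str, ...]:
    """Comma-separated list; an empty field yields an empty tuple."""
    return tuple(item for item in field.split(",") if item)

def parse_tcp_sig(sig: str) -> ParsedSig:
    parts = sig.strip().split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 ':'-separated fields, got {len(parts)}")
    ip_ver, ttl, ip_opt_len, mss, win_ws, olayout, quirks, pay = parts
    bad_ttl = ttl.endswith("-")
    window, sep, wscale = win_ws.partition(",")
    if not sep:
        raise ValueError("window field must be 'window,wscale'")
    if window == "*":
        win_type, win = "any", 0
    elif window.startswith("%"):
        win_type, win = "mod", int(window[1:])
    elif window.startswith(("mss*", "mtu*")):
        win_type, win = window[:3], int(window[4:])
    else:
        win_type, win = "normal", int(window)
    if pay not in ("0", "+", "*"):
        raise ValueError(f"bad pay_class {pay!r}")
    return ParsedSig(_num(ip_ver), int(ttl.rstrip("-")), bad_ttl, int(ip_opt_len),
                     _num(mss), win_type, win, _num(wscale), _csv(olayout),
                     _csv(quirks), {"0": 0, "+": 1, "*": -1}[pay])

# Constructed sample signature, for illustration only.
SAMPLE = "4:64:0:*:mss*10,7:mss,sok,ts,nop,ws:df,id+:0"

if __name__ == "__main__":
    print(parse_tcp_sig(SAMPLE))
```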