Device Discovery - p0f

Say you want to find out which machines exist on your network.
Several tools can do this by actively sending queries onto the network.
The problem with that approach is that you end up generating traffic of your own,
which an attentive network administrator may notice.

A way around this is the tool p0f.
This utility uses passive techniques, looking only at traffic that is already flowing,
to guess which machines exist on the network and what properties those machines have.

- choose the interface to listen on

    p0f -i eth0

- If you have a tcpdump file that you created earlier, you can feed it to p0f rather than using a live capture

    p0f -s tcpdump.file
   
- record the observed network traffic into a tcpdump file

    p0f -w dump.file
   
- If you're using p0f in a script, use the -o file option to write the output to a text file

    p0f -o dump.file
   
- By default, p0f sees machines only when they open new connections. You can try to guess what's going on with already-opened connections with the -O option. This option can generate a lot of data, so you probably won't want to use it for an extended period of time.

- detect machines hidden behind NAT (masquerade detection)

    p0f -M
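To make the passive technique above concrete, here is an added example (not p0f's own code, and the signature table in it is constructed for illustration rather than taken from p0f's database). It pulls the header fields that passive fingerprinters key on out of raw IPv4/TCP SYN packets, looks only at new connections just as p0f does by default, and lists each distinct host once without ever sending a packet; the sample packets are constructed inline.

```python
import struct
def syn_fingerprint(pkt):
    """Fields a passive fingerprinter keys on, from one raw IPv4/TCP SYN (else None)."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]               # skip the IPv4 header (IHL words)
    if pkt[9] != 6 or tcp[13] & 0x12 != 0x02:     # must be TCP with SYN set, ACK clear
        return None
    opts, names, i = tcp[20:(tcp[12] >> 4) * 4], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # end-of-options
            break
        if kind == 1:                             # NOP padding: its position is part of the layout
            names.append("nop"); i += 1; continue
        names.append({2: "mss", 3: "ws", 4: "sok", 8: "ts"}.get(kind, f"?{kind}"))
        i += opts[i + 1]                          # advance by the option's own length byte
    init_ttl = next(t for t in (32, 64, 128, 255) if t >= pkt[8])  # TTL drops per hop; round up
    return {"src": ".".join(map(str, pkt[12:16])), "ttl": init_ttl,
            "win": struct.unpack("!H", tcp[14:16])[0], "opts": ",".join(names)}

SIGNATURES = {   # constructed for this example; not p0f's signature database
    (64, 29200, "mss,sok,ts,nop,ws"): "Linux-like stack",
    (128, 8192, "mss,nop,ws,nop,nop,sok"): "Windows-like stack",
}

def discover(packets):
    """Passive discovery: each distinct host seen opening a connection, with a stack guess."""
    hosts = {}
    for pkt in packets:
        fp = syn_fingerprint(pkt)
        if fp and fp["src"] not in hosts:         # nothing is ever sent; we only observe
            hosts[fp["src"]] = SIGNATURES.get((fp["ttl"], fp["win"], fp["opts"]), "unknown")
    return hosts

def make_syn(src, ttl, win, opts):
    """Constructed IPv4+TCP SYN used as sample input (a real run would read a capture)."""
    tlen = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tlen, 1, 0x4000, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tlen // 4) << 4, 0x02, win, 0, 0)
    return ip + tcp + opts

LINUX_OPTS = bytes.fromhex("020405b4" "0402" "080a" + "00" * 8 + "01" "030307")  # MSS,SACK,TS,NOP,WS
WIN_OPTS = bytes.fromhex("020405b4" "01" "030308" "01" "01" "0402")               # MSS,NOP,WS,NOP,NOP,SACK
SAMPLE = [make_syn("10.0.0.5", 61, 29200, LINUX_OPTS),   # three hops away: TTL 64 seen as 61
          make_syn("10.0.0.9", 128, 8192, WIN_OPTS),
          make_syn("10.0.0.5", 61, 29200, LINUX_OPTS)]   # same host again; listed once

if __name__ == "__main__":
    print(discover(SAMPLE))   # {'10.0.0.5': 'Linux-like stack', '10.0.0.9': 'Windows-like stack'}
```

Note that the observed TTL is rounded up to an initial value before matching, since it has been decremented once per router hop; this is why a fingerprinter cannot rely on the raw TTL byte alone.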
