p0f

package

v0.0.0-...-75e3e40 Latest Latest Go to latest Published: Jun 20, 2018 License: GPL-3.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/jcrussell/discovery

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
type Packet
type TCPSignature
- func ParseTCPSignature(label, s string) (*TCPSignature, error)
- func (sig *TCPSignature) Match(p Packet, fuzzy *bool) bool
type TCPSyn
- func NewTCPSyn(p Packet) TCPSyn

Constants ¶

View Source

const (
	MinTCP4 = 40 // Minimum size of IPv4 header + TCP header
	MinTCP6 = 60 // Minimum size of IPv6 header + TCP header
)

View Source

const (
	WSizeTypeAny int = iota
	WSizeTypeNormal
	WSizeTypeMod
	WSizeTypeMSS
	WSizeTypeMTU
)

Different ways that the WSize field can be interpreted

View Source

const (
	TCPQuirkECN        int = 1 << iota // ECN supported
	TCPQuirkDF                         // DF used (probably PMTUD); ignored for IPv6
	TCPQuirkNZID                       // Non-zero IDs when DF set; ignored for IPv6
	TCPQuirkZeroID                     // Zero IDs when DF not set; ignored for IPv6
	TCPQuirkNZMBZ                      // IP "must be zero" field isn't; ignored for IPv6
	TCPQuirkFlow                       // IPv6 flows used; ignored for IPv4
	TCPQuirkZeroSEQ                    // SEQ is zero
	TCPQuirkNZACK                      // ACK non-zero when ACK flag not set
	TCPQuirkZeroACK                    // ACK is zero when ACK flag set
	TCPQuirkNZURG                      // URG non-zero when URG flag not set
	TCPQuirkURG                        // URG flag set
	TCPQuirkPUSH                       // PUSH flag on a control packet
	TCPQuirkOptZeroTS1                 // Own timestamp set to zero
	TCPQuirkOptNZTS2                   // Peer timestamp non-zero on SYN
	TCPQuirkOptEOLNZ                   // Non-zero padding past EOL
	TCPQuirkOptEXWS                    // Excessive window scaling
	TCPQuirkOptBAD                     // Problem parsing TCP options
)

Variables ¶

View Source

var TCPOpts = map[string]uint8{
	"nop":  layers.TCPOptionKindNop,
	"mss":  layers.TCPOptionKindMSS,
	"ws":   layers.TCPOptionKindWindowScale,
	"sok":  layers.TCPOptionKindSACKPermitted,
	"sack": layers.TCPOptionKindSACK,
	"ts":   layers.TCPOptionKindTimestamps,
}

For parsing list of options from the fingerprint file

View Source

var TCPQuirks = map[string]int{
	"df":     TCPQuirkDF,
	"id+":    TCPQuirkNZID,
	"id-":    TCPQuirkZeroID,
	"ecn":    TCPQuirkECN,
	"0+":     TCPQuirkNZMBZ,
	"flow":   TCPQuirkFlow,
	"seq-":   TCPQuirkZeroSEQ,
	"ack+":   TCPQuirkNZACK,
	"ack-":   TCPQuirkZeroACK,
	"uptr+":  TCPQuirkNZURG,
	"urgf+":  TCPQuirkURG,
	"pushf+": TCPQuirkPUSH,
	"ts1-":   TCPQuirkOptZeroTS1,
	"ts2+":   TCPQuirkOptNZTS2,
	"opt+":   TCPQuirkOptEOLNZ,
	"exws":   TCPQuirkOptEXWS,
	"bad":    TCPQuirkOptBAD,
}

For parsing list of quirks from the fingerprint file

Functions ¶

This section is empty.

Types ¶

type Packet ¶

type Packet interface {
	IP() gopacket.Layer

	TCP() *layers.TCP
}

type TCPSignature ¶

type TCPSignature struct {
	Label string // type:class:name:flavor
	Raw   string // raw signature that this was parsed from

	Version      *int    // IPv4 or IPv6, (nil => any)
	ITTL         uint8   // initial TTL
	OptLen       uint8   // length of IPv4 options or IPv6 extension headers
	MSS          *uint16 // maximum segment size, (nil => any)
	WSizeType    int     // tells how to use the WSize field
	WSize        uint16  // window size
	WScale       *uint8  // window scaling factor, (nil => any)
	OptLayout    []uint8 // ordering of TCP options, if any
	Quirks       int     // quirks in IP or TCP headers
	PayloadClass int     // payload size classification

	EOLPad int // number of bytes after EOL to 32 byte padding
	// contains filtered or unexported fields
}

Parsed representation of a TCP fingerprint. See ParseTCPSignature.

func ParseTCPSignature ¶

func ParseTCPSignature(label, s string) (*TCPSignature, error)

ParseTCPSignature parses the p0f TCP signature format:

ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass

func (*TCPSignature) Match ¶

func (sig *TCPSignature) Match(p Packet, fuzzy *bool) bool

Match the TCP packet against sig. Matches might be fuzzy, if the quirks don't match exactly. This returned through the fuzzy parameter.

type TCPSyn ¶

type TCPSyn struct {
	HeaderLen uint16

	Quirks       int
	MSS          uint16
	WScale       uint8
	TS1, TS2     uint32
	PayloadClass int
}

TCPSyn stores information required for matching a TCP SYN or SYN+ACK against a TCPSignature. Built from State using NewTCPSyn.

func NewTCPSyn ¶

func NewTCPSyn(p Packet) TCPSyn

Compute the TCPSyn summary info from State.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL