Closed lucas1 closed 7 years ago
What exactly is wrong?
When I access your website http://witch.valdikss.org.ru my information is:

```
First seen = 2017/03/30 10:05:50
Last update = 2017/03/30 10:05:50
Total flows = 2
Detected OS = Linux 3.11 and newer
HTTP software = Chrome 51.x or newer (ID seems legit)
MTU = 1408
Network link = OpenVPN UDP bs64 SHA1 lzo
Language = Portuguese
Distance = 14
Uptime = 0 days 1 hrs 23 min (modulo 198 days)
```
So what in your opinion is wrong with that information? It looks correct. Are you confused because it's different? You are probably checking the wrong IP address then.

Hi, sorry for the delay.

When I run the client without accessing the page:

```
$ ./p0f-client ../socket 170.233.61.176
No matching host in p0f cache. That's all we know.
```

But when I run the client after accessing the page:

```
$ ./p0f-client ../socket 172.68.27.17
First seen = 2017/04/03 05:19:39
Last update = 2017/04/03 05:19:39
Total flows = 1
Detected OS = Linux 2.2.x-3.x (no timestamps) [generic]
HTTP software = ???
MTU = 1500
Network link = Ethernet or modem
Language = Portuguese
Distance = 10
Sys change = 2017/04/03 05:19:39
```
See log:

```
[2017/04/03 05:24:01] mod=mtu|cli=172.68.27.17/14906|srv=127.0.0.1/80|subj=cli|link=Ethernet or modem|raw_mtu=1500
[2017/04/03 05:24:01] mod=syn+ack|cli=172.68.27.17/14906|srv=127.0.0.1/80|subj=srv|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss10,7:mss,nop,nop,sok,nop,ws:df:0
[2017/04/03 05:24:01] mod=mtu|cli=172.68.27.17/14906|srv=127.0.0.1/80|subj=srv|link=Ethernet or modem|raw_mtu=1500
[2017/04/03 05:24:01] mod=http request|cli=172.68.27.17/14906|srv=127.0.0.1/80|subj=cli|app=???|lang=Portuguese|params=none|raw_sig=1:Host,Connection=[Keep-Alive],Accept-Encoding=[gzip],CF-IPCountry=[BR],?X-Forwarded-For,CF-RAY=[3498ef9822264bd5-GRU],X-Forwarded-Proto=[http],CF-Visitor=[{"scheme":"http"}],?Cache-Control,Upgrade-Insecure-Requests=[1],User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8],Accept-Language=[pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4,es;q=0.2,nl;q=0.2,pt-PT;q=0.2,und;q=0.2],?Cookie,CF-Connecting-IP=[170.233.61.176]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
[2017/04/03 05:24:01] mod=host change|cli=172.68.27.17/14906|srv=127.0.0.1/80|subj=cli|reason=via|raw_hits=1,1,1,1
```
It won't work behind Cloudflare.

Yes, I'm using VPS too

I will install it on another server. Thanks.

It works, thanks :+1:
Run p0f:

```
$ ./p0f -s socket
--- p0f 3.09b by Michal Zalewski lcamtuf@coredump.cx ---

[+] Closed 1 file descriptor.
[+] Loaded 366 signatures from 'p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Listening on API socket 'socket' (max 20 clients).
[+] Entered main event loop.
```

Run p0f-client:

```
$ ./p0f-client ../socket 172.68.27.17
First seen = 2017/03/30 08:57:09
Last update = 2017/03/30 08:57:09
Total flows = 2
Detected OS = Linux 2.2.x-3.x (no timestamps) [generic]
HTTP software = ???
MTU = 1500
Network link = Ethernet or modem
Language = Portuguese
Distance = 10
Sys change = 2017/03/30 08:57:10
```

The information is wrong; can someone help me?
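
The log in this thread records the proxy's address in `cli=` while the visitor's address only appears in the `CF-Connecting-IP` header, so p0f's cache holds the proxy's TCP fingerprint. The following added example (not part of the original thread and not p0f code) scans p0f log text for that mismatch; the function names are hypothetical, the sample lines are constructed with documentation addresses, and trusting the header value as the client address is an assumption.

```python
import re

# Headers a fronting proxy uses to pass on the original client address.
# CF-Connecting-IP is the one visible in the log in this thread.
CLIENT_HDR = re.compile(r"(?:CF-Connecting-IP|X-Forwarded-For)=\[([^\]]+)\]")

# Constructed sample, shortened from the log format shown in the thread.
SAMPLE = """\
[2017/04/03 05:24:01] mod=mtu|cli=198.51.100.17/14906|srv=127.0.0.1/80|subj=cli|link=Ethernet or modem|raw_mtu=1500
[2017/04/03 05:24:01] mod=http request|cli=198.51.100.17/14906|srv=127.0.0.1/80|subj=cli|app=???|lang=Portuguese|params=none|raw_sig=1:Host,Connection=[Keep-Alive],?X-Forwarded-For,User-Agent,CF-Connecting-IP=[203.0.113.176]:Accept-Charset,Keep-Alive:Mozilla/5.0
[2017/04/03 05:25:10] mod=http request|cli=192.0.2.44/50122|srv=127.0.0.1/80|subj=cli|app=???|lang=English|params=none|raw_sig=1:Host,User-Agent,Accept=[*/*]:Accept-Charset:curl/7.52.1
"""

def parse_line(line):
    """Split one p0f log line into a dict of its key=value fields."""
    body = line.split("] ", 1)[1]            # drop the "[timestamp] " prefix
    # raw_sig comes last and may itself contain '|', so split it off first.
    head, _, raw_sig = body.partition("|raw_sig=")
    fields = dict(part.partition("=")[::2] for part in head.split("|"))
    fields["raw_sig"] = raw_sig
    return fields

def proxied_flows(log_text):
    """Return (tcp_peer, header_client) pairs for client HTTP requests whose
    forwarded-client header names a different address than the TCP peer."""
    hits = []
    for line in log_text.splitlines():
        if not line.startswith("["):
            continue
        f = parse_line(line)
        if f.get("mod") != "http request" or f.get("subj") != "cli":
            continue
        m = CLIENT_HDR.search(f["raw_sig"])
        if not m:
            continue                          # header absent or listed without a value
        peer = f["cli"].split("/")[0]         # cli is "address/port"
        client = m.group(1).split(",")[0].strip()
        if client != peer:
            hits.append((peer, client))       # fingerprint belongs to `peer`, not `client`
    return hits

if __name__ == "__main__":
    for peer, client in proxied_flows(SAMPLE):
        print(f"p0f fingerprinted {peer}; request was made on behalf of {client}")
```
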