The p0f command for Kali Linux allows a user to listen in on traffic passing over a wireless network. I am using a Netgear WLAN adapter and I am listening in on an open Access Point. This is the command to use: p0f -i wlan0
this will start the p0f traffic sniffer.
root@kali:~# p0f -i wlan0 --- p0f 3.07b by Michal Zalewski --- [+] Closed 1 file descriptor. [+] Loaded 320 signatures from 'p0f.fp'. [+] Intercepting traffic on interface 'wlan0'. [+] Default packet filtering configured [+VLAN]. [+] Entered main event loop. |
This is a sample capture.
.-[ 10.126.108.45/54170 -> 63.245.216.132/443 (syn) ]- | | client = 10.126.108.45/54170 | os = Linux 3.11 and newer | dist = 0 | params = none | raw_sig = 4:64+0:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 | `---- |
This program is used to identify computers that are connected to and sending information over a wireless network.
Here is a sample that shows that I am using an Iceweasel web browser to connect to the web.
.-[ 10.126.108.45/53285 -> 199.58.85.40/80 (http request) ]- | | client = 10.126.108.45/53285 | app = Firefox 10.x or newer | lang = English | params = none | raw_sig = 1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],Connection=[keep-alive]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0 | `---- |
Here is how to list all interfaces available for networking.
root@kali:~# p0f -L --- p0f 3.07b by Michal Zalewski --- -- Available interfaces -- 0: Name : eth0 Description : - IP address : 192.168.233.130 1: Name : wlan0 Description : - IP address : 10.126.108.45 2: Name : nflog Description : Linux netfilter log (NFLOG) interface IP address : (none) 3: Name : any Description : Pseudo-device that captures on all interfaces IP address : (none) 4: Name : lo Description : - IP address : 127.0.0.1 |
Execute p0f this way to write all information to wlan.log.
root@kali:~# p0f -i wlan0 -o wlan.log --- p0f 3.07b by Michal Zalewski --- [+] Closed 1 file descriptor. [+] Loaded 320 signatures from 'p0f.fp'. [+] Intercepting traffic on interface 'wlan0'. [+] Default packet filtering configured [+VLAN]. [+] Log file 'wlan.log' opened for writing. [+] Entered main event loop. |
More information on the website: http://lcamtuf.coredump.cx/p0f3/. Give this a try yourself, this is a lot of fun to try.