p0f
p0f is a passive OS fingerprinting tool that identifies operating systems and network characteristics of remote systems by analyzing network traffic without active probing. It determines system types, versions, and details through observation of TCP/IP stack implementation quirks and timing patterns.
Installation
Section titled “Installation”Linux Installation
Section titled “Linux Installation”# Debian/Ubuntu
sudo apt-get install p0f
# Fedora/RHEL
sudo dnf install p0f
# Arch Linux
sudo pacman -S p0f
# From source
git clone https://github.com/lcamtuf/p0f.git
cd p0f
./build.sh
sudo ./install.shmacOS Installation
Section titled “macOS Installation”# Using Homebrew
brew install p0f
# From source
git clone https://github.com/lcamtuf/p0f.git
cd p0f
./build.sh
sudo ./install.shVerify Installation
Section titled “Verify Installation”p0f -V
p0f --help
which p0fCore Concepts
Section titled “Core Concepts”Fingerprinting Methods
Section titled “Fingerprinting Methods”- TCP SYN packet analysis: Window size, flags, MSS, TTL patterns
- HTTP request analysis: User-agent strings, header order, implementation details
- ICMP probe response: TTL, DF bit, payload handling
- TCP RST/FIN patterns: Response timing and sequencing
- MTU/window scaling detection: Network configuration inference
Information Gathered
Section titled “Information Gathered”- Operating system family and version
- Network appliances and firewalls
- Browser identification
- Network topology hints
- System uptime estimation
Basic Operation
Section titled “Basic Operation”Simple Passive Monitoring
Section titled “Simple Passive Monitoring”# Monitor on default interface
p0f
# Monitor specific interface
p0f -i eth0
# List available interfaces
p0f -i ?Monitoring with Output
Section titled “Monitoring with Output”# Monitor and save results
p0f -i eth0 -o p0f_results.txt
# Monitor with detailed output
p0f -i eth0 -d
# Monitor on multiple interfaces
p0f -i eth0 & p0f -i wlan0 &Background Operation
Section titled “Background Operation”# Run as daemon
p0f -i eth0 -o p0f_results.txt &
# Detached with nohup
nohup p0f -i eth0 -o p0f_results.txt > /dev/null 2>&1 &
# Query running daemon
p0fqTraffic Analysis
Section titled “Traffic Analysis”Analyze Specific Hosts
Section titled “Analyze Specific Hosts”# Monitor specific source IP
p0f -i eth0 -o results.txt 'src 192.168.1.100'
# Monitor specific destination
p0f -i eth0 'dst 10.0.0.0/8'
# Monitor subnet
p0f -i eth0 'src 192.168.1.0/24'Filter by Protocol
Section titled “Filter by Protocol”# TCP traffic only
p0f -i eth0 'tcp'
# UDP traffic analysis
p0f -i eth0 'udp'
# ICMP echo requests
p0f -i eth0 'icmp[icmptype] == icmp-echo'Advanced Filtering
Section titled “Advanced Filtering”# TCP SYN packets only
p0f -i eth0 'tcp[tcpflags] & tcp-syn == tcp-syn'
# Monitor specific port
p0f -i eth0 'dst port 80'
# Monitor port range
p0f -i eth0 'dst portrange 1024-65535'
# Complex filter
p0f -i eth0 '(tcp dst port 80 or tcp dst port 443) and src 10.0.0.0/8'Fingerprint Database
Section titled “Fingerprint Database”View Fingerprints
Section titled “View Fingerprints”# Show all known fingerprints
p0f -D
# List by OS category
p0f -D | grep -i "linux"
# Count fingerprints
p0f -D | wc -lUpdate Fingerprint Database
Section titled “Update Fingerprint Database”# Check current database
p0f -D | head -20
# Download latest fingerprints
cd /etc/p0f
git clone https://github.com/lcamtuf/p0f.git
cp p0f/p0f.fp .
# Reload with custom database
p0f -F custom_fingerprints.fp -i eth0Custom Fingerprints
Section titled “Custom Fingerprints”# Load custom fingerprint file
p0f -F my_fingerprints.fp -i eth0
# Multiple databases
p0f -F db1.fp -F db2.fp -i eth0
# Create custom entry format:
# [class] label = OS details
# s = SYN packet
# syn = SYN+ACK responseOutput Modes
Section titled “Output Modes”Standard Output
Section titled “Standard Output”# Verbose mode
p0f -v -i eth0
# Very verbose
p0f -vv -i eth0
# Quiet mode (minimal output)
p0f -q -i eth0File Output
Section titled “File Output”# Write to file
p0f -i eth0 -o analysis.txt
# Append to file
p0f -i eth0 -o analysis.txt -a
# CSV-style output
p0f -i eth0 -o analysis.csv
# Continuous append mode
p0f -i eth0 -o results.log -uJSON Output
Section titled “JSON Output”# JSON formatted output
p0f -i eth0 -o results.json
# Pretty JSON
p0f -i eth0 -o results.json -jDatabase-Driven Analysis
Section titled “Database-Driven Analysis”Query Running Instance
Section titled “Query Running Instance”# Query p0f daemon
p0fq
# Query specific host from database
p0fq -Q 192.168.1.100
# List all known hosts
p0fq -l
# Show statistics
p0fq -sDatabase Management
Section titled “Database Management”# Use custom database file
p0f -s /tmp/p0f.sock -i eth0
# Query custom socket
p0fq -Q 192.168.1.100 -s /tmp/p0f.sock
# Export database
p0fq -d > p0f_database.txtPcap File Analysis
Section titled “Pcap File Analysis”Analyze Packet Captures
Section titled “Analyze Packet Captures”# Read pcap file
p0f -r capture.pcap
# Process multiple files
p0f -r capture1.pcap -r capture2.pcap
# Output to file
p0f -r capture.pcap -o fingerprints.txtGenerate Pcap Files
Section titled “Generate Pcap Files”# Capture traffic for later analysis
tcpdump -i eth0 -w traffic.pcap
# Filter and save
tcpdump -i eth0 -w filtered.pcap 'tcp[tcpflags] & tcp-syn == tcp-syn'
# Analyze captured data
p0f -r filtered.pcap -vBatch Processing
Section titled “Batch Processing”# Process pcap directory
for file in *.pcap; do
p0f -r "$file" -o "results_${file%.pcap}.txt"
done
# Process and combine
p0f -r *.pcap -o combined_results.txtNetwork Reconnaissance
Section titled “Network Reconnaissance”Map Network Segment
Section titled “Map Network Segment”# Monitor entire subnet passively
p0f -i eth0 'src 192.168.0.0/24' -o network_map.txt
# Detailed network profiling
p0f -i eth0 -vv 'src 10.0.0.0/8' -o detailed_scan.txt
# Long-term monitoring
nohup p0f -i eth0 'src 172.16.0.0/12' -o network_profile.txt &Detect Network Appliances
Section titled “Detect Network Appliances”# Identify firewalls and NAT
p0f -i eth0 -v | grep -i 'firewall\|appliance\|gateway'
# Find load balancers
p0f -i eth0 -v | grep -i 'load.balancer'
# Detect proxies
p0f -i eth0 -v | grep -i 'proxy'Map Internal Network
Section titled “Map Internal Network”# Passive network topology
p0f -i eth0 'src 10.0.0.0/8' -o topology.txt
# Analyze responses from internal systems
cat topology.txt | sort | uniq
# Identify system versions
grep -i "windows\|linux\|macos" topology.txt | wc -lBrowser and Client Identification
Section titled “Browser and Client Identification”Detect HTTP Clients
Section titled “Detect HTTP Clients”# Monitor HTTP traffic
p0f -i eth0 'tcp dst port 80'
# Identify browsers
p0f -i eth0 -v 'tcp dst port 80' | grep -i 'browser\|chrome\|firefox'
# User-agent analysis
p0f -i eth0 'tcp dst port 80' -o http_clients.txtApplication Fingerprinting
Section titled “Application Fingerprinting”# Identify mobile devices
p0f -i eth0 -v | grep -i 'iphone\|android\|mobile'
# Detect specific software
p0f -i eth0 -v | grep -E 'apache|nginx|iis'
# Version detection
p0f -i eth0 -v | grep -oP '(version|v)[0-9.]+'Advanced Analysis
Section titled “Advanced Analysis”Timing-Based Analysis
Section titled “Timing-Based Analysis”# Monitor TCP timing patterns
p0f -i eth0 -vv -o timing_analysis.txt
# Analyze TTL patterns
p0f -i eth0 -v | grep -i ttl
# Window size analysis
p0f -i eth0 -v | grep -i windowStatistical Analysis
Section titled “Statistical Analysis”# Fingerprint distribution
p0f -i eth0 -o stats.txt &
sleep 3600 # Run for 1 hour
# Analyze results
sort stats.txt | uniq -c | sort -rn
# Count by OS
grep -oP '(?<=: )[^ ]+' stats.txt | sort | uniq -cContinuous Monitoring
Section titled “Continuous Monitoring”# Long-term network profiling
p0f -i eth0 -u -o network_profile.log
# Monitor for changes
watch -n 60 'tail -20 network_profile.log'
# Alert on new OS detected
while IFS= read -r line; do
if ! grep -q "$line" previous.log; then
echo "New system: $line" | mail -s "p0f Alert" admin@example.com
fi
done < network_profile.logIntegration and Automation
Section titled “Integration and Automation”Log Analysis
Section titled “Log Analysis”# Extract unique systems
p0f -i eth0 -o results.txt &
sleep 300
sort results.txt | uniq > unique_systems.txt
# Combine with IDS alerts
cat p0f_results.txt snort_alerts.txt > combined_intelligence.txtCorrelation with Other Tools
Section titled “Correlation with Other Tools”# Combine with nmap
nmap -sn 192.168.1.0/24 > nmap_results.txt
p0f -i eth0 'src 192.168.1.0/24' > p0f_results.txt
# Cross-reference findings
diff <(cut -d: -f1 nmap_results.txt | sort) \
<(cut -d' ' -f1 p0f_results.txt | sort)Alert Generation
Section titled “Alert Generation”# Monitor for specific OS
p0f -i eth0 'src 192.168.1.0/24' |
grep -i "windows xp" && \
echo "Legacy OS detected!" | mail -s "Alert" admin@example.com
# Alert on anomalies
p0f -i eth0 -u -o current.log
diff baseline.log current.log | mail -s "Network Changes" admin@example.comPerformance Optimization
Section titled “Performance Optimization”Resource Management
Section titled “Resource Management”# Monitor resource usage
p0f -i eth0 &
ps aux | grep p0f
# Limit to high-priority traffic
p0f -i eth0 'tcp port 80 or tcp port 443 or tcp port 22'
# Reduce verbosity for lower overhead
p0f -q -i eth0 -o results.txtHigh-Performance Monitoring
Section titled “High-Performance Monitoring”# Use packet memory limit
p0f -m 100000 -i eth0
# Bond multiple interfaces
p0f -i eth0 -i eth1 -i eth2 -o combined.txt
# Background operation with low priority
nice -n 19 p0f -i eth0 -o results.txt &Troubleshooting
Section titled “Troubleshooting”Connection Issues
Section titled “Connection Issues”# Check interface status
p0f -i ?
# Verify permissions
sudo p0f -i eth0
# Test with pcap file
p0f -r sample.pcapNo Results
Section titled “No Results”# Increase verbosity
p0f -vv -i eth0
# Check for packet loss
p0f -i eth0 | head -20
# Verify filters
p0f -i eth0 'tcp' -vDatabase Problems
Section titled “Database Problems”# Check fingerprint file
ls -la /etc/p0f/
# Verify database syntax
p0f -D | head -20
# Use built-in database only
p0f -F /usr/share/p0f/p0f.fp -i eth0Best Practices
Section titled “Best Practices”Pre-Assessment Setup
Section titled “Pre-Assessment Setup”- Obtain authorization for network monitoring
- Document baseline system configurations
- Establish monitoring scope and duration
- Configure appropriate filters
- Verify target interface accessibility
Monitoring Strategy
Section titled “Monitoring Strategy”# Standard monitoring setup
sudo p0f -i eth0 \
-o p0f_$(date +%Y%m%d_%H%M%S).log \
-u \
-v
# Background daemon
sudo nohup p0f -i eth0 \
-o p0f_monitoring.log \
-s /tmp/p0f.sock \
> /dev/null 2>&1 &Data Management
Section titled “Data Management”# Organize results by date
mkdir -p p0f_results/$(date +%Y/%m/%d)
# Archive results
tar -czf p0f_$(date +%Y%m%d).tar.gz p0f_results/
# Rotate logs
find p0f_results/ -mtime +30 -exec gzip {} \;Legal and Ethical Considerations
Section titled “Legal and Ethical Considerations”p0f should only be used:
- On networks you own or have authorization to monitor
- For authorized security assessments
- In compliance with applicable laws
- Respecting privacy and data protection regulations
- With proper documentation and logging
Always maintain:
- Written authorization documentation
- Detailed activity logs
- Clear scope definition
- Professional ethical standards
- Confidentiality of findings
Resources
Section titled “Resources”- Official GitHub: https://github.com/lcamtuf/p0f
- p0f documentation
- TCP/IP stack fingerprinting theory
- Network traffic analysis guides
- Passive reconnaissance methodology