p0f
p0f is a passive OS fingerprinting tool that identifies operating systems and network characteristics of remote systems by analyzing network traffic without active probing. It determines system types, versions, and details through observation of TCP/IP stack implementation quirks and timing patterns.
Installation
Seção intitulada “Installation”Linux Installation
Seção intitulada “Linux Installation”# Debian/Ubuntu
sudo apt-get install p0f
# Fedora/RHEL
sudo dnf install p0f
# Arch Linux
sudo pacman -S p0f
# From source
git clone https://github.com/lcamtuf/p0f.git
cd p0f
./build.sh
sudo ./install.shmacOS Installation
Seção intitulada “macOS Installation”# Using Homebrew
brew install p0f
# From source
git clone https://github.com/lcamtuf/p0f.git
cd p0f
./build.sh
sudo ./install.shVerify Installation
Seção intitulada “Verify Installation”p0f -V
p0f --help
which p0fCore Concepts
Seção intitulada “Core Concepts”Fingerprinting Methods
Seção intitulada “Fingerprinting Methods”- TCP SYN packet analysis: Window size, flags, MSS, TTL patterns
- HTTP request analysis: User-agent strings, header order, implementation details
- ICMP probe response: TTL, DF bit, payload handling
- TCP RST/FIN patterns: Response timing and sequencing
- MTU/window scaling detection: Network configuration inference
Information Gathered
Seção intitulada “Information Gathered”- Operating system family and version
- Network appliances and firewalls
- Browser identification
- Network topology hints
- System uptime estimation
Basic Operation
Seção intitulada “Basic Operation”Simple Passive Monitoring
Seção intitulada “Simple Passive Monitoring”# Monitor on default interface
p0f
# Monitor specific interface
p0f -i eth0
# List available interfaces
p0f -i ?Monitoring with Output
Seção intitulada “Monitoring with Output”# Monitor and save results
p0f -i eth0 -o p0f_results.txt
# Monitor with detailed output
p0f -i eth0 -d
# Monitor on multiple interfaces
p0f -i eth0 & p0f -i wlan0 &Background Operation
Seção intitulada “Background Operation”# Run as daemon
p0f -i eth0 -o p0f_results.txt &
# Detached with nohup
nohup p0f -i eth0 -o p0f_results.txt > /dev/null 2>&1 &
# Query running daemon
p0fqTraffic Analysis
Seção intitulada “Traffic Analysis”Analyze Specific Hosts
Seção intitulada “Analyze Specific Hosts”# Monitor specific source IP
p0f -i eth0 -o results.txt 'src 192.168.1.100'
# Monitor specific destination
p0f -i eth0 'dst 10.0.0.0/8'
# Monitor subnet
p0f -i eth0 'src 192.168.1.0/24'Filter by Protocol
Seção intitulada “Filter by Protocol”# TCP traffic only
p0f -i eth0 'tcp'
# UDP traffic analysis
p0f -i eth0 'udp'
# ICMP echo requests
p0f -i eth0 'icmp[icmptype] == icmp-echo'Advanced Filtering
Seção intitulada “Advanced Filtering”# TCP SYN packets only
p0f -i eth0 'tcp[tcpflags] & tcp-syn == tcp-syn'
# Monitor specific port
p0f -i eth0 'dst port 80'
# Monitor port range
p0f -i eth0 'dst portrange 1024-65535'
# Complex filter
p0f -i eth0 '(tcp dst port 80 or tcp dst port 443) and src 10.0.0.0/8'Fingerprint Database
Seção intitulada “Fingerprint Database”View Fingerprints
Seção intitulada “View Fingerprints”# Show all known fingerprints
p0f -D
# List by OS category
p0f -D | grep -i "linux"
# Count fingerprints
p0f -D | wc -lUpdate Fingerprint Database
Seção intitulada “Update Fingerprint Database”# Check current database
p0f -D | head -20
# Download latest fingerprints
cd /etc/p0f
git clone https://github.com/lcamtuf/p0f.git
cp p0f/p0f.fp .
# Reload with custom database
p0f -F custom_fingerprints.fp -i eth0Custom Fingerprints
Seção intitulada “Custom Fingerprints”# Load custom fingerprint file
p0f -F my_fingerprints.fp -i eth0
# Multiple databases
p0f -F db1.fp -F db2.fp -i eth0
# Create custom entry format:
# [class] label = OS details
# s = SYN packet
# syn = SYN+ACK responseOutput Modes
Seção intitulada “Output Modes”Standard Output
Seção intitulada “Standard Output”# Verbose mode
p0f -v -i eth0
# Very verbose
p0f -vv -i eth0
# Quiet mode (minimal output)
p0f -q -i eth0File Output
Seção intitulada “File Output”# Write to file
p0f -i eth0 -o analysis.txt
# Append to file
p0f -i eth0 -o analysis.txt -a
# CSV-style output
p0f -i eth0 -o analysis.csv
# Continuous append mode
p0f -i eth0 -o results.log -uJSON Output
Seção intitulada “JSON Output”# JSON formatted output
p0f -i eth0 -o results.json
# Pretty JSON
p0f -i eth0 -o results.json -jDatabase-Driven Analysis
Seção intitulada “Database-Driven Analysis”Query Running Instance
Seção intitulada “Query Running Instance”# Query p0f daemon
p0fq
# Query specific host from database
p0fq -Q 192.168.1.100
# List all known hosts
p0fq -l
# Show statistics
p0fq -sDatabase Management
Seção intitulada “Database Management”# Use custom database file
p0f -s /tmp/p0f.sock -i eth0
# Query custom socket
p0fq -Q 192.168.1.100 -s /tmp/p0f.sock
# Export database
p0fq -d > p0f_database.txtPcap File Analysis
Seção intitulada “Pcap File Analysis”Analyze Packet Captures
Seção intitulada “Analyze Packet Captures”# Read pcap file
p0f -r capture.pcap
# Process multiple files
p0f -r capture1.pcap -r capture2.pcap
# Output to file
p0f -r capture.pcap -o fingerprints.txtGenerate Pcap Files
Seção intitulada “Generate Pcap Files”# Capture traffic for later analysis
tcpdump -i eth0 -w traffic.pcap
# Filter and save
tcpdump -i eth0 -w filtered.pcap 'tcp[tcpflags] & tcp-syn == tcp-syn'
# Analyze captured data
p0f -r filtered.pcap -vBatch Processing
Seção intitulada “Batch Processing”# Process pcap directory
for file in *.pcap; do
p0f -r "$file" -o "results_${file%.pcap}.txt"
done
# Process and combine
p0f -r *.pcap -o combined_results.txtNetwork Reconnaissance
Seção intitulada “Network Reconnaissance”Map Network Segment
Seção intitulada “Map Network Segment”# Monitor entire subnet passively
p0f -i eth0 'src 192.168.0.0/24' -o network_map.txt
# Detailed network profiling
p0f -i eth0 -vv 'src 10.0.0.0/8' -o detailed_scan.txt
# Long-term monitoring
nohup p0f -i eth0 'src 172.16.0.0/12' -o network_profile.txt &Detect Network Appliances
Seção intitulada “Detect Network Appliances”# Identify firewalls and NAT
p0f -i eth0 -v | grep -i 'firewall\|appliance\|gateway'
# Find load balancers
p0f -i eth0 -v | grep -i 'load.balancer'
# Detect proxies
p0f -i eth0 -v | grep -i 'proxy'Map Internal Network
Seção intitulada “Map Internal Network”# Passive network topology
p0f -i eth0 'src 10.0.0.0/8' -o topology.txt
# Analyze responses from internal systems
cat topology.txt | sort | uniq
# Identify system versions
grep -i "windows\|linux\|macos" topology.txt | wc -lBrowser and Client Identification
Seção intitulada “Browser and Client Identification”Detect HTTP Clients
Seção intitulada “Detect HTTP Clients”# Monitor HTTP traffic
p0f -i eth0 'tcp dst port 80'
# Identify browsers
p0f -i eth0 -v 'tcp dst port 80' | grep -i 'browser\|chrome\|firefox'
# User-agent analysis
p0f -i eth0 'tcp dst port 80' -o http_clients.txtApplication Fingerprinting
Seção intitulada “Application Fingerprinting”# Identify mobile devices
p0f -i eth0 -v | grep -i 'iphone\|android\|mobile'
# Detect specific software
p0f -i eth0 -v | grep -E 'apache|nginx|iis'
# Version detection
p0f -i eth0 -v | grep -oP '(version|v)[0-9.]+'Advanced Analysis
Seção intitulada “Advanced Analysis”Timing-Based Analysis
Seção intitulada “Timing-Based Analysis”# Monitor TCP timing patterns
p0f -i eth0 -vv -o timing_analysis.txt
# Analyze TTL patterns
p0f -i eth0 -v | grep -i ttl
# Window size analysis
p0f -i eth0 -v | grep -i windowStatistical Analysis
Seção intitulada “Statistical Analysis”# Fingerprint distribution
p0f -i eth0 -o stats.txt &
sleep 3600 # Run for 1 hour
# Analyze results
sort stats.txt | uniq -c | sort -rn
# Count by OS
grep -oP '(?<=: )[^ ]+' stats.txt | sort | uniq -cContinuous Monitoring
Seção intitulada “Continuous Monitoring”# Long-term network profiling
p0f -i eth0 -u -o network_profile.log
# Monitor for changes
watch -n 60 'tail -20 network_profile.log'
# Alert on new OS detected
while IFS= read -r line; do
if ! grep -q "$line" previous.log; then
echo "New system: $line" | mail -s "p0f Alert" admin@example.com
fi
done < network_profile.logIntegration and Automation
Seção intitulada “Integration and Automation”Log Analysis
Seção intitulada “Log Analysis”# Extract unique systems
p0f -i eth0 -o results.txt &
sleep 300
sort results.txt | uniq > unique_systems.txt
# Combine with IDS alerts
cat p0f_results.txt snort_alerts.txt > combined_intelligence.txtCorrelation with Other Tools
Seção intitulada “Correlation with Other Tools”# Combine with nmap
nmap -sn 192.168.1.0/24 > nmap_results.txt
p0f -i eth0 'src 192.168.1.0/24' > p0f_results.txt
# Cross-reference findings
diff <(cut -d: -f1 nmap_results.txt | sort) \
<(cut -d' ' -f1 p0f_results.txt | sort)Alert Generation
Seção intitulada “Alert Generation”# Monitor for specific OS
p0f -i eth0 'src 192.168.1.0/24' |
grep -i "windows xp" && \
echo "Legacy OS detected!" | mail -s "Alert" admin@example.com
# Alert on anomalies
p0f -i eth0 -u -o current.log
diff baseline.log current.log | mail -s "Network Changes" admin@example.comPerformance Optimization
Seção intitulada “Performance Optimization”Resource Management
Seção intitulada “Resource Management”# Monitor resource usage
p0f -i eth0 &
ps aux | grep p0f
# Limit to high-priority traffic
p0f -i eth0 'tcp port 80 or tcp port 443 or tcp port 22'
# Reduce verbosity for lower overhead
p0f -q -i eth0 -o results.txtHigh-Performance Monitoring
Seção intitulada “High-Performance Monitoring”# Use packet memory limit
p0f -m 100000 -i eth0
# Bond multiple interfaces
p0f -i eth0 -i eth1 -i eth2 -o combined.txt
# Background operation with low priority
nice -n 19 p0f -i eth0 -o results.txt &Troubleshooting
Seção intitulada “Troubleshooting”Connection Issues
Seção intitulada “Connection Issues”# Check interface status
p0f -i ?
# Verify permissions
sudo p0f -i eth0
# Test with pcap file
p0f -r sample.pcapNo Results
Seção intitulada “No Results”# Increase verbosity
p0f -vv -i eth0
# Check for packet loss
p0f -i eth0 | head -20
# Verify filters
p0f -i eth0 'tcp' -vDatabase Problems
Seção intitulada “Database Problems”# Check fingerprint file
ls -la /etc/p0f/
# Verify database syntax
p0f -D | head -20
# Use built-in database only
p0f -F /usr/share/p0f/p0f.fp -i eth0Best Practices
Seção intitulada “Best Practices”Pre-Assessment Setup
Seção intitulada “Pre-Assessment Setup”- Obtain authorization for network monitoring
- Document baseline system configurations
- Establish monitoring scope and duration
- Configure appropriate filters
- Verify target interface accessibility
Monitoring Strategy
Seção intitulada “Monitoring Strategy”# Standard monitoring setup
sudo p0f -i eth0 \
-o p0f_$(date +%Y%m%d_%H%M%S).log \
-u \
-v
# Background daemon
sudo nohup p0f -i eth0 \
-o p0f_monitoring.log \
-s /tmp/p0f.sock \
> /dev/null 2>&1 &Data Management
Seção intitulada “Data Management”# Organize results by date
mkdir -p p0f_results/$(date +%Y/%m/%d)
# Archive results
tar -czf p0f_$(date +%Y%m%d).tar.gz p0f_results/
# Rotate logs
find p0f_results/ -mtime +30 -exec gzip {} \;Legal and Ethical Considerations
Seção intitulada “Legal and Ethical Considerations”p0f should only be used:
- On networks you own or have authorization to monitor
- For authorized security assessments
- In compliance with applicable laws
- Respecting privacy and data protection regulations
- With proper documentation and logging
Always maintain:
- Written authorization documentation
- Detailed activity logs
- Clear scope definition
- Professional ethical standards
- Confidentiality of findings
Resources
Seção intitulada “Resources”- Official GitHub: https://github.com/lcamtuf/p0f
- p0f documentation
- TCP/IP stack fingerprinting theory
- Network traffic analysis guides
- Passive reconnaissance methodology