p0f
 | This article needs additional citations for verification. (April 2010) |
 The p0f command | |
| Developer(s) | Michał Zalewski |
|---|---|
| Stable release | 3.09b
/ 18 April 2016 |
| Written in | C |
| Operating system | Linux, Macintosh, Microsoft Windows |
| Type | TCP/IP stack fingerprinting |
| Website | lcamtuf |
p0f is a passive TCP/IP stack fingerprinting tool. p0f can attempt to identify the system running on machines that send network traffic to the box it is running on, or to a machine that shares a medium with the machine it is running on. p0f can also assist in analysing other aspects of the remote system.
Overview[edit]
By inspecting network traffic passively, p0f can attempt to identify the operating systems on remote machines that send TCP packets to the detecting machine's network interface, or to a physical subnet that the detecting machine can listen on.[1] Since version 3, p0f is also able to deduce aspects of the remote system by inspecting application-level HTTP messages.[1]
p0f can also check for firewall presence. It can estimate the distance to a remote system and calculate its uptime. It also guesses the remote system's means of connecting to the network (DSL, OC3, etc.).[1]
Unlike tools like nmap, p0f does not generate traffic.[1] Instead, it determines the operating system of the remote host by analyzing certain fields in the captured packets. This can have benefits in environments where actively creating network traffic would cause unhelpful side effects. In particular, the remote system will not be able to detect the packet capture and inspection.
Usage[edit]
Signatures used for packet inspection are stored in a simple text file.[2] This allows them to be modified without recompiling p0f. The user is allowed to use a different fingerprinting file by selecting another one at run time.
p0f does not use a graphical user interface: it is run from the command line prompt.