Copyright (C) 2000-2014 by Michal Zalewski <lcamtuf@coredump.cx>
P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
Some of p0f's capabilities include:
Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection - especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms.
Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.
Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.
Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.
The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to.
Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.
You can read more about its design and operation in this document. In one form or another, earlier versions of p0f are used in a wide variety of projects, including pfsense, Ettercap, PRADS, amavisd, milter, postgrey, fwknop, Satori, the OpenBSD firewall, and an assortment of commercial tools.
Fun fact: The idea for p0f dates back to June 10, 2000. Today, almost all applications that do passive OS fingerprinting either simply reuse p0f for TCP-level checks (Ettercap, Disco, PRADS, Satori), or use inferior approaches that, for example, pay no attention to the intricate relationship between a host's window size and MTU (SinFP).
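To show what a single SYN actually carries for passive fingerprinting, and the window-size/MSS relationship mentioned above, here is an added example that is not part of p0f: it parses a constructed, Linux-like IPv4/TCP SYN and extracts the fields a p0f-style TCP signature is built from. The option short names and the initial-TTL rounding follow p0f's conventions as I understand them; the sample bytes are constructed, not a capture.

```python
import struct

# Constructed sample (not a real capture): IPv4/TCP SYN shaped like a modern Linux
# client. DF set, TTL 64, window 29200 = 20 * MSS 1460, options mss,sok,ts,nop,ws.
SAMPLE_SYN = bytes.fromhex(
    "4500003c" "1a2b4000" "4006" "0000" "c0a80164" "5db8d822"       # IPv4 header
    "c3500050" "12345678" "00000000" "a002" "7210" "0000" "0000"    # TCP header (SYN)
    "020405b4" "0402" "080a0001e24000000000" "01" "030307"          # TCP options
)

# p0f-style short names for TCP option kinds (assumed mapping for this example).
OPT_NAMES = {2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (32/64/128/255);
    the difference from the observed TTL is the hop distance estimate."""
    return next((g for g in (32, 64, 128, 255) if observed <= g), 255)

def fingerprint_syn(pkt):
    """Extract the fingerprint-relevant header fields from a raw IPv4+TCP SYN."""
    ver_ihl, _tos, _tlen, _ident, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled here")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    doff_flags, win = struct.unpack("!HH", tcp[12:16])
    flags = doff_flags & 0x1FF
    if not flags & 0x02 or flags & 0x10:           # want SYN without ACK
        raise ValueError("not a bare SYN")
    opts = tcp[20:(doff_flags >> 12) * 4]
    layout, mss, wscale, i = [], None, None, 0
    while i < len(opts):                            # walk the option list in order
        kind = opts[i]
        if kind == 0:
            layout.append("eol"); break
        if kind == 1:
            layout.append("nop"); i += 1; continue
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2: mss = struct.unpack("!H", body)[0]
        if kind == 3: wscale = body[0]
        layout.append(OPT_NAMES.get(kind, "?%d" % kind))
        i += length
    # The raw window varies per host; a window that is an exact multiple of MSS is
    # far more stable, so express it as mss*N when that relationship holds.
    wsize = "mss*%d" % (win // mss) if mss and win % mss == 0 else str(win)
    return {"ittl": initial_ttl(ttl), "dist": initial_ttl(ttl) - ttl,
            "df": bool(frag & 0x4000), "mss": mss, "wsize": wsize,
            "wscale": wscale, "olayout": ",".join(layout)}
```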
A snippet of typical p0f output may look like this:
Yup: click here to download the current release (3.09b), or here to browse older releases, including 2.0.x and 1.8.x.
Please keep in mind that p0f v3 is a complete rewrite of the original tool, including a brand new database of signatures. We are starting from scratch, so especially for the first few releases, please be sure to submit new signatures and report bugs with special zeal! I am particularly interested in:
TCP SYN ("who is connecting to me?") signatures for a variety of systems - especially from some of the older, more exotic, or more specialized platforms, such as Windows 9x, NetBSD, IRIX, Playstation, Cisco IOS, etc. To do this, you simply need to attempt to establish a connection to a box running p0f. The connection does not need to succeed.
TCP SYN+ACK signatures ("who am I connecting to?"). The current database is minimal, so all contributions are welcome. To collect these signatures, you need to compile the supplied p0f-sendsyn tool, and then use it to initiate a connection to an open port on a remote host; see README for more.
HTTP request signatures - especially for older or more exotic browsers (e.g. MSIE5, mobile devices, gaming consoles), crawlers, command-line tools, and libraries. To collect a signature, you can run p0f on the client system itself, or on the web server it talks to.
HTTP response signatures. P0f ships with a minimal database here (only Apache 2.x has any real coverage). Signatures are best collected for three separate cases: several minutes of casual browsing with a modern browser; a request with curl; and another one with wget.
I had a demo set up here, but now that my server is behind a load balancer, it's no longer working - sorry.
Please submit questions, comments, patches, signatures, and chocolate to <lcamtuf@coredump.cx>. You can also follow me on Mastodon or Twitter. For other features, check out my homepage.