p0f
Identify operating system and software versions passively
SYNOPSIS
p0f [options] [filter]
PARAMETERS
-h
Show help and usage information.
-o
Write statistics to the specified file.
-Q
Write connection history to the specified file.
-d
Daemon mode; detach from terminal.
-s
Snaplen; truncate captured packets after the specified number of bytes.
-i
Listen on the specified interface.
-r
Read packets from the specified pcap file.
-p
Promiscuous mode.
-u
Drop privileges to the specified user.
-g
Drop privileges to the specified group.
-Z
Disable compiler optimizations.
-v
Verbose mode (can be used multiple times).
-x
Explain mode.
[filter]
Berkeley Packet Filter (BPF) expression to filter traffic.
DESCRIPTION
p0f is a versatile passive OS fingerprinting tool. Instead of actively probing a system, p0f passively analyzes network traffic, primarily TCP SYN packets, to identify the operating system, kernel version, and even the distance (TTL hops) to the remote host. It operates without generating any network traffic itself, making it stealthy and suitable for network monitoring and security analysis. p0f is particularly useful for identifying devices that may be disguising their true OS or for understanding the diversity of devices on a network.
It works by examining a variety of TCP header fields, including MSS, window size, TTL, and options. p0f compares these characteristics against a database of known OS fingerprints.
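The following is an added example, not p0f's own code or signature database: it parses a constructed IPv4/TCP SYN packet, pulls out the fields listed above (TTL, window size, MSS, option order), estimates hop distance from the TTL, and matches the result against a small signature table whose entries are illustrative assumptions.

```python
import struct

# Constructed, illustrative signature table (NOT p0f's real database):
# (initial TTL, window size, MSS, TCP option order) -> label
SIGNATURES = {
    (64, 29200, 1460, ("mss", "sackok", "ts", "nop", "ws")): "hypothetical Linux-like stack",
    (64, 65535, 1460, ("mss", "nop", "ws", "sackok", "eol")): "hypothetical BSD-like stack",
    (128, 8192, 1460, ("mss", "nop", "ws", "nop", "nop", "sackok")): "hypothetical Windows-like stack",
}
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sackok", 8: "ts"}

def parse_syn(pkt):
    """Extract the fingerprint-relevant fields from a raw IPv4/TCP SYN (no checksum validation)."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    ttl = pkt[8]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4          # TCP header length incl. options
    if tcp[13] & 0x12 != 0x02:         # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    win = struct.unpack("!H", tcp[14:16])[0]
    opts, mss, i = [], None, 20
    while i < doff:                    # walk the option list in order
        kind = tcp[i]
        opts.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if kind == 2:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += tcp[i + 1]
    return {"ttl": ttl, "win": win, "mss": mss, "opts": tuple(opts)}

def fingerprint(pkt):
    """Match parsed fields against SIGNATURES and estimate hop distance from the TTL."""
    f = parse_syn(pkt)
    # Each router hop decrements TTL by one; round up to the nearest common
    # initial TTL (64/128/255) to estimate how far away the sender is.
    initial = next(t for t in (64, 128, 255) if t >= f["ttl"])
    label = SIGNATURES.get((initial, f["win"], f["mss"], f["opts"]), "unknown")
    return {"os": label, "distance": initial - f["ttl"], **f}

def build_syn(ttl, win, opts_blob):
    """Construct a sample IPv4/TCP SYN with the given TTL, window and options (checksums left zero)."""
    tcp_len = 20 + len(opts_blob)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, win, 0, 0) + opts_blob
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

# Constructed sample: Linux-like option order, sent from 6 hops away (TTL 64 - 6).
LINUX_LIKE_OPTS = (struct.pack("!BBH", 2, 4, 1460) + bytes([4, 2])
                   + struct.pack("!BBII", 8, 10, 12345, 0) + bytes([1, 3, 3, 7]))
SAMPLE_SYN = build_syn(ttl=58, win=29200, opts_blob=LINUX_LIKE_OPTS)
```

Running `fingerprint(SAMPLE_SYN)` reports the Linux-like label with a distance of 6; any host whose SYN fields disagree with the OS it is expected to run is the kind of mismatch a monitoring deployment of p0f is meant to surface.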
p0f can also fingerprint HTTP traffic, extracting details about the browser, installed plugins, and the platform used. This lets p0f identify the device used with a high degree of accuracy.
CAVEATS
The accuracy of p0f depends heavily on the quality and completeness of its signature database. It might not be able to accurately identify very new or rare operating systems. Also, systems using TCP stack hardening or other obfuscation techniques can evade detection.
UNDERSTANDING P0F OUTPUT
p0f provides detailed information about each connection it fingerprints, including the OS name, version, link type, and distance. The output format may vary slightly depending on the version of p0f used. Pay attention to the 'uptime' field, which indicates how long the system has been running (estimated from TCP timestamps). This information can be valuable in assessing system stability and identifying potential reboots.
BPF FILTERS
The optional BPF filter argument allows you to restrict p0f's analysis to specific types of traffic. For example, you can use 'tcp port 80' to analyze only HTTP traffic or 'host 192.168.1.100' to analyze traffic to/from a specific host. Using BPF filters can improve performance and reduce the amount of output generated by p0f.
HISTORY
p0f was originally developed by Michal Zalewski (lcamtuf) and has been maintained and updated by various contributors over time. It quickly gained popularity within the security community due to its passive nature and effectiveness in identifying operating systems. The tool has been continuously improved to incorporate new signatures and adapt to evolving TCP/IP stack implementations.