p0f

p0f [options] [filter]

p0f is a passive OS, application, and link-type fingerprinter. It listens to TCP/IP traffic without sending any packets and infers the remote operating system, MTU/uplink, NAT presence, and approximate uptime from quirks of the SYN, SYN+ACK, and HTTP traffic it observes.Because it never probes the target, p0f is invisible on the wire and well-suited to forensic analysis of pcaps, fingerprinting visitors of a public-facing service, and detecting policy violations such as un-NATted devices behind a firewall.

-i INTERFACE

Listen on the named network interface.

Read packets from a pcap capture file instead of a live interface.

Append fingerprinting results to FILE (text log).

Write captured packets to a new pcap file (similar to tcpdump -w).

Listen on PATH as a Unix domain socket for API queries.

Run as a daemon in the background. Requires -o or -s.

Drop privileges to USER after opening the capture interface.

Put the interface into promiscuous mode.

Use FILE as the fingerprint database (default: /etc/p0f/p0f.fp).

Set the max number of concurrent API connections.

Restrict output by chrooting to DIR.

List available capture interfaces and exit.

Display help information.

Needs raw socket / CAP_NET_RAW access (or root). Detection quality depends on having a current p0f.fp signature database. p0f v3 is a rewrite that does not read v2 fingerprint files; ensure the bundled fingerprints match the binary version.

p0f was created by Michal Zalewski for passive TCP/IP stack fingerprinting.

nmap(1), tcpdump(1), wireshark(1)