LinuxCommandLibrary

p0f

Identify operating system and software versions passively

SYNOPSIS

p0f [ -i interface ] [ -r file ] [ -s file ] [ -o file ] [ -M count ] [ -F file ] [ -c size ] [ -N ] [ -L ] [ -u user ] [ -P file ] [ -C file ] [ -v ] [ -h ]

PARAMETERS

-i interface
    Specifies the network interface to listen on for live packet capture.

-r file
    Reads packets from the specified pcap file instead of a live interface.

-s file
    Reads a previously saved p0f state file, allowing for continuation of analysis.

-o file
    Writes the output to the specified file instead of standard output.

-M count
    Sets the maximum number of concurrent connections p0f will track.

-F file
    Loads configuration directives from the specified file.

-c size
    Sets the maximum size of the fingerprint cache in number of entries.

-N
    Disables promiscuous mode on the listening interface. Use with caution as it may miss packets.

-L
    Disables MAC address lookups, useful for speeding up processing or when MAC data is not needed.

-u user
    Drops root privileges after initialization and runs as the specified user.

-P file
    Persists current state to the specified file upon exit, which can be reloaded later with -s.

-C file
    Loads custom fingerprint signatures from the specified file, extending p0f's detection capabilities.

-v
    Enables verbose output, showing more details about packets and internal operations.

-h
    Displays the help message and exits.

DESCRIPTION

p0f is a versatile passive OS fingerprinting tool that identifies the operating system, its type, and sometimes the application software (e.g., HTTP user agent, SSH version) of remote hosts. It works by passively observing network traffic and analyzing subtle variations in TCP/IP stack implementations, HTTP headers, SSH banners, and other application-level data. Unlike active scanners, p0f sends no packets of its own, so the observed hosts have nothing to detect.

It's highly valuable for network reconnaissance, security audits, incident response, and understanding network composition without generating network noise. p0f can also detect NAT devices, load balancers, and identify connection types, relying on an extensive database of signatures to provide accurate, real-time insights into network participants.
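To make the "subtle variations in TCP/IP stack implementations" concrete, here is an added example (not code from the original page or from the p0f project): a minimal passive SYN fingerprinter that pulls out the fields p0f compares, namely the guessed initial TTL, the DF bit, the window size relative to MSS, the window scale, and the TCP option layout, and looks the resulting signature up in a small table. The packet bytes, the `build_syn` helper and the two-entry `SIGS` table are constructed for illustration and are not p0f's real `p0f.fp` database.

```python
import struct

def build_syn(ttl, df, window, options):
    """Assemble a bare IPv4 + TCP SYN packet (constructed input; checksums left zero)."""
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options

def syn_signature(pkt):
    """Reduce a SYN to 'ittl:mss:wsize,wscale:olayout:quirks' (simplified p0f-style)."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    ttl = pkt[8]
    ittl = next(t for t in (32, 64, 128, 255) if ttl <= t)  # round up to a common initial TTL
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i, layout, mss, wscale = tcp[20:doff], 0, [], 0, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            layout.append("eol"); break
        if kind == 1:                       # NOP padding, single byte
            layout.append("nop"); i += 1; continue
        length = opts[i + 1]
        if kind == 2: mss = struct.unpack("!H", opts[i + 2:i + 4])[0]; layout.append("mss")
        elif kind == 3: wscale = opts[i + 2]; layout.append("ws")
        elif kind == 4: layout.append("sok")
        elif kind == 8: layout.append("ts")
        else: layout.append("?%d" % kind)
        i += length
    # p0f expresses the window as a multiple of MSS when it divides evenly
    wsize = "mss*%d" % (window // mss) if mss and window % mss == 0 else str(window)
    return "%d:%d:%s,%d:%s:%s" % (ittl, mss, wsize, wscale, ",".join(layout), "df" if df else "")

# Constructed, illustrative signature table (labels are assumptions, not p0f's database).
SIGS = {
    "64:1460:mss*20,7:mss,sok,ts,nop,ws:df": "Linux-like stack (constructed label)",
    "128:1460:8192,8:mss,nop,ws,nop,nop,sok:df": "Windows-like stack (constructed label)",
}

def guess_os(pkt):
    return SIGS.get(syn_signature(pkt), "unknown")

# Two constructed SYNs: MSS 1460, SACK-OK, timestamps, NOP, WS 7 vs. MSS, NOP, WS 8, NOP, NOP, SACK-OK.
LINUX_SYN = build_syn(64, True, 29200, bytes([2, 4, 5, 0xb4, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 7]))
WINDOWS_SYN = build_syn(128, True, 8192, bytes([2, 4, 5, 0xb4, 1, 3, 3, 8, 1, 1, 4, 2]))
```

Feeding the same function a SYN that has passed through a NAT or proxy that rewrites TTL, MSS or options shows why the CAVEATS section applies: the signature string changes and the lookup falls back to "unknown".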

CAVEATS

Passive OS fingerprinting is not always 100% accurate; it can be affected by network middleboxes (NATs, proxies, firewalls) that modify packet headers, or by highly customized TCP/IP stacks. Accuracy also depends on an up-to-date signature database. Running p0f for live capture usually requires root privileges or appropriate capabilities.

OUTPUT FORMAT

p0f outputs detailed information for each identified connection, typically including:

cli / srv
    Denotes whether the fingerprinted host is the client or the server.

ID
    Unique connection identifier.

src / dst
    Source and destination IP addresses and ports.

os
    Operating system and version.

dist
    IP distance (number of hops).

uptime
    Estimated system uptime.

raw_mtu
    Reported MTU.

link
    Link type (e.g., Ethernet, PPP).

p0f_info
    Additional details such as NAT detection, load balancer, or specific application versions.

HISTORY

p0f was originally developed by Michał Zalewski (lcamtuf), with the first version appearing around 2000. It quickly gained recognition for its innovative passive fingerprinting approach. Version 2 was a significant rewrite that improved on its predecessor. The current stable version, p0f v3, released in 2012, is another complete rewrite from scratch; it significantly improved accuracy and performance and extended the tool to application-level fingerprinting (such as HTTP and SSH). It continues to be a go-to tool for stealthy network intelligence.

SEE ALSO

nmap(1), tcpdump(8), wireshark(1), tshark(1)
