URL: https://en.wikipedia.org/wiki/P0f

p0f - Wikipedia


From Wikipedia, the free encyclopedia
Passive TCP/IP stack fingerprinting tool

p0f is a passive TCP/IP stack fingerprinting tool developed by Michał Zalewski. It is used to identify characteristics of remote hosts by observing existing network traffic, rather than by sending active probes to the target system.[1]

p0f
Image caption: The p0f command
Developer: Michał Zalewski
Stable release: 3.09b[2] / 18 April 2016[3]
Written in: C
Operating system: Linux, FreeBSD, OpenBSD, macOS, Microsoft Windows
Type: TCP/IP stack fingerprinting, network security
License: LGPL-2.1-only[2]
Website: lcamtuf.coredump.cx/p0f3/

Overview


p0f works by inspecting fields in captured IP and TCP packets. For TCP/IP traffic, it examines information such as the initial TTL, maximum segment size, TCP option ordering, window size and other implementation-specific properties of network packets.[1] These values are compared with entries in a fingerprint database in order to infer the likely operating system or software that generated the traffic.[1]
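The matching step described above, as an added example that is not p0f's own code: a small Python passive fingerprinter that parses a raw IPv4/TCP SYN, extracts the fields the article lists (observed TTL rounded up to a likely initial TTL, MSS, window size, option ordering, DF bit), and compares them against a constructed signature table written in a cut-down form of the p0f v3 `sig` line (`ittl:mss:wsize:olayout:df`). The signatures, the "Linux-like"/"Windows-like"/"macOS-like" labels, the sample packets and the `build_syn`/`parse_syn`/`match`/`fingerprint` names are all assumptions made for this example, not entries copied from p0f.fp.

```python
import socket
import struct
from typing import List, Optional

# Constructed sample signatures in a simplified p0f-style form
# (ittl:mss:wsize:olayout:df) -> label. Illustrative only, not from p0f.fp.
SIGNATURES = [
    ("64:*:mss*20:mss,sok,ts,nop,ws:df", "Linux-like"),
    ("128:*:8192:mss,nop,ws,nop,nop,sok:df", "Windows-like"),
    ("64:*:65535:mss,nop,ws,nop,nop,ts,sok,eol:df", "macOS-like"),
]
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}


class SynFeatures:
    """The SYN properties a passive observer can read without sending anything."""

    def __init__(self, ttl: int, df: bool, mss: Optional[int], wsize: int,
                 wscale: Optional[int], olayout: List[str]):
        self.ttl, self.df, self.mss = ttl, df, mss
        self.wsize, self.wscale, self.olayout = wsize, wscale, olayout

    @property
    def ittl(self) -> int:
        # Guess the initial TTL: the next common default at or above the observed value.
        return next(t for t in (32, 64, 128, 255) if t >= self.ttl)

    @property
    def distance(self) -> int:
        return self.ittl - self.ttl      # hops between the sender and the sniffer


def parse_syn(pkt: bytes) -> SynFeatures:
    ver_ihl, _, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled in this example")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _, _, _, _, off_flags, wsize = struct.unpack("!HHIIHH", tcp[:16])
    if (off_flags & 0x3F) != 0x02:       # bare SYN: first packet of the handshake
        raise ValueError("not a bare SYN")
    opts = tcp[20:(off_flags >> 12) * 4]
    mss = wscale = None
    olayout: List[str] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # EOL ends the option list
            olayout.append("eol")
            break
        if kind == 1:                    # NOP is a single byte
            olayout.append("nop")
            i += 1
            continue
        # Reject truncated or malformed options instead of reading past the buffer.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            wscale = body[0]
        olayout.append(OPT_NAMES.get(kind, "?%d" % kind))
        i += length
    return SynFeatures(ttl, bool(flags_frag & 0x4000), mss, wsize, wscale, olayout)


def match(f: SynFeatures) -> Optional[str]:
    for sig, label in SIGNATURES:
        ittl, mss, wsize, olayout, df = sig.split(":")
        if int(ittl) != f.ittl or (df == "df") != f.df:
            continue
        if mss != "*" and f.mss != int(mss):
            continue
        if wsize.startswith("mss*"):     # window expressed as a multiple of MSS
            if f.mss is None or f.wsize != f.mss * int(wsize[4:]):
                continue
        elif wsize != "*" and f.wsize != int(wsize):
            continue
        if olayout.split(",") != f.olayout:
            continue
        return label
    return None


def fingerprint(pkt: bytes) -> dict:
    f = parse_syn(pkt)
    return {"os": match(f), "distance": f.distance, "ittl": f.ittl, "olayout": f.olayout}


def build_syn(ttl: int, df: bool, wsize: int, opts: bytes) -> bytes:
    """Constructed IPv4+TCP SYN for testing; checksums are left zero and never checked."""
    off_flags = ((20 + len(opts)) // 4) << 12 | 0x02
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, wsize, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"))
    return ip + tcp


SAMPLE_PACKETS = {   # constructed: TTL 64 minus three hops / TTL 128 minus eleven hops
    "linux": build_syn(61, True, 29200,
                       b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"),
    "windows": build_syn(117, True, 8192, b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, fingerprint(pkt))
```

The option parser bounds-checks every length byte before using it; a passive sensor sits on traffic an attacker controls, so the parser, not the matcher, is the part that needs the most care.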

Because p0f is passive, it does not send fingerprinting probes to the remote host. This distinguishes it from active scanning tools such as Nmap, which can generate specially crafted packets for host discovery and operating-system detection.[4] Passive fingerprinting can be useful in environments where generating additional traffic is undesirable, unreliable or likely to trigger alarms.[1]

In addition to operating system fingerprinting, p0f can report other network characteristics, including approximate distance, system uptime, link type and signs of NAT, load balancing or application-level proxying.[1] Version 3 also includes application-level fingerprinting support for HTTP traffic.[1]

History


An early version of p0f was announced on the Bugtraq mailing list in 2000 as a passive operating-system fingerprinting tool.[5] Version 3 was a major rewrite of the earlier codebase and introduced improved TCP fingerprinting, IPv6 support, stateful traffic inspection, application-level fingerprinting modules and a redesigned local API.[1]

Usage


p0f is normally run from the command line. It can listen on a live network interface or read packets from a saved pcap capture file.[1] The program can also run as a daemon and write observations to a log file, or expose information through a local API socket for use by other programs.[1]
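The local API socket mentioned above, as an added example rather than code from the p0f project: a Python client that sends one fixed-size query and decodes the fixed-size reply, paired with a small in-process stand-in for the daemon so the exchange runs offline. The wire format (21-byte query, 232-byte response, magic values and status codes) follows the p0f v3 README as I recall it and should be treated as an assumption to check against the documentation of the version you run; the socket path, the `FAKE_HOSTS` table and all function names are constructed for this example.

```python
import os
import socket
import struct
import tempfile
import threading

# p0f v3 API wire format (packed structs, host byte order) as documented in the
# project's README. Assumption: verify against the docs of your p0f version.
P0F_QUERY_MAGIC = 0x50304601
P0F_RESP_MAGIC = 0x50304602
P0F_STATUS_BADQUERY, P0F_STATUS_OK, P0F_STATUS_NOMATCH = 0x00, 0x10, 0x20
QUERY_FMT = "=IB16s"                          # magic, addr_type (4 or 6), address
RESP_FMT = "=IIIIIIIIIhBB32s32s32s32s32s32s"   # field names: see decode_response
QUERY_LEN, RESP_LEN = struct.calcsize(QUERY_FMT), struct.calcsize(RESP_FMT)

# Constructed stand-in for p0f's host cache (sample data, not p0f output).
FAKE_HOSTS = {
    "10.0.0.5": {"os_name": b"Linux", "os_flavor": b"3.x", "distance": 3,
                 "total_conn": 12, "link_type": b"Ethernet or modem"},
}


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:                   # fixed-size records: read until complete
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full message arrived")
        buf += chunk
    return buf


def encode_query(ip: str) -> bytes:
    fam = socket.AF_INET6 if ":" in ip else socket.AF_INET
    raw = socket.inet_pton(fam, ip).ljust(16, b"\0")   # IPv4 is zero-padded to 16
    return struct.pack(QUERY_FMT, P0F_QUERY_MAGIC, 6 if fam == socket.AF_INET6 else 4, raw)


def decode_response(data: bytes) -> dict:
    f = struct.unpack(RESP_FMT, data)
    if f[0] != P0F_RESP_MAGIC:
        raise ValueError("bad response magic")
    names = ["status", "first_seen", "last_seen", "total_conn", "uptime_min",
             "up_mod_days", "last_nat", "last_chg", "distance", "bad_sw", "os_match_q"]
    out = dict(zip(names, f[1:12]))
    strings = ["os_name", "os_flavor", "http_name", "http_flavor", "link_type", "language"]
    out.update((k, _cstr(v)) for k, v in zip(strings, f[12:]))
    return out


def _pack_response(status: int, host=None) -> bytes:
    h = host or {}
    return struct.pack(RESP_FMT, P0F_RESP_MAGIC, status, 0, 0, h.get("total_conn", 0),
                       0, 0, 0, 0, h.get("distance", 0), 0, 0,
                       h.get("os_name", b""), h.get("os_flavor", b""), b"", b"",
                       h.get("link_type", b""), b"")


def _fake_p0f_server(path: str, ready: threading.Event, n_clients: int) -> None:
    """Answers like the daemon would, but from FAKE_HOSTS; serves n_clients then exits."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)
        ready.set()
        for _ in range(n_clients):
            conn, _ = srv.accept()
            with conn:
                try:
                    magic, atype, raw = struct.unpack(QUERY_FMT, _recv_exact(conn, QUERY_LEN))
                except ConnectionError:
                    continue
                if magic != P0F_QUERY_MAGIC or atype not in (4, 6):
                    conn.sendall(_pack_response(P0F_STATUS_BADQUERY))
                    continue
                ip = (socket.inet_ntop(socket.AF_INET, raw[:4]) if atype == 4
                      else socket.inet_ntop(socket.AF_INET6, raw))
                host = FAKE_HOSTS.get(ip)
                conn.sendall(_pack_response(P0F_STATUS_OK, host) if host
                             else _pack_response(P0F_STATUS_NOMATCH))


def query_p0f(sock_path: str, ip: str) -> dict:
    """Client side of the exchange: one query out, one fixed-size reply back."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(encode_query(ip))
        return decode_response(_recv_exact(s, RESP_LEN))


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "p0f.sock")       # constructed socket path
        ready = threading.Event()
        t = threading.Thread(target=_fake_p0f_server, args=(path, ready, 3), daemon=True)
        t.start()
        ready.wait(5)
        known = query_p0f(path, "10.0.0.5")
        unknown = query_p0f(path, "192.0.2.1")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:   # wrong magic
            s.connect(path)
            s.sendall(struct.pack(QUERY_FMT, 0xDEADBEEF, 4, b"\0" * 16))
            bad = decode_response(_recv_exact(s, RESP_LEN))
        t.join(5)
    return {"known": known, "unknown": unknown, "bad": bad}


if __name__ == "__main__":
    print(run_demo())
```

Against a real daemon, replace the fake server with the path given to p0f's `-s` option and keep the same client; the reply carries the OS label, estimated distance and NAT/uptime hints the article describes, so a consumer can enrich its own logs without generating any traffic toward the host in question.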

The signatures used by p0f are stored in a plain-text fingerprint database file, usually named p0f.fp.[1] Users can provide a different fingerprint file at run time, allowing signatures to be updated or modified without recompiling the program.[1]

References

  1. Zalewski, Michał (2012). "p0f v3: passive fingerprinter". lcamtuf.coredump.cx. Retrieved 1 June 2026.
  2. "p0f". Homebrew Formulae. Retrieved 1 June 2026.
  3. "Contents of p0f-3.09b.tgz". Fossies. 18 April 2016. Retrieved 1 June 2026.
  4. Lyon, Gordon Fyodor (2009). "Fingerprinting Methods Avoided by Nmap". Nmap Network Scanning. Nmap Project. Retrieved 1 June 2026.
  5. Zalewski, Michał (10 June 2000). "p0f - passive os fingerprinting tool". Bugtraq (Mailing list). Retrieved 1 June 2026.