
p0f

p0f is a passive OS fingerprinting tool: it identifies remote systems from the TCP SYN packets they send, without transmitting anything itself. From those packets it infers the operating system, the hop distance to each host and the structure of the network behind them, and it accepts tcpdump-style capture filters to select which traffic it examines.

Description

p0f performs passive OS detection by analyzing SYN packets, which sets it apart from active tools such as nmap and queso that send probe packets to the target. It can estimate the distance to remote hosts (from the observed TTL) and reveal the structure of foreign or local networks. Run on a network gateway, it sees every connection crossing that gateway and can build OS and distance statistics for the whole network behind it.

On end-user machines it works as an IDS add-on: because it never sends a packet, the systems it fingerprints cannot detect it. It accepts full tcpdump-style filter expressions as its trailing argument and uses an extensible fingerprint database loaded from /etc/p0f/p0f.fp (override with -f). Each match is logged with the client IP and port, the OS guess, the hop distance, extra parameters and the raw signature, so the output can be post-processed or correlated with other logs.

p0f is ideal for passive reconnaissance, network monitoring, and intrusion detection without generating suspicious traffic.

How It Works

p0f passively analyzes TCP SYN packets and matches the attributes of each one (initial TTL, window size, MSS, the order of TCP options such as mss, sok, ts, nop and ws, and assorted quirks) against the signatures in its fingerprint database (/etc/p0f/p0f.fp), without transmitting anything. It captures on the interface given with -i (in promiscuous mode with -p) or reads a pcap file with -r, handles VLAN-tagged frames, and writes one line per match carrying the client address and port, the OS guess (e.g. Linux 3.11+), the distance (dist), extra parameters (params) and the raw signature (raw_sig). A unix-socket API (-s) lets other programs ask what p0f has learned about a given address, and the connection and host caches (bounded by -t and -m) keep memory use predictable under heavy traffic.
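The log lines described above are pipe-separated key=value fields, which makes them easy to consume from a script. The following added Python example (not part of p0f or the Kali page) parses such lines, splits the SYN raw_sig into its components using the field layout from p0f's fingerprint documentation (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass, with ittl written as observed_ttl+distance in the log), and then applies a small IDS-style heuristic of its own: a client that matches more than one OS or shows up at more than one hop distance deserves a look. The sample log lines and the heuristic are constructed for this example; the addresses are RFC 5737 documentation ranges.

```python
"""Parse p0f -o log output and flag clients worth a second look.

Added example, not p0f's own code. SAMPLE_LOG is constructed to follow
the format p0f writes; it was not captured from a real network.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[2024/03/01 10:26:14] mod=syn|cli=192.0.2.10/51524|srv=198.51.100.5/80|subj=cli|os=Linux 3.11 and newer|dist=8|params=none|raw_sig=4:56+8:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
[2024/03/01 10:26:20] mod=syn|cli=192.0.2.11/40012|srv=198.51.100.5/443|subj=cli|os=Windows 7 or 8|dist=12|params=none|raw_sig=4:116+12:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2024/03/01 10:27:02] mod=syn|cli=192.0.2.10/51530|srv=198.51.100.5/80|subj=cli|os=Windows 7 or 8|dist=12|params=none|raw_sig=4:116+12:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2024/03/01 10:27:30] mod=syn|cli=192.0.2.12/33000|srv=198.51.100.5/22|subj=cli|os=???|dist=3|params=none|raw_sig=4:61+3:0:1380:5840,4:mss,sok,ts,nop,ws:df,id+:0
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<body>.+)$")


def _window_bytes(win, mss):
    """p0f writes the window literally, or as mss*N when it is an exact multiple."""
    if win.startswith("mss*"):
        return mss * int(win[4:])
    return int(win) if win.isdigit() else None


def parse_syn_sig(raw):
    """Split a SYN raw_sig (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass)."""
    ver, ittl, olen, mss, wsize, olayout, quirks, pclass = raw.split(":")
    ttl, _, dist = ittl.partition("+")      # logged as observed_ttl+distance
    win, _, scale = wsize.partition(",")
    mss = int(mss)
    return {
        "ip_ver": int(ver),
        "ttl": int(ttl),
        "dist": int(dist) if dist else 0,
        "olen": int(olen),
        "mss": mss,
        "wsize": _window_bytes(win, mss),
        "wscale": int(scale) if scale.isdigit() else None,
        "olayout": olayout.split(",") if olayout else [],   # TCP option order
        "quirks": quirks.split(",") if quirks else [],
        "payload": pclass == "+",               # pclass is 0 or + (SYN carried data)
    }


def parse_line(line):
    """Return the key=value fields of one p0f log line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for field in m.group("body").split("|"):
        key, _, value = field.partition("=")
        rec[key] = value
    if "cli" in rec:                            # cli=addr/port, also for IPv6
        rec["cli_ip"], _, rec["cli_port"] = rec["cli"].rpartition("/")
    if rec.get("mod") == "syn" and "raw_sig" in rec:
        rec["sig"] = parse_syn_sig(rec["raw_sig"])
    return rec


def summarize(log_text):
    """Per client IP: OS labels seen, hop distances seen, number of SYNs."""
    hosts = defaultdict(lambda: {"os": set(), "dist": set(), "syns": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("mod") != "syn" or rec.get("subj") != "cli":
            continue
        h = hosts[rec["cli_ip"]]
        h["os"].add(rec.get("os", "???"))
        h["dist"].add(int(rec["dist"]))
        h["syns"] += 1
    return dict(hosts)


def suspicious_hosts(hosts):
    """Heuristic written for this example (separate from p0f's own NAT
    detection): one address fingerprinting as several OSes or from several
    distances is typically a NAT gateway, a forged source, or a reused
    address; unmatched clients (os=???) are listed for review as well."""
    flagged = {}
    for ip, h in hosts.items():
        reasons = []
        if len(h["os"]) > 1:
            reasons.append("multiple OS matches: " + ", ".join(sorted(h["os"])))
        if len(h["dist"]) > 1:
            reasons.append("multiple distances: " + ", ".join(map(str, sorted(h["dist"]))))
        if "???" in h["os"]:
            reasons.append("no signature match")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, reasons in suspicious_hosts(summarize(text)).items():
        print(ip, "->", "; ".join(reasons))
```

Run it as `python3 p0f_log.py /tmp/p0f.log` against a file written with -o; with no argument it processes the constructed sample, in which 192.0.2.10 is flagged twice (two OS labels, two distances) and 192.0.2.12 once (no match).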

Installation

sudo apt install p0f

Flags

-i iface     listen on the specified network interface
-r file      read offline pcap data from a given file
-p           put the listening interface in promiscuous mode
-L           list all available interfaces
-f file      read fingerprint database from 'file' (default /etc/p0f/p0f.fp)
-o file      write information to the specified log file
-s name      answer to API queries at a named unix socket
-u user      switch to the specified unprivileged account and chroot
-d           fork into background (requires -o or -s)
-S limit     limit number of parallel API connections (default 20)
-t c,h       set connection / host cache age limits (default 30s,120m)
-m c,h       cap the number of active connections / hosts (default 1000,10000)

Examples

Use interface eth0 in promiscuous mode, saving results to /tmp/p0f.log
p0f -i eth0 -p -o /tmp/p0f.log
Intercept traffic on interface eth0 with default settings
p0f -i eth0
Put the listening interface in promiscuous mode
p0f -p
Write information to the specified log file
p0f -o /tmp/p0f.log
Read offline pcap data from a given file
p0f -r file.pcap
List all available interfaces
p0f -L
Answer to API queries at a named unix socket
p0f -s api.sock
Fork into background and log to file
p0f -d -o /tmp/p0f.log
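Once p0f is started with -s, another process can ask it about any address it has seen. The following added Python client (not part of p0f, which ships its own small C client) builds the 21-byte query and decodes the 232-byte response using the layout from p0f's README and api.h: native byte order, query magic 0x50304601, response magic 0x50304602, status 0x10 for a match and 0x20 for no match, followed by counters, the distance and six NUL-padded 32-byte strings. The socket path and the sample response bytes used for the offline run are constructed for this example.

```python
"""Query a running p0f (-s <socket>) over its unix-socket API.

Added example, not p0f's own client. Wire format per p0f's README/api.h.
"""
import ipaddress
import socket
import struct

QUERY_MAGIC = 0x50304601
RESP_MAGIC = 0x50304602
STATUS = {0x00: "bad query", 0x10: "ok", 0x20: "no match"}

QUERY_FMT = "=IB16s"            # magic, addr_type (4 or 6), address padded to 16 bytes
RESP_FMT = "=IIIIIIIIIhBB32s32s32s32s32s32s"   # 232 bytes, packed, native order
RESP_FIELDS = ("magic", "status", "first_seen", "last_seen", "total_conn",
               "uptime_min", "up_mod_days", "last_nat", "last_chg",
               "distance", "bad_sw", "os_match_q",
               "os_name", "os_flavor", "http_name", "http_flavor",
               "link_type", "language")


def build_query(ip):
    """21-byte query for an IPv4 or IPv6 address; struct '16s' NUL-pads IPv4."""
    addr = ipaddress.ip_address(ip)
    return struct.pack(QUERY_FMT, QUERY_MAGIC, addr.version, addr.packed)


def parse_response(data):
    """Decode a response into a dict; strings are NUL-terminated within 32 bytes."""
    if len(data) != struct.calcsize(RESP_FMT):
        raise ValueError(f"unexpected response length {len(data)}")
    resp = dict(zip(RESP_FIELDS, struct.unpack(RESP_FMT, data)))
    if resp["magic"] != RESP_MAGIC:
        raise ValueError("bad response magic")
    resp["status"] = STATUS.get(resp["status"], "unknown")
    for key in RESP_FIELDS[12:]:
        resp[key] = resp[key].split(b"\0", 1)[0].decode("ascii", "replace")
    return resp


def query_host(sock_path, ip):
    """Connect to the socket given to p0f -s and look up one address."""
    need = struct.calcsize(RESP_FMT)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_query(ip))
        data = b""
        while len(data) < need:            # read until the full struct arrived
            chunk = s.recv(need - len(data))
            if not chunk:
                raise ConnectionError("p0f closed the socket early")
            data += chunk
    return parse_response(data)


def sample_response():
    """Constructed response bytes (not captured from a real p0f) for offline use."""
    return struct.pack(RESP_FMT, RESP_MAGIC, 0x10, 1700000000, 1700000600, 3,
                       0, 0, 0, 0, 8, 0, 0,
                       b"Linux", b"3.11 and newer", b"", b"",
                       b"Ethernet or modem", b"")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                 # e.g. python3 p0f_api.py api.sock 192.0.2.10
        print(query_host(sys.argv[1], sys.argv[2]))
    else:
        print(parse_response(sample_response()))
```

The querying process needs read/write access to the socket file, so match the user given to p0f -u (or adjust the socket's permissions) rather than running the client as root. A "no match" status means p0f has not seen that address within its host cache lifetime (-t), not that the address is unknown to the network.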
Updated 2026-04-16 (kali.org ↗)