p0f is a passive TCP/IP stack fingerprinting tool developed by Michał Zalewski. It is used to identify characteristics of remote hosts by observing existing network traffic, rather than by sending active probes to the target system.[1]
Overview
p0f works by inspecting fields in captured IP and TCP packets. For TCP/IP traffic, it examines information such as the initial TTL, maximum segment size, TCP option ordering, window size and other implementation-specific properties of network packets.[1] These values are compared with entries in a fingerprint database in order to infer the likely operating system or software that generated the traffic.[1]
Because p0f is passive, it does not send fingerprinting probes to the remote host. This distinguishes it from active scanning tools such as Nmap, which can generate specially crafted packets for host discovery and operating-system detection.[4] Passive fingerprinting can be useful in environments where generating additional traffic is undesirable, unreliable or likely to trigger alarms.[1]
In addition to operating system fingerprinting, p0f can report other network characteristics, including approximate distance, system uptime, link type and signs of NAT, load balancing or application-level proxying.[1] Version 3 also includes application-level fingerprinting support for HTTP traffic.[1]
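The field inspection and distance estimate described above can be illustrated with a short sketch. This is an added example, not code from p0f: the function names, the option labels, the sample packet and the TTL-rounding heuristic are assumptions made for illustration.

```python
import struct

# TCP option kinds (IANA registry) mapped to short labels chosen for this example
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def build_sample_syn():
    """Constructed IPv4 + TCP SYN (documentation addresses, checksums left at zero)."""
    opts = (struct.pack("!BBH", 2, 4, 1460)            # MSS = 1460
            + bytes([4, 2])                            # SACK permitted
            + struct.pack("!BBII", 8, 10, 12345, 0)    # timestamps
            + bytes([1])                               # NOP padding
            + bytes([3, 3, 7]))                        # window scale = 7
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 10 << 4, 0x02, 29200, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 57, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + tcp

def extract_features(pkt):
    """Pull the passively observable SYN traits out of a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4 TCP packet")
    ttl, tcp = pkt[8], pkt[(pkt[0] & 0x0F) * 4:]
    if len(tcp) < 20 or tcp[13] & 0x12 != 0x02:
        raise ValueError("not an initial SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:(tcp[12] >> 4) * 4]
    layout, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        layout.append(OPT_NAMES.get(kind, f"?{kind}"))
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:
            wscale = opts[i + 2]
        i += length
    # Assumption: senders start from a common default TTL; round up to the nearest one.
    initial_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    return {"ttl": ttl, "initial_ttl": initial_ttl, "distance": initial_ttl - ttl,
            "window": window, "mss": mss, "wscale": wscale, "layout": layout,
            "win_per_mss": window // mss if mss and window % mss == 0 else None}
```

Calling `extract_features(build_sample_syn())` returns the traits as a dictionary; matching them against a signature set is a separate lookup step that this sketch does not attempt.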
History
An early version of p0f was announced on the Bugtraq mailing list in 2000 as a passive operating-system fingerprinting tool.[5] Version 3 was a major rewrite of the earlier codebase and introduced improved TCP fingerprinting, IPv6 support, stateful traffic inspection, application-level fingerprinting modules and a redesigned local API.[1]
Usage
p0f is normally run from the command line. It can listen on a live network interface or read packets from a saved pcap capture file.[1] The program can also run as a daemon and write observations to a log file, or expose information through a local API socket for use by other programs.[1]
The signatures used by p0f are stored in a plain-text fingerprint database file, usually named p0f.fp.[1] Users can provide a different fingerprint file at run time, allowing signatures to be updated or modified without recompiling the program.[1]
References
1. Zalewski, Michał (2012). "p0f v3: passive fingerprinter". lcamtuf.coredump.cx. Retrieved 1 June 2026.
2. "p0f". Homebrew Formulae. Retrieved 1 June 2026.
3. "Contents of p0f-3.09b.tgz". Fossies. 18 April 2016. Retrieved 1 June 2026.
4. Lyon, Gordon Fyodor (2009). "Fingerprinting Methods Avoided by Nmap". Nmap Network Scanning. Nmap Project. Retrieved 1 June 2026.
5. Zalewski, Michał (10 June 2000). "p0f - passive os fingerprinting tool". Bugtraq (Mailing list). Retrieved 1 June 2026.
