p0f v3 (version 3.06b)

Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>

Yeah, it's back!

1. What's this?

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Some of p0f's capabilities include:

The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to.

Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.

You can read more about its design and operation in this document. In one form or another, earlier versions of p0f are used in a wide variety of projects, including pfsense, Ettercap, PRADS, amavisd, milter, postgrey, fwknop, Satori, the OpenBSD firewall, and an assortment of commercial tools.

Fun fact: The idea for p0f dates back to June 10, 2000. Today, almost all applications that do passive OS fingerprinting either simply reuse p0f for TCP-level checks (Ettercap, Disco, PRADS, Satori), or use inferior approaches that, for example, pay no attention to the intricate relationship between a host's window size and MTU (SinFP).

2. What's the output?

A snippet of typical p0f output may look like this:

  .-[ 1.2.3.4/1524 -> 4.3.2.1/80 (syn) ]-
  |
  | client   = 1.2.3.4
  | os       = Windows XP
  | dist     = 8
  | params   = none
  | raw_sig  = 4:120+8:0:1452:65535,0:mss,nop,nop,sok:df,id+:0
  |
  `----

  .-[ 1.2.3.4/1524 -> 4.3.2.1/80 (mtu) ]-
  |
  | client   = 1.2.3.4
  | link     = DSL
  | raw_mtu  = 1492
  |
  `----

  .-[ 1.2.3.4/1524 -> 4.3.2.1/80 (uptime) ]-
  |
  | client   = 1.2.3.4
  | uptime   = 0 days 11 hrs 16 min (modulo 198 days)
  | raw_freq = 250.00 Hz
  |
  `----

  .-[ 1.2.3.4/1524 -> 4.3.2.1/80 (http request) ]-
  |
  | client   = 1.2.3.4/1524
  | app      = Firefox 5.x or newer
  | lang     = English
  | params   = none
  | raw_sig  = 1:Host,User-Agent,Accept=[text/html,application/xhtml+xml...
  |
  `----
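The raw_sig, raw_mtu and raw_freq values above are enough to reproduce the derived fields by hand, which is useful when writing new signatures or checking a suspicious match. The following is an added example (not p0f's own code) that decodes the SYN signature from the snippet using the colon-separated field order of p0f v3 TCP signatures (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass), recovers the initial TTL and hop distance from the "120+8" notation, derives the MTU from the MSS, and shows where the "modulo 198 days" in the uptime line comes from. The MTU-to-link table is an illustrative subset, and the initial-TTL guess is a simplified version of the nearest-standard-value rule; both are assumptions of this example, not p0f's database.

```python
"""Decode the raw TCP signature, MTU and uptime fields that p0f v3 prints.

Added example, not p0f's own code. Field order follows the p0f v3 TCP
signature format:  ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
"""
from dataclasses import dataclass
from typing import List, Optional

# Sample raw_sig copied from the output snippet above.
SAMPLE_RAW_SIG = "4:120+8:0:1452:65535,0:mss,nop,nop,sok:df,id+:0"

# Initial TTL values used by practically all operating systems.
STANDARD_TTLS = (32, 64, 128, 255)

# MTU -> link type. Illustrative subset (assumption), not p0f's full MTU list.
LINK_BY_MTU = {
    576: "Ethernet or modem",
    1500: "Ethernet or modem",
    1492: "DSL",            # PPPoE takes 8 bytes out of a 1500-byte frame
    1496: "VLAN",
    1480: "IPIP or SIT",
    1476: "IPSec or GRE",
    9000: "jumbo Ethernet",
}


@dataclass
class TcpSig:
    ip_version: int
    observed_ttl: int
    initial_ttl: int
    distance: int
    ip_opt_len: int
    mss: Optional[int]        # None when the signature says '*'
    window: str               # raw number, or 'mss*N' / 'mtu*N' in database entries
    wscale: Optional[int]
    options: List[str]
    quirks: List[str]
    payload_class: str


def guess_initial_ttl(observed: int) -> int:
    """Smallest standard initial TTL that is >= the observed TTL (simplified rule)."""
    for ttl in STANDARD_TTLS:
        if observed <= ttl:
            return ttl
    return 255


def parse_raw_sig(sig: str) -> TcpSig:
    fields = sig.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 colon-separated fields, got {len(fields)}")
    ver, ittl, olen, mss, wsize, olayout, quirks, pclass = fields
    # p0f writes '<observed>+<dist>' when the observed TTL is not a standard initial value.
    if "+" in ittl:
        ttl_s, dist_s = ittl.split("+", 1)
        observed, dist = int(ttl_s), int(dist_s)
        initial = observed + dist
    else:
        observed = int(ittl)
        initial = guess_initial_ttl(observed)
        dist = initial - observed
    window, _, scale = wsize.partition(",")
    return TcpSig(
        ip_version=int(ver),
        observed_ttl=observed,
        initial_ttl=initial,
        distance=dist,
        ip_opt_len=int(olen),
        mss=None if mss == "*" else int(mss),
        window=window,
        wscale=None if scale in ("", "*") else int(scale),
        options=olayout.split(",") if olayout else [],
        quirks=quirks.split(",") if quirks else [],
        payload_class=pclass,
    )


def mtu_from_mss(mss: int, ip_version: int) -> int:
    """MSS plus minimal headers: 20 IPv4 + 20 TCP, or 40 IPv6 + 20 TCP."""
    return mss + (40 if ip_version == 4 else 60)


def link_from_mtu(mtu: int) -> str:
    return LINK_BY_MTU.get(mtu, "unknown")


def uptime_wrap_days(freq_hz: float) -> int:
    """Days until a 32-bit TCP timestamp clock ticking at freq_hz wraps around."""
    return int((2 ** 32) / freq_hz / 86400)


if __name__ == "__main__":
    sig = parse_raw_sig(SAMPLE_RAW_SIG)
    mtu = mtu_from_mss(sig.mss, sig.ip_version)
    print(f"initial TTL {sig.initial_ttl}, distance {sig.distance} hops")
    print(f"options {sig.options}, quirks {sig.quirks}, payload class {sig.payload_class}")
    print(f"MSS {sig.mss} -> MTU {mtu} -> link {link_from_mtu(mtu)}")
    print(f"250 Hz timestamp clock wraps after {uptime_wrap_days(250.0)} days")
```

Running it on the sample gives initial TTL 128 at 8 hops (the dist line above), MTU 1492 (the raw_mtu line, mapped to DSL), and a 198-day wrap for a 250 Hz timestamp clock (the "modulo 198 days" in the uptime line). Note that the distance is only as good as the assumption that the host started from a standard initial TTL; a host or middlebox using an odd initial TTL will be placed at the wrong hop count.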

3. Can I have it?

Yup: click here to download the current release (3.06b), or here to browse older releases, including 2.0.x and 1.8.x.

Please keep in mind that p0f v3 is a complete rewrite of the original tool, including a brand new database of signatures. We are starting from scratch, so especially for the first few releases, please be sure to submit new signatures and report bugs with special zeal! I am particularly interested in:

4. Just show me how it works, OK?

Not all capabilities of p0f can be showcased here, and as noted, this release candidate still has a relatively small database of fingerprints. That said, here's the most recent positive match p0f has for your IP:

  Detected OS  = unknown
  HTTP client  = unknown
  Network link = Ethernet or modem
  Distance     = 21
  Language     = English
  Uptime       = 8 days 23 hrs 2 min (modulo 198 days)

Note that the result may be affected by transparent proxies set up by your ISP or your employer, and so on. In particular, if you are seeing a dramatic mismatch (e.g., Windows misidentified as Linux), it is fairly unlikely that p0f is wrong: a proxy that terminates your TCP connection and opens its own toward the server leaves p0f fingerprinting the proxy, not your machine. Cellular operators are particularly notorious for intercepting traffic.

Okay, now here's your chance to do a good deed. If some of that information is incorrect, or if p0f simply could not identify you at all, please complete this short questionnaire:

  - Name, version, and patchlevel of your OS (for example, 'Windows XP SP2' or 'Linux 3.1.2').
  - Name and version of your browser (for example, 'Firefox 8.0' or 'lynx 2.8.5').
  - Any factors that may affect TCP or HTTP traffic: TCP performance tweaks, VPN, transparent and regular proxies, Tor, etc.
  - Your contact e-mail (optional), so that I can follow up with you if I have questions. Please provide one!

5. Contact

Please submit questions, comments, patches, signatures, and chocolate to <lcamtuf@coredump.cx>. If you want to be nice, you can also buy this.