p0f v3 (version 3.09b)
Copyright (C) 2012-2014 by Michal Zalewski <email@example.com>
Yeah, it's back!
1. What's this?
P0f is a tool that utilizes an array of sophisticated, purely passive traffic
fingerprinting mechanisms to identify the players behind any incidental TCP/IP
communications (often as little as a single normal SYN) without interfering in
any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant
number of improvements to network-level fingerprinting, and introducing the ability to reason
about application-level payloads (e.g., HTTP).
Some of p0f's capabilities include:
The tool can be operated in the foreground or as a daemon, and offers a simple
real-time API for third-party components that wish to obtain additional
information about the actors they are talking to.
- Highly scalable and extremely fast identification of the operating system
and software on both endpoints of a vanilla TCP connection - especially in
settings where NMap probes are blocked, too slow, unreliable, or would
simply set off alarms.
- Measurement of system uptime and network hookup, distance (including
topology behind NAT or packet filters), user language preferences, and so on.
- Automated detection of connection sharing / NAT, load balancing, and
application-level proxying setups.
- Detection of clients and servers that forge declarative statements
such as X-Mailer or User-Agent.
Common uses for p0f include reconnaissance during penetration tests; routine
network monitoring; detection of unauthorized network interconnects in corporate
environments; providing signals for abuse-prevention tools; and miscellanous
You can read more about its design and operation in
this document. In one form or another,
earlier versions of p0f are used in a wide variety of projects, including
the OpenBSD firewall, and an assortment of commercial tools.
Fun fact: The idea for p0f dates back to
June 10, 2000. Today,
almost all applications that do passive OS fingerprinting either simply reuse p0f
for TCP-level checks (Ettercap, Disco, PRADS, Satori), or use inferior approaches that,
for example, pay no attention to the intricate relationship between host's
window size and MTU (SinFP).
2. What's the output?
A snippet of typical p0f output may look like this:
.-[ 220.127.116.11/1524 -> 18.104.22.168/80 (syn) ]-
| client = 22.214.171.124
| os = Windows XP
| dist = 8
| params = none
| raw_sig = 4:120+8:0:1452:65535,0:mss,nop,nop,sok:df,id+:0
.-[ 126.96.36.199/1524 -> 188.8.131.52/80 (mtu) ]-
| client = 184.108.40.206
| link = DSL
| raw_mtu = 1492
.-[ 220.127.116.11/1524 -> 18.104.22.168/80 (uptime) ]-
| client = 22.214.171.124
| uptime = 0 days 11 hrs 16 min (modulo 198 days)
| raw_freq = 250.00 Hz
.-[ 126.96.36.199/1524 -> 188.8.131.52/80 (http request) ]-
| client = 184.108.40.206/1524
| app = Firefox 5.x or newer
| lang = English
| params = none
| raw_sig = 1:Host,User-Agent,Accept=[text/html,application/xhtml+xml...
3. Can I have it?
Yup: click here to download the current release (3.09b), or here to browse
older releases, including 2.0.x and 1.8.x.
Please keep in mind that p0f v3 is a complete rewrite of the original tool, including a brand new database of signatures. We are starting
from scratch, so especially for the first few releases, please be sure to submit new signatures and report bugs with special zeal! I am particularly
- TCP SYN ("who is connecting to me?") signatures for a variety of systems - especially from some of the older, more exotic, or more specialized platforms,
such as Windows 9x, NetBSD, IRIX, Playstation, Cisco IOS, etc. To do this, you simply need to attempt establishing a connection to a box running p0f.
The connection does not need to succeed.
- TCP SYN+ACK signatures ("who am I connecting to?"). The current database is minimal, so all contributions are welcome. To collect these signatures, you
need to compile the supplied p0f-sendsyn tool, and then use it to initiate a connection to an open port on a remote host; see
README for more.
- HTTP request signatures - especially for older or more exotic browsers (e.g. MSIE5, mobile devices, gaming consoles), crawlers, command-line tools, and
libraries. To collect a signature, you can run p0f on the client system itself, or on the web server it talks to.
- HTTP response signatures. P0f ships with a minimal database here (only Apache 2.x has any real coverage). Signatures are best collected for three
separate cases: several minutes of casual browsing with a modern browser; a request with curl; and another one with wget.
4. Just show me how it works, OK?
Not all capabilities of p0f can be showcased here, and as noted, this release candidate still has a relatively small database of fingerprints. That said,
here's the most recent positive match p0f has for your IP:
Detected OS = unknown
HTTP client = unknown
Network link = Ethernet or modem
Distance = 13
Language = unknown
Uptime = 5 days 1 hrs 42 min (modulo 198 days)
Note that the result may be affected by transparent proxies set up by your ISP or your employer,
and so on. Especially if you are seeing a dramatic mismatch (e.g. Windows misidentified as Linux), it's fairly unlikely
that p0f is wrong. Cellular operators are particularly notorious for intercepting traffic.
Okay, now here's your chance to do a good deed. If some of that information is incorrect, or if p0f simply
could not identify you at all, please complete this short questionnaire:
Please submit questions, comments, patches, signatures, and chocolate to
<firstname.lastname@example.org>. You can also
follow me on Twitter.