What is p0f?
Passive OS Fingerprinting (p0f) is the passive collection of layer 4 configuration attributes that can be used to deduce the operating system that is communicating over the network. p0f uses TCP/IP header information such as initial packet size, window size, and flags to form a signature, or fingerprint, for that operating system.
libp0f is a library implementation of p0f version 2 retrieved from http://lcamtuf.coredump.cx/p0f.shtml. This library splits the core p0f functionality from the p0f application in order to support 3rd-party linkage. The p0f library is installed as libp0f.so into /usr/local/lib by default. libp0f does not change any of the fingerprinting algorithms from p0f version 2, nor has it upgraded any of the p0f fingerprints. Do not install both the p0f application and the library. The library is required for use with YAF. To enable p0f in YAF, configure YAF with --enable-p0fprinter, and run YAF with --p0fprint.
Configuring YAF with libp0f
It may be necessary to set the PKG_CONFIG_PATH and LD_LIBRARY_PATH environment variables for YAF to find libp0f.
Running YAF with p0f
Running YAF with p0f will export 6 new fields, OS Name, OS Version, OS Fingerprint, Reverse OS Name, Reverse OS Version, and Reverse OS Fingerprint, in the p0f template of the SubTemplateMultiList (see here for more info on YAF templates).
YAF will export these new fields only if it finds a match. SiLK currently does not have support for these fields. Checkout the following links to YAF mediators that will allow you to collect and view the p0f fields:
If you have bug reports, patches, feedback, or questions please send them to email@example.com.