p0f, and various reimplementations such as libp0f and dsniff, are passive operating system (OS) fingerprinting tools that attempt to determine the OS of a system based on the TCP traffic it generates – specifically SYN, SYN+ACK, and RST/RST+ACK packets. The technique relies on configuration differences between network stack implementations.
The efficacy of p0f depends on an up-to-date signature set. However, since its release in 2006, the original fingerprint database has not been maintained and does not reflect new operating systems.
The CERT p0f fingerprint database is an update to the original set of fingerprints included with p0f version 2.0.8. At this time, only the SYN fingerprint database (p0f.fp) has been updated.
As of version p0f.fp.2012032901, the following OSes and tools were added to the 2006 distribution:
- FreeBSD 7.x, 8.x, 9.x
- iOS 3.x, 4.x, 5.x
- Mac OSX 10.x
- Sony PlayStation 3
- Windows Vista, 7, 2008, 9 (Consumer Preview)
- nmap 5
Additionally, Linux distribution information was added to the original and new fingerprints. Annotations for the following distributions were added:
- CentOS 3.x, 4.x, 5.x, 6.x
- Chromium 5.x
- Fedora Core 3,4,5,6,7,8,9,10,11,12,13,14,15,16
- Gentoo 10.x, 11.x
- Knoppix 6.x
- Mandrake/Mandriva 2008.x, 2009.x, 2010.x
- OpenSuse 11.x, 12.x
- Slackware 12.x, 13.x
- Ubuntu 4,5,6,7,8,9,10,11.x
Installing and using the signatures
p0f can accept an alternate fingerprint database by using the “-f” command line option. The following example starts p0f with the “p0f.fp.newsig” SYN fingerprint database on the PCAP file “test.pcap”
By default, p0f will also search for p0f.fp in the current directory (on Windows and Unix) and in “/etc/p0f” (on Unix). The provided signature files can be renamed and put into these directories to be used by default.
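The install step described above can be gated on two checks, shown here as an added example that is not part of the original page or CERT's tooling. It assumes the 32-hex-digit value listed for p0f.fp.2012032901 in the table on this page is the file's MD5 digest, and that signature lines use the eight-field p0f 2.0.x layout; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not CERT's tooling: vet a p0f 2.0.x SYN signature file
# before installing it where p0f looks by default.

# Value from this page's table for p0f.fp.2012032901 (assumed to be MD5).
CERT_MD5="e8bcf8d01c343d5225392bbb868fa93a"

# md5_of FILE: print the hex MD5 digest of FILE.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"    # BSD / macOS
    fi
}

# is_p0f_v2_db FILE: succeed only if every signature line has the eight
# colon-separated fields of the 2.0.x format
# (window:ttl:DF:size:options:quirks:genre:details), with a numeric TTL
# and a 0/1 DF flag, and at least one signature is present.
is_p0f_v2_db() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }    # comments and blank lines
        NF < 8 || $2 !~ /^[0-9]+$/ || $3 !~ /^[01]$/ { bad = 1; exit }
        { seen = 1 }
        END { exit (bad || !seen) }
    ' "$1"
}

# install_sigs FILE EXPECTED_MD5 DESTDIR
# Returns 1 on digest mismatch, 2 on a format problem, 0 after copying
# FILE to DESTDIR/p0f.fp.
install_sigs() {
    sig_file=$1; expected=$2; dest=$3
    actual=$(md5_of "$sig_file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $sig_file (got $actual)" >&2
        return 1
    fi
    if ! is_p0f_v2_db "$sig_file"; then
        echo "$sig_file is not a p0f 2.0.x signature database" >&2
        return 2
    fi
    mkdir -p "$dest" && cp "$sig_file" "$dest/p0f.fp"
}

# Usage (file and directory names follow the text above):
#   install_sigs p0f.fp.2012032901 "$CERT_MD5" /etc/p0f
#   p0f -f /etc/p0f/p0f.fp -s test.pcap   # -s reads packets from a capture
```

MD5 only detects accidental corruption or a wrong file; it is the one digest the page publishes, so fetch the file over a channel you already trust.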
|File||Date||Diff from Previous||Changes||MD5|
|p0f.fp.2012032901||03/29/2012||2012032901.diff||3 updated, 6 new, 0 deleted||e8bcf8d01c343d5225392bbb868fa93a|
| || ||2011100301.diff||11 updated, 26 new, 0 deleted|| |
The CERT p0f signature database is only compatible with p0f version 2.0.x implementations.
If you have bug reports, patches, feedback, or questions, please send them to firstname.lastname@example.org.