CERT

p0f, and various reimplementations such as libp0f and dsniff, are passive operating system (OS) fingerprinting tools that attempt to determine the OS of a system from the TCP traffic it generates, specifically SYN, SYN+ACK, and RST/RST+ACK packets. The technique relies on configuration differences among network stack implementations.

The efficacy of p0f depends on an up-to-date signature set. However, since its release in 2006, the original fingerprint database has not been maintained and does not reflect newer operating systems.

The CERT p0f fingerprint database is an update to the original set of fingerprints included with p0f version 2.0.8. At this time, only the SYN fingerprint database (p0f.fp) has been updated.
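To show what a p0f.fp SYN entry encodes, here is an added example (not code from the CERT page or from p0f itself) that parses entries in the p0f 2.x SYN signature layout and matches an observed SYN's window, TTL, DF bit, packet size, option layout and quirks against them, which is how p0f classifies a connection. The sample entries are constructed, and the TTL band (within 32 hops below the initial TTL) and the MTU = MSS + 40 rule are simplifying assumptions.

```python
# Constructed sample entries in the p0f 2.x SYN signature layout (not the CERT file):
SAMPLE_FP = """
# window:ttl:df:size:options:quirks:genre:details
S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (constructed sample)
65535:128:1:48:M*,N,N,S:.:Windows:XP/2000 (constructed sample)
T4:64:1:64:M*,N,W0,N,N,T:.:FreeBSD:8.x (constructed sample)
"""

def parse_fp(text):
    """Parse signature lines into tuples, skipping comments and blank lines."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        win, ttl, df, size, opts, quirks, genre, details = line.split(":", 7)
        sigs.append((win, int(ttl), int(df), size, opts.split(","),
                     set(quirks) - {"."}, genre, details))  # "." means no quirks
    return sigs

def window_matches(pattern, win, mss):
    """'*' any; 'Sn' n*MSS; 'Tn' n*MTU (assumed MTU = MSS+40); '%n' multiple of n; else exact."""
    if pattern == "*":
        return True
    if pattern[0] == "S":
        return win == int(pattern[1:]) * mss
    if pattern[0] == "T":
        return win == int(pattern[1:]) * (mss + 40)
    if pattern[0] == "%":
        return win % int(pattern[1:]) == 0
    return win == int(pattern)

def options_match(pattern, opts):
    """Option layouts must agree item by item; M* and W* accept any value."""
    return len(pattern) == len(opts) and all(
        p[0] == o[0] if p in ("M*", "W*") else p == o for p, o in zip(pattern, opts))

def match_syn(sigs, win, ttl, df, size, opts, quirks, mss):
    """Return (genre, details) of the first signature the observed SYN matches, else None."""
    for swin, sttl, sdf, ssize, sopts, squirks, genre, details in sigs:
        # Assumed simplification: observed TTL lies within 32 hops below the initial TTL.
        ok = (sttl - 32 < ttl <= sttl and sdf == df
              and (ssize == "*" or int(ssize) == size)
              and window_matches(swin, win, mss)
              and options_match(sopts, opts) and squirks == set(quirks))
        if ok:
            return genre, details
    return None
```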

Signature Coverage

As of version p0f.fp.2012032901, the following OSes and tools were added to the 2006 distribution:

  • FreeBSD 7.x, 8.x, 9.x
  • iOS 3.x, 4.x, 5.x
  • Mac OSX 10.x
  • OpenSolaris
  • Linux
  • Sony PlayStation 3
  • Windows Vista, 7, 2008, 9 (Consumer Preview)
  • sinfp
  • nmap 5

Additionally, Linux distribution information was added to the original and new fingerprints. Annotation for the following distributions was added:

  • CentOS 3.x, 4.x, 5.x, 6.x
  • Chromium 5.x
  • Fedora Core 3,4,5,6,7,8,9,10,11,12,13,14,15,16
  • Gentoo 10.x, 11.x
  • Knoppix 6.x
  • Mandrake/Mandriva 2008.x, 2009.x, 2010.x
  • OpenSuse 11.x, 12.x
  • Slackware 12.x, 13.x
  • Ubuntu 4,5,6,7,8,9,10,11.x

Installing and using the signatures

p0f can accept an alternate fingerprint database via the “-f” command line option. The following example starts p0f with the “p0f.fp.newsig” SYN fingerprint database on the PCAP file “test.pcap”:

By default, p0f also searches for p0f.fp in the current directory (on Windows and Unix) and in “/etc/p0f” (on Unix). The provided signature files can be renamed and placed in these directories to be used by default.

Download

Signature File       Release Date   Diff from Previous   Changes                         MD5 signature
p0f.fp.2012032901    03/29/2012     2012032901.diff      3 updated, 6 new, 0 deleted     e8bcf8d01c343d5225392bbb868fa93a
p0f.fp.2011100301    10/03/2011     2011100301.diff      11 updated, 26 new, 0 deleted   eaf5d017ea14c2925187ecac88e82119

Known Issues

The CERT p0f signature database is only compatible with p0f version 2.0.x implementations.

Contact

If you have bug reports, patches, feedback, or questions, please send them to netsa-help@cert.org.