
p0f, and various reimplementations such as libp0f and dsniff, are passive operating system (OS) fingerprinting tools that attempt to determine the OS of a system from the TCP traffic it generates, specifically SYN, SYN+ACK, and RST/RST+ACK packets. The technique relies on configuration differences between network stack implementations.

The efficacy of p0f depends on an up-to-date signature set. However, since its release in 2006, the original fingerprint database has not been maintained and does not reflect new operating systems.

The CERT p0f fingerprint database is an update to the original set of fingerprints included with p0f version 2.0.8. At this time, only the SYN fingerprint database (p0f.fp) has been updated.

Signature Coverage

As of version p0f.fp.2012032901, the following OSes and tools have been added to the 2006 distribution:

  • FreeBSD 7.x, 8.x, 9.x
  • iOS 3.x, 4.x, 5.x
  • Mac OSX 10.x
  • OpenSolaris
  • Linux
  • Sony PlayStation 3
  • Windows Vista, 7, 2008, 9 (Consumer Preview)
  • sinfp
  • nmap 5

Additionally, Linux distribution information was added to the original and new fingerprints. Annotations were added for the following distributions:

  • CentOS 3.x, 4.x, 5.x, 6.x
  • Chromium 5.x
  • Fedora Core 3,4,5,6,7,8,9,10,11,12,13,14,15,16
  • Gentoo 10.x, 11.x
  • Knoppix 6.x
  • Mandrake/Mandriva 2008.x, 2009.x, 2010.x
  • OpenSuse 11.x, 12.x
  • Slackware 12.x, 13.x
  • Ubuntu 4,5,6,7,8,9,10,11.x

Installing and using the signatures

p0f accepts an alternate fingerprint database through the “-f” command line option. The following example starts p0f with the “p0f.fp.newsig” SYN fingerprint database on the PCAP file “test.pcap”:

By default, p0f will also search for p0f.fp in the current directory (on Windows and Unix) and in “/etc/p0f” (on Unix). The provided signature files can be renamed and put into these directories to be used by default.
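Before renaming a downloaded database into one of these directories, it helps to confirm that every entry is in the p0f 2.x SYN layout and to see which OS genres it covers. The following is an added example, not part of the CERT distribution or of p0f itself; the field grammar is an assumption based on the format comments shipped in p0f 2.x databases, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample, not taken from the CERT database. Lines 2-5 use the
# p0f 2.x SYN layout wwww:ttt:D:ss:OOO:QQ:OS:Details; lines 6-8 imitate the
# sectioned layout of p0f 3, which a 2.0.x parser cannot use.
SAMPLE_FP = """\
# comments and blank lines are skipped
S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (constructed)
8192:128:1:52:M*,N,W2,N,N,S:.:Windows:7 (constructed)
65535:64:1:60:M*,N,W3,S,T:.:FreeBSD:8.x (constructed)
1024:64:0:44:M*:.:-nmap:5 (constructed)
[tcp:request]
label = s:unix:Linux:3.x
sig = *:64:0:*:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
"""

# One pattern per leading field (assumed grammar, deliberately loose).
FIELD_RE = [re.compile(p) for p in (
    r"\*|[%ST]?\d+",        # wwww: window size (*, %n, Sn, Tn or literal)
    r"\d+",                 # ttt: initial TTL
    r"[01]",                # D: don't-fragment bit
    r"\*|\d+",              # ss: overall SYN packet size
    r"\.|[A-Z0-9*%?,]+",    # OOO: TCP option order, '.' for none
    r"\.|[A-Z0!]+",         # QQ: quirks, '.' for none
)]

def parse_line(line):
    """Return (genre, details, userland) or None if not a 2.x signature."""
    parts = line.strip().split(":", 7)
    if len(parts) != 8 or not all(
            rx.fullmatch(f) for rx, f in zip(FIELD_RE, parts)):
        return None
    genre = parts[6]
    # Leading '-', '*' or '@' on the genre are match flags; '-' marks
    # userland stacks such as scanners.
    return genre.lstrip("-*@"), parts[7], genre.startswith("-")

def audit(text):
    """Count signatures per OS genre and list line numbers that fail."""
    coverage, rejected = Counter(), []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        sig = parse_line(line)
        if sig is None:
            rejected.append(n)
        else:
            coverage[sig[0]] += 1
    return coverage, rejected

if __name__ == "__main__":
    print(audit(SAMPLE_FP))
```

Run `audit()` over the contents of the real file; a non-empty rejected list means the file is not a clean p0f 2.x SYN database and should not be installed as p0f.fp.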


| Signature File | Release Date | Diff from Previous | Changes | MD5 signature |
|---|---|---|---|---|
| p0f.fp.2012032901 | 03/29/2012 | 2012032901.diff | 3 updated, 6 new, 0 deleted | e8bcf8d01c343d5225392bbb868fa93a |
| | | 2011100301.diff | 11 updated, 26 new, 0 deleted | |


Known Issues

The CERT p0f signature database is only compatible with p0f version 2.0.x implementations.


If you have bug reports, patches, feedback, or questions, please send them to netsa-help@cert.org.