p0f, and various reimplementations such as libp0f and dsniff, are passive operating system (OS) fingerprinting tools that attempt to determine the OS of a system based on the TCP traffic it generates – specifically SYN, SYN+ACK, and RST/RST+ACK packets. The technique relies on configuration differences between the various network stack implementations.

The efficacy of p0f depends on an up-to-date signature set.

The CERT p0f fingerprint database is an update to the original set of fingerprints included with p0f version 2.0.8. At this time, only the SYN fingerprint database (p0f.fp) has been updated.

Signature Coverage

As of version p0f.fp.2012032901, the following OSes and tools were added to the 2006 distribution:

  • FreeBSD 7.x, 8.x, 9.x
  • iOS 3.x, 4.x, 5.x
  • Mac OSX 10.x
  • OpenSolaris
  • Linux
  • Sony PlayStation 3
  • Windows Vista, 7, 2008, 9 (Consumer Preview)
  • sinfp
  • nmap 5

Additionally, Linux distribution information was added to the original and new fingerprints. Annotation for the following distributions was added:

  • CentOS 3.x, 4.x, 5.x, 6.x
  • Chromium 5.x
  • Fedora Core 3,4,5,6,7,8,9,10,11,12,13,14,15,16
  • Gentoo 10.x, 11.x
  • Knoppix 6.x
  • Mandrake/Mandriva 2008.x, 2009.x, 2010.x
  • OpenSuse 11.x, 12.x
  • Slackware 12.x, 13.x
  • Ubuntu 4,5,6,7,8,9,10,11.x

Installing and using the signatures

p0f can accept an alternate fingerprint database through the “-f” command line option. The following example starts p0f with the “p0f.fp.newsig” SYN fingerprint database and reads packets from the PCAP file “test.pcap”:

$ p0f -f p0f.fp.newsig -s test.pcap

By default, p0f will also search for p0f.fp in the current directory (on Windows and Unix) and in “/etc/p0f” (on Unix). The provided signature files can be renamed and put into these directories to be used by default.
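As an added example that is not part of the CERT distribution, the POSIX shell helper below counts the signatures in a p0f 2.0.x SYN fingerprint file and installs the new file as the default p0f.fp, keeping the stock file as a backup. It assumes that comment lines in p0f.fp start with “#” and that every other non-blank line is one signature; both the helper names and the “fewer signatures than before” refusal are this example's own.

```shell
#!/bin/sh
# Added example, not part of the CERT p0f signature distribution.
# Assumptions: p0f.fp comment lines begin with '#', every other non-blank
# line is one signature, and p0f looks for p0f.fp in the current directory
# first and then in /etc/p0f (as described above).

# Count signature lines in a p0f 2.x fingerprint file: skip blank lines and
# lines whose first non-blank character is '#'. Prints 0 for an empty file.
count_sigs() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# Install NEWFILE as DIR/p0f.fp (DIR defaults to /etc/p0f).
# An existing p0f.fp is kept as p0f.fp.orig rather than overwritten, so the
# stock 2006 set can be restored. Because the CERT set is an update to the
# stock set, a file with fewer signatures than the one it would replace is
# treated as truncated or wrong and refused.
install_sigs() {
    newfile=$1
    dir=${2:-/etc/p0f}
    target="$dir/p0f.fp"
    new_n=$(count_sigs "$newfile")
    if [ -f "$target" ]; then
        old_n=$(count_sigs "$target")
        if [ "$new_n" -lt "$old_n" ]; then
            echo "refusing: $newfile has $new_n signatures, $target has $old_n" >&2
            return 1
        fi
        [ -f "$target.orig" ] || cp "$target" "$target.orig"
    fi
    mkdir -p "$dir" && cp "$newfile" "$target"
    echo "installed $newfile as $target ($new_n signatures)"
}

# Usage with p0f 2.x: pass the database explicitly, or install it once and
# let p0f pick it up from its default search locations.
#   p0f -f p0f.fp.newsig -s test.pcap
#   install_sigs p0f.fp.newsig /etc/p0f && p0f -s test.pcap
```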

Known Issues

The CERT p0f signature database is only compatible with p0f version 2.0.x implementations.