Passive Traffic Fingerprinting - p0f




P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).



Features

p0f can identify the system on:

ºmachines that connect to your box (SYN mode)
ºmachines you connect to (SYN+ACK mode)
ºmachines you cannot connect to (RST+ mode)
ºmachines that talk through or near your box

But checking the system is not all p0f can do, p0f will also check the following:

ºmasquerading and firewall presence (useful for policy enforcement)
ºthe distance to the remote system and its uptime
ºother guys’ network hookup (DSL, OC3, avian carriers) and his ISP

Passive Traffic Fingerprinting:

ºHighly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms.

ºMeasurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.

ºAutomated detection of connection sharing / NAT, load balancing, and application-level proxying setups.

ºDetection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.


The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to.

Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellanous forensics.


In one form or another, earlier versions of p0f are used in a wide variety of projects, including  pfsense,  Ettercap,  PRADS,  amavisd, milter, postgrey, fwknop,Satori, the OpenBSD firewall, and an assortment of commercial tools.