P0F(1)                                                                  P0F(1)

NAME
       p0f - identify remote systems passively

SYNOPSIS
       p0f [ -f file ] [ -i device ] [ -o file ] [ -s file ] [ -vKUtq ]
           [ 'filter rule' ]

DESCRIPTION
       This manual page briefly documents the p0f command.

       p0f uses a fingerprinting technique based on information coming from
       a remote host when it tries to establish a connection to your system.
       The captured packet parameters contain enough information to determine
       the remote OS and, unlike active scanners (nmap, queSO), this is done
       without sending anything to that host.

       In short, certain TCP/IP flag settings are specific to given systems.
       Usually the following parameters vary from one TCP stack
       implementation to another:

              initial TTL                 (8 bits)
              window size                 (16 bits)
              maximum segment size        (16 bits)
              don't fragment flag         (1 bit)
              sackOK option               (1 bit)
              nop option                  (1 bit)
              window scaling option       (8 bits)
              initial packet size         (16 bits)

       Combined together, they give a unique 67-bit signature for every
       system.

OPTIONS
       -f file
              read fingerprint information from file

       -i device
              read packets from device

       -s file
              read packets from file

       -o file
              write output to file (best with -vt)

       -v     verbose mode

       -U     do not display unknown signatures

       -K     do not display known signatures

       -t     add timestamps

       -q     quiet mode - do not display banners

FILES
       /etc/p0f.fp
              default Operating System fingerprint file

AUTHOR
       p0f was written by Michal Zalewski. This man page was written by
       William Stearns.

                                                                        P0F(1)
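
EXAMPLE
       The following Python sketch is an added illustration, not code from
       p0f or its author. It extracts the eight parameters listed under
       DESCRIPTION from one raw IPv4 TCP SYN. The function name, the returned
       field names, the TTL rounding heuristic and the sample packet are
       assumptions made for this example.

```python
import struct
# Rounding the observed TTL up to a common initial value is a heuristic
# assumed for this example; the man page only says "initial TTL".
COMMON_TTLS = (32, 64, 128, 255)

def syn_signature(pkt: bytes) -> dict:
    """Return the eight fingerprint parameters of a raw IPv4 TCP SYN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack_from("!HHH", pkt, 2)
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a TCP segment")
    tcp = pkt[ihl:]
    hdr_len = (tcp[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(tcp) or tcp[13] & 0x12 != 0x02:
        raise ValueError("not an initial SYN (SYN set, ACK clear)")
    sig = {
        "ttl": next(t for t in COMMON_TTLS if pkt[8] <= t),
        "window": struct.unpack_from("!H", tcp, 14)[0],
        "mss": 0, "df": (flags_frag >> 14) & 1,
        "sackok": 0, "nop": 0, "wscale": None, "size": total_len,
    }
    opts, i = tcp[20:hdr_len], 0
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of options
        kind = opts[i]
        if kind == 1:                            # NOP is a single byte
            sig["nop"], i = 1, i + 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            break                                # truncated or bogus length
        length = opts[i + 1]
        if kind == 2 and length == 4:            # maximum segment size
            sig["mss"] = struct.unpack_from("!H", opts, i + 2)[0]
        elif kind == 3 and length == 3:          # window scaling
            sig["wscale"] = opts[i + 2]
        elif kind == 4 and length == 2:          # sackOK
            sig["sackok"] = 1
        i += length
    return sig

# Constructed sample: SYN with options MSS 1460, sackOK, timestamp, NOP,
# wscale 7; addresses are documentation ranges, checksums left at zero.
SAMPLE = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1C46, 0x4000, 57, 6, 0,
                bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    + struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0xA0, 0x02, 29200, 0, 0)
    + bytes.fromhex("020405b4 0402 080a0000000100000000 01 030307")
)
```

       Only the initial SYN is accepted, since the signature describes how
       the remote stack opens a connection; anything else raises ValueError.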