- Official Site: http://lcamtuf.coredump.cx/p0f.shtml
- 'p0f' is a passive network scanner, able to fingerprint an OS without ever sending a packet. See official site for more info.
- 'p0f' version 2.0.8, released on 2006-09-06, adds more signatures, 'p0fping', and some bugfixes.

Usage: p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ]
       [ -w file ] [ -Q sock [ -0 ] ] [ -u user ] [ -FXVNDUKASCMROqtpvdlrx ]
       [ -c size ] [ -T nn ] [ -e nn ] [ 'filter rule' ]

  -f file   - read fingerprints from file
  -i device - listen on this device
  -s file   - read packets from tcpdump snapshot
  -o file   - write to this logfile (implies -t)
  -w file   - save packets to tcpdump snapshot
  -u user   - chroot and setuid to this user
  -Q sock   - listen on local socket for queries
  -0        - make src port 0 a wildcard (in query mode)
  -e ms     - pcap capture timeout in milliseconds (default: 1)
  -c size   - cache size for -Q and -M options
  -M        - run masquerade detection
  -T nn     - set masquerade detection threshold (1-200)
  -V        - verbose masquerade flags reporting
  -F        - use fuzzy matching (do not combine with -R)
  -N        - do not report distances and link media
  -D        - do not report OS details (just genre)
  -U        - do not display unknown signatures
  -K        - do not display known signatures (for tests)
  -S        - report signatures even for known systems
  -A        - go into SYN+ACK mode (semi-supported)
  -R        - go into RST/RST+ACK mode (semi-supported)
  -O        - go into stray ACK mode (barely supported)
  -r        - resolve host names (not recommended)
  -q        - be quiet - no banner
  -v        - enable support for 802.1Q VLAN frames
  -p        - switch card to promiscuous mode
  -d        - daemon mode (fork into background)
  -l        - use single-line output (easier to grep)
  -x        - include full packet dump (for debugging)
  -X        - display payload string (useful in RST mode)
  -C        - run signature collision check
  -t        - add timestamps to every entry

'Filter rule' is an optional pcap-style BPF expression (man tcpdump).