Nisitay
pyp0f
Python

p0f v3 with impersonation spoofing, written in Python - Accurately guess the OS of a packet with passive fingerprinting.

Last updated May 21, 2026
72
Stars
10
Forks
0
Issues
0
Stars/day
Attention Score
1
Language breakdown
Python 99.8%
Shell 0.2%
โ–ธ Files click to expand
README

pyp0f

Native implementation of p0f v3 in typed Python 3.


Documentation: https://github.com/Nisitay/pyp0f/blob/master/docs/README.md

Source Code: https://github.com/Nisitay/pyp0f


pyp0f is able to accurately guess the source OS or user application of a given packet with passive fingerprinting, as well as impersonate packets so that p0f will think it has been sent by a specific OS.

Motivation

  • pyp0f is platform independent (using Scapy), while p0f can be cumbersome to run on some platforms (such as Windows).
  • The implementation and concepts behind p0f are very sophisticated, but the tool is written in C which makes it harder to understand and extend. Performance is expected to be slower in Python, but pyp0f still performs well enough (see Performance benchmarks)
  • p0f heavily depends on full packet flow details, while pyp0f attempts to use as little information as possible. For example, you may be able to fingerprint a SYN+ACK packet from a session without having the matching SYN packet.
  • pyp0f aims to be highly configurable and used as a library, without limiting its effectiveness to one packet format/library, as opposed to p0f which runs on a seperate process and you query the results using an API.

Installation

$ pip install pyp0f

Features

  • Full p0f fingerprinting (MTU, TCP, HTTP)
  • p0f spoofing - impersonation (MTU, TCP)
  • TCP timestamps uptime detection

In Progress

  • Flow tracking
  • NAT detection

Getting Started

from scapy.layers.inet import IP, TCP
from pyp0f.database import DATABASE
from pyp0f.fingerprint import fingerprintmtu, fingerprinttcp, fingerprint_http
from pyp0f.fingerprint.results import MTUResult, TCPResult, HTTPResult

DATABASE.load() # Load the fingerprints database

MTU Fingerprinting

google_packet = IP() / TCP(options=[("MSS", 1430)]) mturesult: MTUResult = fingerprintmtu(google_packet)

TCP Fingerprinting

linux_packet = IP(tos=0x10, flags=0x02, ttl=58) / TCP( seq=1, window=29200, options=[("MSS", 1460), ("SAckOK", b""), ("Timestamp", (177816630, 0)), ("NOP", None), ("WScale", 7)], ) tcpresult: TCPResult = fingerprinttcp(linux_packet)

HTTP Fingerprinting

apache_payload = b"HTTP/1.1 200 OK\r\nDate: Fri, 10 Jun 2011 13:27:01 GMT\r\nServer: Apache\r\nLast-Modified: Thu, 09 Jun 2011 17:25:43 GMT\r\nExpires: Mon, 13 Jun 2011 17:25:43 GMT\r\nETag: 963D6BC0ED128283945AF1FB57899C9F3ABF50B3\r\nCache-Control: max-age=272921,public,no-transform,must-revalidate\r\nContent-Length: 491\r\nConnection: close\r\nContent-Type: application/ocsp-response\r\n\r\n" httpresult: HTTPResult = fingerprinthttp(apache_payload)

Sources

Authors

ยฉ 2026 GitRepoTrend ยท Nisitay/pyp0f ยท Updated daily from GitHub