Test proxies with P0F passive OS fingerprinting. Detect TCP/IP stack signatures instantly.
Supported Formats:
HTTP/HTTPS:
SOCKS5:
P0F (Passive OS Fingerprinting) is an advanced network forensics tool that identifies the operating system and other characteristics of a remote host by analyzing TCP/IP packet headers—specifically focusing on TCP SYN packets during connection establishment—and TCP timestamp-derived hints such as system uptime.
Why "passive" means no IDS triggers: P0F doesn't send probe packets like Nmap or other active scanners. Instead, it analyzes traffic that the other host initiates when connecting to you (or traffic transiting through your monitoring point). This passive approach is crucial for stealth network monitoring, security research, and proxy verification without alerting intrusion detection systems.
Additionally, P0F performs distance estimation via TTL/Hop-Limit heuristics, calculating how many network hops separate you from the remote host. This forensics capability helps identify proxy chains, VPN endpoints, and network topology without active traceroute probing.
P0F shows the TCP/IP stack fingerprint of the proxy or NAT that creates the outbound TCP connection. This tells you whether your "residential" or "mobile" proxy is actually a Linux server behind carrier CGNAT, a cloud VM, or something else. Important: It does not reveal the original client device OS behind the proxy.
Treat P0F as a stack-type signal, not a definitive "mobile vs. desktop" verdict. Combine with carrier ASN checks, CGNAT patterns, TLS fingerprinting (JA3/JA4), and behavior analysis for better accuracy.
When you test a proxy with p0f, our server elicits a TCP connection from the proxy to us and fingerprints that SYN. The result describes the proxy/NAT's TCP/IP stack, not the original client behind it. Combine this with ASN/Geo, TLS (JA3/JA4), HTTP headers, and behavior. p0f is a signal, not a verdict.
The TCP/IP stack of the system that originated the SYN (often the proxy/exit). p0f reports categories (e.g., “Windows NT kernel”) rather than fine-grained versions for many stacks.
Approximate hop count via TTL/Hop-Limit heuristics.
p0f v3 SYN signature (e.g., 4:64:0:*:mss*10,6:mss,sok,ts,nop,ws:df,id+:0). Small changes in MSS, WSCALE, or option order can shift classification.
p0f v3 is from 2012; many distros ship ~320 SYN signatures. Coverage for newer OSes may be incomplete. Treat matches as heuristics and maintain your own allow/deny baselines.
“Mobile IP” ≠ “mobile TCP stack.” If the proxy terminates and re-originates TCP, its Linux stack will be fingerprinted even though the IP belongs to a carrier ASN. Judge mobile exits using ASN + CGNAT traits + performance, not OS alone.
NATs, VPN endpoints, load balancers, and traffic normalizers can adjust TTL or TCP options and change observed signatures; treat borderline matches cautiously.
Use JA4/JA4T (TLS and TCP) alongside p0f to spot intermediaries and standardize fingerprints across sessions.
P0F analyzes subtle variations in TCP/IP packet construction—particularly SYN packets during the TCP three-way handshake—to identify the sender's operating system and network stack. The tool extracts and compares these key fields against its signature database (typically containing 320-322 known OS fingerprints):
Real signature formats:
Source: Cloudflare Blog - TCP/IP fingerprinting documentation
| Method | Detection Type | Stealth | Accuracy |
|---|---|---|---|
| P0F | Passive OS Fingerprinting | ✓ High | ~ Medium-High* |
| Nmap (Active) | Active OS Detection | ✗ Low (detectable) | ✓ Very High |
| DNS Leak Test | DNS Query Analysis | ✓ High | ~ Medium |
| WebRTC Leak | Browser-based | ✓ High | ~ Medium |
*Database limitations: p0f v3 dates to 2012 and the commonly shipped signature sets are limited (~320 entries) and dated; coverage for newer OS versions may be incomplete. P0F results vary behind NAT, VPNs, proxies, and middleboxes. Use as a heuristic signal, not absolute truth.
Note on Nmap: Active OS detection (like Nmap's -O flag) can be more precise than p0f but sends probe packets that can be detected and filtered by IDS/IPS systems. P0F's passive approach avoids triggering security alerts.
Verify that your datacenter proxies don't leak OS signatures that differ from real users. Avoid detection by websites using advanced fingerprinting.
Test whether "mobile" proxies show mobile-like TCP characteristics or reveal Linux server infrastructure.Reality check: Many legitimate mobile proxies will fingerprint as Linux (the proxy host) even though the IP belongs to a carrier ASN. Only setups that originate TCP from an actual smartphone baseband—or intentionally spoof TCP parameters—will resemble iOS/Android at the TCP level.
Use P0F alongside carrier ASN checks, CGNAT patterns, TLS fingerprinting (JA3/JA4), and behavior analysis for comprehensive mobile proxy validation.
Validate residential proxies show diverse OS signatures matching home users, not datacenter infrastructure.
Important: If a residential proxy terminates and re-originates TCP, it will usually fingerprint as the proxy's OS (often Linux), not the home client.
Security professionals use P0F to audit proxy infrastructure and identify potential information leaks in corporate networks.
Explore comprehensive proxy testing and fingerprinting resources
P0F operates by capturing and analyzing SYN packets during TCP handshake establishment. The tool builds a unique signature from multiple TCP/IP header fields:
P0F maintains a signature database containing hundreds of OS fingerprints across various operating systems. Typical installations load approximately 320-322 signatures from the p0f.fp database file. Each signature represents a unique combination of TCP/IP stack characteristics:
| OS Family | Example Signature (p0f v3 format) | Key Identifiers |
|---|---|---|
| Linux | 4:64:0:*:mss*10,6:mss,sok,ts,nop,ws:df,id+:0 | IPv4, TTL=64, common Linux kernel pattern |
| Windows 7 | 4:128:0:*:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0 | IPv4, TTL=128, Win=8192, specific option order |
Source: Cloudflare Blog — TCP/IP Fingerprinting Documentation. Note: p0f v3 uses a compact signature format that varies from earlier versions.
P0F handles both IPv4 and IPv6, primarily analyzing TCP-level characteristics (SYN packets, options, window sizes) which remain similar across IP versions. The main differences:
Both versions rely heavily on TCP-level fingerprinting, making p0f effective regardless of IP version.
Security Operations Centers (SOCs) use P0F to detect unauthorized devices on corporate networks. By identifying unexpected OS signatures, analysts can spot:
E-commerce and financial platforms integrate P0F fingerprinting to identify automated traffic:
Understanding evasion techniques helps security professionals build better detection systems. This information is provided for defensive security research and authorized testing only.
Custom kernel patches can alter TCP/IP stack behavior to mimic different OS signatures. Requires deep system knowledge.
Middleboxes (NAT, firewalls, load balancers) and traffic normalizers can adjust TTL or TCP options, altering fingerprints. This can obscure the original client's TCP stack characteristics.
HTTP/SOCKS proxies that terminate and rebuild connections, presenting consistent signatures.
4:64:0:*:mss*10,6:mss,sok,ts,nop,ws:df,id+:0
Standard Linux TCP stack. Note: Many legitimate “mobile” proxies will show this signature even though the IP belongs to a carrier ASN, because the proxy server (Linux) originates TCP on behalf of the modem. Judge mobile exits using ASN + CGNAT traits + performance, not OS alone.
4:128:0:*:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
Windows 7/10 signature. TTL of 128, window size 8192, specific option order. Common for home users and residential proxy pools. Acceptable for residential-grade infrastructure.
Source: Signature examples from Cloudflare Blog TCP/IP Fingerprinting documentation (p0f v3 format).
P0F alone isn't a definitive "residential" or "mobile" proxy truth oracle. Combine it with:
Many legitimate mobile proxies will fingerprint as Linux at the TCP level even though they use authentic carrier IPs. Why?
Middleboxes (NAT, firewalls, load balancers) and traffic normalizers can adjust TTL or TCP options, altering fingerprints:
💡 Treat borderline matches cautiously. These devices can obscure or replace the original client's TCP characteristics entirely.
Our tool displays the full P0F signature for power users:
64:64:1:60:M*,S,T,N,WThis shows: TTL:Window:Don't Fragment:MSS:TCP Options
Run P0F tests at different times and through different paths. Routing changes and proxy rotation can reveal different signatures.
Establish baseline signatures for known-good proxies in your pool. Compare new proxies against these verified baselines.
Remember P0F signature databases were last majorly updated around 2011-2016. Newer OS versions may not match precisely.
⚠️ Important: P0F requires access to network traffic to function. You must either: (1) Capture live traffic on a network interface with root/admin privileges, (2) Read from a pcap file, or (3) Have traffic transit through your monitoring point (like our online tool). P0F cannot "reach out" to test remote hosts—it only analyzes packets it sees.
# Capture and analyze traffic on interface eth0 (requires root):
sudo p0f -i eth0 -p -o /tmp/p0f.log# Read from pcap file:
p0f -r capture.pcap# API mode for programmatic access:
p0f -i eth0 -s /var/run/p0f.sock# Custom signature file:
p0f -i eth0 -f /etc/p0f/p0f.fp💡 Prefer our online tool? Use the tester above for instant results without local installation or root access.