Passive OS Fingerprinting on Commodity Switches

Operating System (OS) fingerprinting allows network administrators to identify which operating systems are running on the hosts communicating over their network. This information is useful for detecting OS-specific vulnerabilities and for administering OS-related security policies that block, rate-limit, or redirect traffic. Passive fingerprinting can identify hosts’ OS types without active probes that introduce additional network load. However, existing software-based passive fingerprinting tools cannot keep up with the traffic in high-speed networks. This paper presents P40f, a tool that runs on programmable switch hardware to perform OS fingerprinting and apply security policies at line rate. Unlike p0f, P40f can fingerprint devices’ OS types and react to it (e.g., drop, rate-limit) in real time directly in the switch, without requiring any control-plane messages. P40f is a P4 implementation of an existing software tool, p0f. We present our prototype implemented with the P4 language, which compiles and runs on the Intel Tofino switch. We present experiments against packet traces from a real campus network, and make our code publicly available.