Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
September 16, 2021 20:31
October 25, 2023 16:07
September 30, 2021 08:22
November 8, 2019 17:54
July 1, 2023 10:14
July 4, 2023 09:38
July 2, 2023 19:30
January 4, 2022 14:02
July 4, 2023 10:36
September 27, 2022 04:34
October 27, 2021 14:32
November 11, 2018 18:08


Python rewrite of passive OS fingerprinting tool.

It currently supports fingerprinting by the following means:

  • DHCP
  • TCP
  • HTTP (User Agent and Server)
  • SMB (TCP and UDP)
  • SSL (JA3/JA3S)

This program was started back in 2004 and had a decent life as a windows program, doing passive OS fingerprinting for 10 years with regular updates, but it fell by the wayside. It has been a goal to get it back out here, written in something that I could share the code with others.

I am NOT a programmer, I hack code together, so this is what it is. Time permitting I'll continue to bring new modules into this that were in the windows version and more importantly update the fingerprint files.

interesting notes

Verified it appears to run fine on Risc V Architecture on the VisionFive 2 at least with no mods.

ssl - if you want more fingerprints

You'll need to download the json file if you want a decent DB of fingerprints, otherwise the xml version that is part of satori right now is primarily from

To download the ones do a ' --ja3update'. Though please be aware it is going to ignore the cert when it goes to download this, if you are not comfortable with that grab the file manually and drop it in the fingerprint directory.


os related

  • libpcap-dev

os related Armbian

  • python3-dev

python related

  • python3
  • pypacker*
  • pcapy* (Due to problems with pcapy I would recommend pcapyplus instead - depending on distro may need these installed prior:libpcap-dev, python3-dev; along with setuptools if using pip3 to install)
  • pcapyplus (same warnings as pcapy, but this seems to work with latest setuptools)
  • untangle*
  • requests* (new requirement for the SSL fingerprinting)


  • netifaces* (while not specifically needed saves some error messages at least on rasbianos)

*(if you use pip to install it, remember to use pip3)


periodically get the latest fingerprint files and any updates:

  • git pull


  • python3 -r [some pcap] -m [one of the modules]
  • python3 -i [some interface] -m [one of the modules]

modules feature is optional

I have added the ability to listen to live packets, but be aware, you are running as root typically to do this, use at own risk as mentioned before, I am by no means a programmer!


I'm only a novice working with graylog, but feeding satori logs into it is much faster for processing through them after the fact than grep!

You can do things like " NOT os_guess:* " to find devices that satori was unable to provide a guess at the OS.

The content pack currently contains about 5 rules to properly parse the data. It may not be ideal on how they are configured, I've spent a very limited amount of timing with graylog! It has worked well enough for what I've done in testing. nxlog would probably be a good way to inject them into graylog, but to date I've just used netcat and pushed them into a raw tcp listener!


This currently really is version 0.1 of this. Just to reiterate I am not a programmer, expecially in python, I just hack stuff together, so you have been warned. But with that said, seems stable at this point and I've been running it in production like systems since I put this out here!


Python rewrite of passive OS fingerprinting tool







No releases published


No packages published