How to do it...

The following steps will help you to perform passive OS identification using the p0f command:

  1. If you execute the p0f command directly from the command line without any prior environmental setup, you will notice that it provides very little information unless you are directly interacting with some of the systems on your network.

     This lack of information is evidence of the fact that, unlike the other tools we have discussed, p0f does not go out and actively probe devices in an attempt to determine their operating system. Instead, it just quietly listens.
  2. We could generate traffic here by running an Nmap scan in a separate Terminal, but that defeats the entire purpose of a passive operating system identifier. Instead, we need a way to route other hosts' traffic through our local interface so that we can analyze it passively.
  3. Ettercap provides an excellent solution for this by offering the capability to poison ARP caches and create a man-in-the-middle (MITM) scenario. To have the traffic traveling between two systems rerouted through your local interface, you need to ARP poison both of those systems.

     In the ettercap command used for this, the -M option selects the MITM mode, here given by the arp:remote argument. This indicates that ARP poisoning will be performed and that traffic from remote systems will be sniffed. The IP addresses contained within the opening and closing forward slashes indicate the systems to be poisoned. The -T option indicates that operations will be conducted entirely in the text interface, and the -w option designates the file to which the traffic capture is dumped.
  4. Once you have established your MITM, you can execute p0f once again in a separate Terminal. Assuming the two poisoned hosts are communicating with each other, p0f should now report their traffic.
  5. Every packet that crosses the p0f listener is flagged either as unknown or as matching a specific operating system signature. Once adequate analysis has been performed, you should gracefully close the Ettercap text interface by entering q. This re-ARPs the victims so that no disruption of service occurs.
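The ARP poisoning that makes this recipe work leaves a visible trace on the wire, and so does the re-ARP that Ettercap sends when you quit. As an added defender-side example (not code from the book, and not using p0f or Ettercap), the Python below watches a stream of ARP replies and alerts whenever an IP address suddenly claims a different MAC; the capture it runs over is a constructed sample with hypothetical addresses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sniffer would record it."""
    ts: float        # capture timestamp in seconds
    sender_ip: str   # the IP address the reply claims to own
    sender_mac: str  # the MAC it binds that IP to


@dataclass
class ArpMonitor:
    """Tracks the IP -> MAC binding each host has advertised and alerts
    when an IP's MAC suddenly changes, which is exactly what an
    arp:remote poisoning run (and the restoring re-ARP) looks like."""
    bindings: Dict[str, str] = field(default_factory=dict)

    def observe(self, r: ArpReply) -> Optional[str]:
        """Record the reply; return an alert if it rebinds a known IP."""
        old = self.bindings.get(r.sender_ip)
        self.bindings[r.sender_ip] = r.sender_mac
        if old is None or old == r.sender_mac:
            return None  # first sighting, or a repeat of the same binding
        return f"{r.ts:.1f}s {r.sender_ip} rebound {old} -> {r.sender_mac}"


def detect_poisoning(replies: List[ArpReply]) -> List[str]:
    """Run every reply (in time order) through one monitor; collect alerts."""
    mon = ArpMonitor()
    alerts = [mon.observe(r) for r in sorted(replies, key=lambda r: r.ts)]
    return [a for a in alerts if a is not None]


# Constructed sample (hypothetical addresses): two hosts answer normally,
# a third MAC then claims both of their IPs, repeats the claim to keep the
# caches stale, and finally the true owners re-announce themselves.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.10", "aa:aa:aa:aa:aa:10"),
    ArpReply(0.5, "10.0.0.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(10.0, "10.0.0.10", "cc:cc:cc:cc:cc:01"),  # poisoned
    ArpReply(10.0, "10.0.0.20", "cc:cc:cc:cc:cc:01"),  # poisoned
    ArpReply(11.0, "10.0.0.10", "cc:cc:cc:cc:cc:01"),  # repeat, no new alert
    ArpReply(60.0, "10.0.0.10", "aa:aa:aa:aa:aa:10"),  # re-ARP restores
    ArpReply(60.0, "10.0.0.20", "bb:bb:bb:bb:bb:20"),  # re-ARP restores
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_REPLIES):
        print(alert)
```

On the sample the monitor raises four alerts: two when the attacker MAC takes over both IPs and two more when the re-ARP hands them back, while the repeated poison at 11.0s is silent because the binding did not change.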