Which tool is described as a free passive OS fingerprinting tool that focuses on TCP SYN packets?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which tool is described as a free passive OS fingerprinting tool that focuses on TCP SYN packets?

Explanation:
Understanding passive OS fingerprinting and why p0f fits this role helps explain the answer. Passive OS fingerprinting means figuring out the operating system by observing traffic rather than sending probes. p0f is a free tool designed specifically for this approach. It watches network packets—particularly TCP SYN traffic—and uses characteristics like TTL, initial window size, TCP options, and how sequence numbers behave to compare against a database of known OS fingerprints. Since it doesn’t generate its own probes, it doesn’t actively touch the target, which is the essence of being passive.

The other tools don’t fit as neatly. Nmap is an active scanner that sends crafted packets to elicit responses in order to infer the OS. Wireshark is a packet analyzer used to capture and inspect traffic; it can aid in understanding traffic patterns, but it doesn’t perform automated OS fingerprinting by itself. Metasploit is a penetration testing framework with various modules, including some discovery techniques, but it isn’t a dedicated free passive OS fingerprinting tool focused on TCP SYN analysis.
