.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd May 31, 2007
.Dt PF.OS 5
.Os
.Sh NAME
.Nm pf.os
.Nd format of the operating system fingerprints file
.Sh DESCRIPTION
The
.Xr pf 4
firewall and the
.Xr tcpdump 1
program can both fingerprint the operating system of hosts that
originate an IPv4 TCP connection.
The file consists of newline-separated records, one per fingerprint,
containing nine colon
.Pq Ql \&:
separated fields.
These fields are as follows:
.Pp
.Bl -tag -width Description -offset indent -compact
.It window
The TCP window size.
.It TTL
The IP time to live.
.It df
The presence of the IPv4 don't fragment bit.
.It packet size
The size of the initial TCP packet.
.It TCP options
An ordered list of the TCP options.
.It class
The class of operating system.
.It version
The version of the operating system.
.It subtype
The subtype or patchlevel of the operating system.
.It description
The overall textual description of the operating system, version and subtype.
.El
.Pp
The
.Ar window
field corresponds to the th->th_win field in the TCP header and is the
source host's advertised TCP window size.
It may be between zero and 65,535 inclusive.
The window size may be given as a multiple of a constant by prepending
the size with a percent sign
.Sq %
and the value will be used as a modulus.
Three special values may be used for the window size:
.Pp
.Bl -tag -width xxx -offset indent -compact
.It *
An asterisk will wildcard the value so any window size will match.
.It S
Allow any window size which is a multiple of the maximum segment size (MSS).
.It T
Allow any window size which is a multiple of the maximum transmission unit
(MTU).
.El
.Pp
The
.Ar ttl
value is the initial time to live in the IP header.
The fingerprint code will account for the volatility of the packet's TTL
as it traverses a network.
.Pp
The
.Ar df
bit corresponds to the Don't Fragment bit in an IPv4 header.
It tells intermediate routers not to fragment the packet and is used for
path MTU discovery.
It may be either a zero or a one.
.Pp
The
.Ar packet size
is the literal size of the full IP packet and is a function of all of
the IP and TCP options.
.Pp
The
.Ar TCP options
field is an ordered list of the individual TCP options that appear in the
SYN packet.
Each option is described by a single character separated by a comma and
certain ones may include a value.
The options are:
.Pp
.Bl -tag -width Description -offset indent -compact
.It Mnnn
maximum segment size (MSS) option.
The value is the maximum packet size of the network link which may
include the
.Sq %
modulus or match all MSSes with the
.Sq *
value.
.It N
the NOP option (NO Operation).
.It T[0]
the timestamp option.
Certain operating systems always start with a zero timestamp in which
case a zero value is added to the option; otherwise no value is appended.
.It S
the Selective ACKnowledgement OK (SACKOK) option.
.It Wnnn
window scaling option.
The value is the size of the window scaling which may include the
.Sq %
modulus or match all window scalings with the
.Sq *
value.
.El
.Pp
No TCP options in the fingerprint may be given with a single dot
.Sq \&. .
.Pp
An example of OpenBSD's TCP options is:
.Pp
.Dl M*,N,N,S,N,W0,N,N,T
.Pp
The first option
.Ar M*
is the MSS option and will match all values.
The second and third options
.Ar N
will match two NOPs.
The fourth option
.Ar S
will match the SACKOK option.
The fifth
.Ar N
will match another NOP.
The sixth
.Ar W0
will match a window scaling option with a zero scaling size.
The seventh and eighth
.Ar N
options will match two NOPs.
And the ninth and final option
.Ar T
will match the timestamp option with any time value.
.Pp
The TCP options in a fingerprint will only match packets with the
exact same TCP options in the same order.
.Pp
The
.Ar class
field is the class, genre or vendor of the operating system.
.Pp
The
.Ar version
is the version of the operating system.
It is used to distinguish between different fingerprints of operating
systems of the same class but different versions.
.Pp
The
.Ar subtype
is the subtype or patch level of the operating system version.
It is used to distinguish between different fingerprints of operating
systems of the same class and same version but slightly different
patches or tweaking.
.Pp
The
.Ar description
is a general description of the operating system, its version,
patchlevel and any further useful details.
.Sh EXAMPLES
The fingerprint of a plain
.Ox 3.3
host is:
.Bd -literal
 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
.Ed
.Pp
The fingerprint of an
.Ox 3.3
host behind a PF scrubbing firewall with a no-df rule would be:
.Bd -literal
 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
.Ed
.Pp
An absolutely braindead embedded operating system fingerprint could be:
.Bd -literal
 65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
.Ed
.Pp
The
.Xr tcpdump 1
output of
.Bd -literal
 # tcpdump -s128 -c1 -nv 'tcp[13] == 2'
 03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] \e
 534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \e
 (ttl 64, id 11315, len 44)
.Ed
.Pp
almost translates into the following fingerprint
.Bd -literal
 57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0
.Ed
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr pfctl 8
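As an added illustration that is not pfctl's own code, the following Python parser and matcher implements the nine-field record format and the window and TCP-option modifiers described in DESCRIPTION, and tries it against the OpenBSD 3.3 and exampleOS records from EXAMPLES. It assumes that an observed TTL must not exceed the record's initial TTL and that the MTU used by the T modifier is the MSS plus 40 bytes of IP and TCP header; both are assumptions of this example, not statements of the page.

```python
# Parser and matcher for pf.os records (added example; not pfctl's own code).
# Assumptions: observed TTL <= record TTL, and MTU = MSS + 40 for the 'T' modifier.
FIELDS = ("window", "ttl", "df", "size", "opts", "class", "version", "subtype", "desc")

def parse_record(line):
    """Split one record into its nine colon-separated fields; '.' means no options."""
    parts = [p.strip() for p in line.rstrip("\n").split(":")]
    if len(parts) != len(FIELDS):
        raise ValueError("expected 9 fields, got %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    rec["opts"] = [] if rec["opts"] == "." else rec["opts"].split(",")
    return rec

def match_value(spec, value, mss=None, mtu=None):
    """'*' any; '%N' multiple of N; 'S'/'T' multiple of MSS/MTU; otherwise literal."""
    if spec == "*":
        return True
    if spec in ("S", "T"):
        base = mss if spec == "S" else mtu
        return bool(base) and value % base == 0
    if spec.startswith("%"):
        return value % int(spec[1:]) == 0
    return value == int(spec)

def match_options(spec_opts, syn_opts):
    """Options must agree one-for-one, in order; M/W carry values, T0 needs a zero timestamp."""
    if len(spec_opts) != len(syn_opts):
        return False
    for spec, (kind, val) in zip(spec_opts, syn_opts):
        if spec[0] != kind or (kind in "MW" and not match_value(spec[1:], val)):
            return False
        if spec == "T0" and val != 0:
            return False
    return True

def match_syn(rec, syn):
    """syn: dict with window, ttl, df, size and opts as [(kind, value), ...]."""
    mss = next((v for k, v in syn["opts"] if k == "M"), None)
    return (match_value(rec["window"], syn["window"], mss, mss + 40 if mss else None)
            and syn["ttl"] <= int(rec["ttl"])         # TTL only decreases in transit
            and syn["df"] == int(rec["df"])
            and syn["size"] == int(rec["size"])
            and match_options(rec["opts"], syn["opts"]))

# Constructed samples: the page's OpenBSD 3.3 and exampleOS records, plus two SYNs.
OPENBSD33 = parse_record("16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3")
EXAMPLEOS = parse_record("57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0")
SYN_TCPDUMP = {"window": 57344, "ttl": 64, "df": 1, "size": 44, "opts": [("M", 1460)]}
SYN_OPENBSD = {"window": 16384, "ttl": 61, "df": 1, "size": 64, "opts": [("M", 1460), ("N", None),
    ("N", None), ("S", None), ("N", None), ("W", 0), ("N", None), ("N", None), ("T", 1234)]}
```

SYN_TCPDUMP carries the values from the tcpdump output in EXAMPLES; SYN_OPENBSD is a constructed OpenBSD-style SYN observed three hops away, which still matches because only the initial TTL is recorded.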