.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $FreeBSD$
.\"
.Dd May 31 2007
.Dt PF.OS 5
.Os
.Sh NAME
.Nm pf.os
.Nd format of the operating system fingerprints file
.Sh DESCRIPTION
The
.Xr pf 4
firewall and the
.Xr tcpdump 1
program can both fingerprint the operating system of hosts that
originate an IPv4 TCP connection.
The file consists of newline-separated records, one per fingerprint,
containing nine colon
.Pq Ql \&:
separated fields.
These fields are as follows:
.Pp
.Bl -tag -width Description -offset indent -compact
.It window
The TCP window size.
.It TTL
The IP time to live.
.It df
The presence of the IPv4 don't fragment bit.
.It packet size
The size of the initial TCP packet.
.It TCP options
An ordered list of the TCP options.
.It class
The class of operating system.
.It version
The version of the operating system.
.It subtype
The subtype or patchlevel of the operating system.
.It description
The overall textual description of the operating system, version and subtype.
.El
.Pp
The
.Ar window
field corresponds to the th->th_win field in the TCP header and is the
source host's advertised TCP window size.
It may be between zero and 65,535 inclusive.
The window size may be given as a multiple of a constant by prepending
the size with a percent sign
.Sq %
and the value will be used as a modulus.
Three special values may be used for the window size:
.Pp
.Bl -tag -width xxx -offset indent -compact
.It *
An asterisk will wildcard the value so any window size will match.
.It S
Allow any window size which is a multiple of the maximum segment size (MSS).
.It T
Allow any window size which is a multiple of the maximum transmission unit
(MTU).
.El
.Pp
The
.Ar ttl
value is the initial time to live in the IP header.
The fingerprint code will account for the volatility of the packet's TTL
as it traverses a network.
.Pp
The
.Ar df
bit corresponds to the Don't Fragment bit in an IPv4 header.
It tells intermediate routers not to fragment the packet and is used for
path MTU discovery.
It may be either a zero or a one.
.Pp
The
.Ar packet size
is the literal size of the full IP packet and is a function of all of
the IP and TCP options.
.Pp
The
.Ar TCP options
field is an ordered list of the individual TCP options that appear in the
SYN packet.
Each option is described by a single character separated by a comma and
certain ones may include a value.
The options are:
.Pp
.Bl -tag -width Description -offset indent -compact
.It Mnnn
maximum segment size (MSS) option.
The value is the maximum packet size of the network link which may
include the
.Sq %
modulus or match all MSSes with the
.Sq *
value.
.It N
the NOP option (NO Operation).
.It T[0]
the timestamp option.
Certain operating systems always start with a zero timestamp in which
case a zero value is added to the option; otherwise no value is appended.
.It S
the Selective ACKnowledgement OK (SACKOK) option.
.It Wnnn
window scaling option.
The value is the size of the window scaling which may include the
.Sq %
modulus or match all window scalings with the
.Sq *
value.
.El
.Pp
The absence of any TCP options in the fingerprint is given as a single dot
.Sq \&. .
.Pp
An example of OpenBSD's TCP options is:
.Pp
.Dl M*,N,N,S,N,W0,N,N,T
.Pp
The first option
.Ar M*
is the MSS option and will match all values.
The second and third options
.Ar N
will match two NOPs.
The fourth option
.Ar S
will match the SACKOK option.
The fifth
.Ar N
will match another NOP.
The sixth
.Ar W0
will match a window scaling option with a zero scaling size.
The seventh and eighth
.Ar N
options will match two NOPs.
And the ninth and final option
.Ar T
will match the timestamp option with any time value.
.Pp
The TCP options in a fingerprint will only match packets with the
exact same TCP options in the same order.
.Pp
The
.Ar class
field is the class, genre or vendor of the operating system.
.Pp
The
.Ar version
is the version of the operating system.
It is used to distinguish between different fingerprints of operating
systems of the same class but different versions.
.Pp
The
.Ar subtype
is the subtype or patch level of the operating system version.
It is used to distinguish between different fingerprints of operating
systems of the same class and same version but slightly different
patches or tweaking.
.Pp
The
.Ar description
is a general description of the operating system, its version,
patchlevel and any further useful details.
.Sh EXAMPLES
The fingerprint of a plain
.Ox 3.3
host is:
.Bd -literal
 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
.Ed
.Pp
The fingerprint of an
.Ox 3.3
host behind a PF scrubbing firewall with a no-df rule would be:
.Bd -literal
 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
.Ed
.Pp
An absolutely braindead embedded operating system fingerprint could be:
.Bd -literal
 65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
.Ed
.Pp
The
.Xr tcpdump 1
output of
.Bd -literal
 # tcpdump -s128 -c1 -nv 'tcp[13] == 2'
 03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] \e
 534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \e
 (ttl 64, id 11315, len 44)
.Ed
.Pp
almost translates into the following fingerprint
.Bd -literal
 57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0
.Ed
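.Pp
The following is an added example, not part of this manual page and not
pf's own fingerprinting code: a small Python parser for records in the
format described above, together with a matcher that applies the field
semantics (the
.Sq *
wildcard, the
.Sq %
modulus, the S and T window values, the T0 timestamp case and the
exact-order option comparison) to a SYN observed on the wire.
It loads the records shown in this section.
The TTL tolerance (TTL_MAX_HOPS), the MTU = MSS + 40 rule used for the
T window value, and the records and SYNs marked "constructed" are
assumptions made for illustration, not values taken from pf.

```python
# Added example for this page: a parser/matcher for pf.os records. It is not pf's own
# code; TTL_MAX_HOPS, the MTU = MSS + 40 rule and the "constructed" data are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

TTL_MAX_HOPS = 40   # assumption: how far below its initial TTL a SYN may arrive

@dataclass
class Fingerprint:
    window: str         # "16384", "%8192", "*", "S" (multiple of MSS) or "T" (of MTU)
    ttl: int
    df: int
    size: str           # packet size, same spec syntax as window
    options: List[str]  # e.g. ["M*", "N", "N", "S", "N", "W0", "N", "N", "T"]
    os_class: str
    version: str
    subtype: str
    description: str

@dataclass
class Syn:              # what was observed on the wire
    window: int
    ttl: int
    df: int
    size: int
    options: List[Tuple[str, Optional[int]]]   # ("M", 1460), ("N", None), ("T", 0) ...

def parse_record(line: str) -> Optional[Fingerprint]:
    """Parse one pf.os record; blank and comment lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":", 8)        # description is last and may itself contain ':'
    if len(fields) != 9:
        raise ValueError(f"expected nine colon-separated fields: {line!r}")
    window, ttl, df, size, opts, cls, ver, sub, desc = (f.strip() for f in fields)
    if df not in ("0", "1"):
        raise ValueError(f"df must be 0 or 1: {line!r}")
    options = [] if opts == "." else opts.split(",")   # a single dot means no options
    return Fingerprint(window, int(ttl), int(df), size, options, cls, ver, sub, desc)

def load_db(text: str) -> List[Fingerprint]:
    return [fp for fp in map(parse_record, text.splitlines()) if fp is not None]

def match_int(spec: str, value: int, mss: int = 0, mtu: int = 0) -> bool:
    """'*' any; '%n' multiple of n; 'S' multiple of MSS; 'T' multiple of MTU; else exact."""
    if spec == "*":
        return True
    if spec == "S":
        return mss > 0 and value % mss == 0
    if spec == "T":
        return mtu > 0 and value % mtu == 0
    if spec.startswith("%"):
        mod = int(spec[1:])
        return mod > 0 and value % mod == 0
    return value == int(spec)

def match_option(spec: str, observed: Tuple[str, Optional[int]]) -> bool:
    kind, value = observed
    if not spec or spec[0] != kind:
        return False
    arg = spec[1:]
    if kind in ("N", "S"):             # NOP and SACKOK never carry a value
        return arg == ""
    if kind == "T":                    # "T" matches any timestamp, "T0" only a zero one
        return arg == "" or (arg == "0" and value == 0)
    if kind in ("M", "W") and arg:     # MSS / window scale: "*", "%n" or an exact value
        return value is not None and match_int(arg, value)
    return False

def matches(fp: Fingerprint, syn: Syn) -> bool:
    mss = next((v for k, v in syn.options if k == "M" and v), 0)
    mtu = mss + 40 if mss else 0       # assumption: 20-byte IPv4 + 20-byte TCP header
    if not match_int(fp.window, syn.window, mss, mtu):
        return False
    if syn.ttl > fp.ttl or fp.ttl - syn.ttl > TTL_MAX_HOPS:   # TTL only decreases in flight
        return False
    if fp.df != syn.df or not match_int(fp.size, syn.size, mss, mtu):
        return False
    if len(fp.options) != len(syn.options):   # exact same options in the same order
        return False
    return all(match_option(s, o) for s, o in zip(fp.options, syn.options))

def identify(db: List[Fingerprint], syn: Syn) -> List[str]:
    return [fp.description for fp in db if matches(fp, syn)]

# The records from this page plus one constructed record that uses the '%' modulus.
SAMPLE_PF_OS = """
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0
%8192:128:1:48:M*,N,N,S:DEMO:1::Demo OS (constructed record)
"""

# Constructed SYNs: the tcpdump capture above, and an OpenBSD 3.3 host eight hops away.
EXAMPLE_SYN = Syn(window=57344, ttl=64, df=1, size=44, options=[("M", 1460)])
OPENBSD_SYN = Syn(window=16384, ttl=56, df=1, size=64,
                  options=[("M", 1460), ("N", None), ("N", None), ("S", None), ("N", None),
                           ("W", 0), ("N", None), ("N", None), ("T", 12345)])
```

Calling identify(load_db(SAMPLE_PF_OS), OPENBSD_SYN) returns ["OpenBSD 3.3"]; the same SYN
with df set to 0 returns the scrub no-df record instead, and a SYN whose TTL is above the
fingerprint's initial TTL matches nothing, since a TTL can only decrease in transit.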
.Sh SEE ALSO
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr pfctl 8 ,
.Xr tcpdump 1