.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $FreeBSD$
.\"
.Dd May 31, 2007
.Dt PF.OS 5
.Os
.Sh NAME
.Nm pf.os
.Nd format of the operating system fingerprints file
.Sh DESCRIPTION
The
.Xr pf 4
firewall and the
.Xr tcpdump 1
program can both fingerprint the operating system of hosts that
originate an IPv4 TCP connection.
The file consists of newline-separated records, one per fingerprint,
containing nine colon
.Pq Ql \&:
separated fields.
These fields are as follows:
.Pp
.Bl -tag -width Description -offset indent -compact
.It window
The TCP window size.
.It TTL
The IP time to live.
.It df
The presence of the IPv4 don't fragment bit.
.It packet size
The size of the initial TCP packet.
.It TCP options
An ordered list of the TCP options.
.It class
The class of operating system.
.It version
The version of the operating system.
.It subtype
The subtype or patchlevel of the operating system.
.It description
The overall textual description of the operating system, version and subtype.
.El
.Pp
The
.Ar window
field corresponds to the th->th_win field in the TCP header and is the
source host's advertised TCP window size.
It may be between zero and 65,535 inclusive.
The window size may be given as a multiple of a constant by prepending
the size with a percent sign
.Sq %
and the value will be used as a modulus.
Three special values may be used for the window size:
.Pp
.Bl -tag -width xxx -offset indent -compact
.It *
An asterisk will wildcard the value so any window size will match.
.It S
Allow any window size which is a multiple of the maximum segment size (MSS).
.It T
Allow any window size which is a multiple of the maximum transmission unit
(MTU).
.El
.Pp
The
.Ar ttl
value is the initial time to live in the IP header.
The fingerprint code will account for the volatility of the packet's TTL
as it traverses a network.
.Pp
The
.Ar df
bit corresponds to the Don't Fragment bit in an IPv4 header.
It tells intermediate routers not to fragment the packet and is used for
path MTU discovery.
It may be either a zero or a one.
.Pp
The
.Ar packet size
is the literal size of the full IP packet and is a function of all of
the IP and TCP options.
.Pp
The
.Ar TCP options
field is an ordered list of the individual TCP options that appear in the
SYN packet.
Each option is described by a single character separated by a comma and
certain ones may include a value.
The options are:
.Pp
.Bl -tag -width Description -offset indent -compact
.It Mnnn
maximum segment size (MSS) option.
The value is the maximum packet size of the network link which may
include the
.Sq %
modulus or match all MSSes with the
.Sq *
value.
.It N
the NOP option (NO Operation).
.It T[0]
the timestamp option.
Certain operating systems always start with a zero timestamp in which
case a zero value is added to the option; otherwise no value is appended.
.It S
the Selective ACKnowledgement OK (SACKOK) option.
.It Wnnn
window scaling option.
The value is the size of the window scaling which may include the
.Sq %
modulus or match all window scalings with the
.Sq *
value.
.El
.Pp
No TCP options in the fingerprint may be given with a single dot
.Sq \&. .
.Pp
An example of OpenBSD's TCP options is:
.Pp
.Dl M*,N,N,S,N,W0,N,N,T
.Pp
The first option
.Ar M*
is the MSS option and will match all values.
The second and third options
.Ar N
will match two NOPs.
The fourth option
.Ar S
will match the SACKOK option.
The fifth
.Ar N
will match another NOP.
The sixth
.Ar W0
will match a window scaling option with a zero scaling size.
The seventh and eighth
.Ar N
options will match two NOPs.
And the ninth and final option
.Ar T
will match the timestamp option with any time value.
.Pp
The TCP options in a fingerprint will only match packets with the
exact same TCP options in the same order.
.Pp
The
.Ar class
field is the class, genre or vendor of the operating system.
.Pp
The
.Ar version
is the version of the operating system.
It is used to distinguish between different fingerprints of operating
systems of the same class but different versions.
.Pp
The
.Ar subtype
is the subtype or patch level of the operating system version.
It is used to distinguish between different fingerprints of operating
systems of the same class and same version but slightly different
patches or tweaking.
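A small parser and matcher for the record format described above, added here as an example (it is not pf's own code and not part of this manual page). It assumes that an observed TTL matches a fingerprint when it is at or below the fingerprint's initial TTL, and it approximates the MTU used by the T window rule as the MSS plus 40 bytes of IPv4 and TCP headers.

```python
# Added example, not pf's own code. Assumed: observed TTL <= initial TTL; MTU ~= MSS + 40.
def _num_match(pattern, value):
    """'*' matches anything, '%n' requires value % n == 0, otherwise exact match."""
    if pattern == "*":
        return True
    if pattern.startswith("%"):
        return value % int(pattern[1:]) == 0
    return value == int(pattern)

def parse_record(line):
    """Split one pf.os line into its nine colon-separated fields."""
    f = line.split(":", 8)
    if len(f) != 9:
        raise ValueError("expected nine fields: %r" % line)
    return {"window": f[0], "ttl": int(f[1]), "df": int(f[2]), "size": int(f[3]),
            "opts": [] if f[4] == "." else f[4].split(","),
            "class": f[5], "version": f[6], "subtype": f[7], "desc": f[8]}

def _opt_match(pat, kind, value):
    """Compare one fingerprint option token with one observed (kind, value)."""
    if pat[0] != kind:
        return False
    if kind in ("M", "W"):
        return _num_match(pat[1:], value)
    if kind == "T":                        # 'T0' needs a zero timestamp, 'T' any
        return pat == "T" or (pat == "T0" and value == 0)
    return True                            # N and S carry no value

def match(fp, pkt):
    """pkt: dict(window, ttl, df, size, opts=[(kind, value), ...]) from a SYN."""
    mss = dict(pkt["opts"]).get("M", 0)
    if fp["window"] in ("S", "T"):         # multiple of the MSS, or of the MTU
        ok = mss > 0 and pkt["window"] % (mss if fp["window"] == "S" else mss + 40) == 0
    else:
        ok = _num_match(fp["window"], pkt["window"])
    if not ok or pkt["df"] != fp["df"] or pkt["size"] != fp["size"]:
        return False
    if not 0 < pkt["ttl"] <= fp["ttl"]:    # TTL is decremented at every hop
        return False
    return len(fp["opts"]) == len(pkt["opts"]) and all(
        _opt_match(p, k, v) for p, (k, v) in zip(fp["opts"], pkt["opts"]))

def identify(db, pkt):                     # description of the first match, or None
    return next((fp["desc"] for fp in db if match(fp, pkt)), None)

# Constructed sample database: the records from the EXAMPLES section (class field trimmed).
SAMPLE_DB = [parse_record(l) for l in (
    "16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3",
    "16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df",
    "65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3",
    "57344:64:1:44:M1460:exampleOS:1.0::exampleOS 1.0")]
```

Observed options are passed as (kind, value) pairs in SYN order, with None as the value for N and S, so the matcher can check both option identity and order as the text requires.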
.Pp
The
.Ar description
is a general description of the operating system, its version,
patchlevel and any further useful details.
.Sh EXAMPLES
The fingerprint of a plain
.Ox 3.3
host is:
.Bd -literal
 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
.Ed
.Pp
The fingerprint of an
.Ox 3.3
host behind a PF scrubbing firewall with a no-df rule would be:
.Bd -literal
 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
.Ed
.Pp
An absolutely braindead embedded operating system fingerprint could be:
.Bd -literal
 65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
.Ed
.Pp
The
.Xr tcpdump 1
output of
.Bd -literal
 # tcpdump -s128 -c1 -nv 'tcp[13] == 2'
 03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] \e
 534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \e
 (ttl 64, id 11315, len 44)
.Ed
.Pp
almost translates into the following fingerprint
.Bd -literal
 57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0
.Ed
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr pfctl 8