.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd May 31, 2007
.Dt PF.OS 5
.Os
.Sh NAME
.Nm pf.os
.Nd format of the operating system fingerprints file
.Sh DESCRIPTION
The
.Xr pf 4
firewall and the
.Xr tcpdump 1
program can both fingerprint the operating system of hosts that
originate an IPv4 TCP connection.
The file consists of newline-separated records, one per fingerprint,
containing nine colon
.Pq Ql \&:
separated fields.
These fields are as follows:
.Pp
.Bl -tag -width Description -offset indent -compact
.It window
The TCP window size.
.It TTL
The IP time to live.
.It df
The presence of the IPv4 don't fragment bit.
.It packet size
The size of the initial TCP packet.
.It TCP options
An ordered list of the TCP options.
.It class
The class of operating system.
.It version
The version of the operating system.
.It subtype
The subtype or patchlevel of the operating system.
.It description
The overall textual description of the operating system, version and subtype.
.El
.Pp
The
.Ar window
field corresponds to the th->th_win field in the TCP header and is the
source host's advertised TCP window size.
It may be between zero and 65,535 inclusive.
The window size may be given as a multiple of a constant by prepending
the size with a percent sign
.Sq %
and the value will be used as a modulus.
Three special values may be used for the window size:
.Pp
.Bl -tag -width xxx -offset indent -compact
.It *
An asterisk will wildcard the value so any window size will match.
.It S
Allow any window size which is a multiple of the maximum segment size (MSS).
.It T
Allow any window size which is a multiple of the maximum transmission unit
(MTU).
.El
.Pp
The
.Ar ttl
value is the initial time to live in the IP header.
The fingerprint code will account for the volatility of the packet's TTL
as it traverses a network.
.Pp
The
.Ar df
bit corresponds to the Don't Fragment bit in an IPv4 header.
It tells intermediate routers not to fragment the packet and is used for
path MTU discovery.
It may be either a zero or a one.
.Pp
The
.Ar packet size
is the literal size of the full IP packet and is a function of all of
the IP and TCP options.
.Pp
The
.Ar TCP options
field is an ordered list of the individual TCP options that appear in the
SYN packet.
Each option is described by a single character separated by a comma and
certain ones may include a value.
The options are:
.Pp
.Bl -tag -width Description -offset indent -compact
.It Mnnn
maximum segment size (MSS) option.
The value is the maximum packet size of the network link which may
include the
.Sq %
modulus or match all MSSes with the
.Sq *
value.
.It N
the NOP option (NO Operation).
.It T[0]
the timestamp option.
Certain operating systems always start with a zero timestamp in which
case a zero value is added to the option; otherwise no value is appended.
.It S
the Selective ACKnowledgement OK (SACKOK) option.
.It Wnnn
window scaling option.
The value is the size of the window scaling which may include the
.Sq %
modulus or match all window scalings with the
.Sq *
value.
.El
.Pp
A fingerprint with no TCP options at all is given as a single dot
.Sq \&. .
.Pp
An example of OpenBSD's TCP options is:
.Pp
.Dl M*,N,N,S,N,W0,N,N,T
.Pp
The first option
.Ar M*
is the MSS option and will match all values.
The second and third options
.Ar N
will match two NOPs.
The fourth option
.Ar S
will match the SACKOK option.
The fifth
.Ar N
will match another NOP.
The sixth
.Ar W0
will match a window scaling option with a zero scaling size.
The seventh and eighth
.Ar N
options will match two NOPs.
And the ninth and final option
.Ar T
will match the timestamp option with any time value.
.Pp
The TCP options in a fingerprint will only match packets with the
exact same TCP options in the same order.
.Pp
The
.Ar class
field is the class, genre or vendor of the operating system.
.Pp
The
.Ar version
is the version of the operating system.
It is used to distinguish between different fingerprints of operating
systems of the same class but different versions.
.Pp
The
.Ar subtype
is the subtype or patch level of the operating system version.
It is used to distinguish between different fingerprints of operating
systems of the same class and same version but slightly different
patches or tweaking.
.Pp
The
.Ar description
is a general description of the operating system, its version,
patchlevel and any further useful details.
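The record format and the matching rules described above (window specs, TTL allowance, df, packet size and the ordered option list with its M, N, T[0], S and W entries), as an added Python example that is not part of pf(4) or of this manual page. The dict used to represent a SYN's features, the 32-hop TTL allowance and the MSS/MTU values used for the S and T window rules are assumptions made for illustration.

```python
# Parse pf.os(5) records and match them against the features of a TCP SYN. Added
# example, not pf(4) code: the SYN feature dicts, the TTL hop allowance and the
# MSS/MTU used for the S and T window rules are assumptions made for illustration.
def parse_value(tok):  # '*' any, 'S'/'T' multiple of MSS/MTU, '%N' modulus, else literal
    if tok in ("*", "S", "T"):
        return (tok, None)
    return ("%", int(tok[1:])) if tok.startswith("%") else ("=", int(tok))
def parse_option(tok):  # M and W carry a value spec; T0 demands a zero timestamp
    kind, val = tok[0], tok[1:]
    if kind in "MW":
        return (kind, parse_value(val))
    return (kind, 0 if kind == "T" and val == "0" else None)  # N, S, plain T carry none
def parse_record(line):
    f = line.split(":")
    if len(f) != 9:
        raise ValueError("expected nine colon-separated fields: %r" % line)
    opts = [] if f[4] == "." else [parse_option(o) for o in f[4].split(",")]  # '.' = no options
    return {"window": parse_value(f[0]), "ttl": int(f[1]), "df": int(f[2]), "size": int(f[3]),
            "opts": opts, "class": f[5], "version": f[6], "subtype": f[7], "description": f[8]}
def value_matches(spec, actual, mss, mtu):
    kind, n = spec
    if kind in ("*", "=", "%"):
        return kind == "*" or (actual == n if kind == "=" else actual % n == 0)
    base = mss if kind == "S" else mtu  # S: multiple of the MSS, T: multiple of the MTU
    return base > 0 and actual % base == 0
def matches(fp, syn, ttl_slack=32):  # syn: win, ttl, df, size, mss, mtu and ordered opts
    mss, mtu = syn["mss"], syn["mtu"]
    if not value_matches(fp["window"], syn["win"], mss, mtu): return False
    if not 0 <= fp["ttl"] - syn["ttl"] <= ttl_slack: return False  # TTL drops one per hop
    if fp["df"] != syn["df"] or fp["size"] != syn["size"]: return False
    if len(fp["opts"]) != len(syn["opts"]): return False  # same options, same order only
    for (kind, spec), (akind, aval) in zip(fp["opts"], syn["opts"]):
        if kind != akind: return False
        if kind in "MW" and not value_matches(spec, aval, mss, mtu): return False
        if kind == "T" and spec == 0 and aval != 0: return False
    return True
RECORDS = [  # the four fingerprints shown in EXAMPLES
    "16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3",
    "16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df",
    "65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3",
    "57344:64:1:44:M1460:exampleOS:1.0::exampleOS 1.0"]
def syn(win, ttl, df, size, opts, mss=1460, mtu=1500):  # constructed SYN features
    parsed = [] if opts == "." else [(o[0], int(o[1:]) if o[1:] else None) for o in opts.split(",")]
    return {"win": win, "ttl": ttl, "df": df, "size": size, "mss": mss, "mtu": mtu, "opts": parsed}
def identify(s, records=RECORDS):
    return [fp["description"] for fp in map(parse_record, records) if matches(fp, s)]
# Constructed inputs: the tcpdump capture from EXAMPLES, and an OpenBSD 3.3-style
# SYN seen four hops away (ttl 60) that carries a nonzero timestamp.
TCPDUMP_SYN = syn(57344, 64, 1, 44, "M1460")
OPENBSD_SYN = syn(16384, 60, 1, 64, "M1460,N,N,S,N,W0,N,N,T98765")
```

Running identify(TCPDUMP_SYN) yields only the exampleOS record, and identify(OPENBSD_SYN) only OpenBSD 3.3, since the scrub no-df variant differs in the df field.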
.Sh EXAMPLES
The fingerprint of a plain
.Ox 3.3
host is:
.Bd -literal
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
.Ed
.Pp
The fingerprint of an
.Ox 3.3
host behind a PF scrubbing firewall with a no-df rule would be:
.Bd -literal
16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
.Ed
.Pp
An absolutely braindead embedded operating system fingerprint could be:
.Bd -literal
65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
.Ed
.Pp
The
.Xr tcpdump 1
output of
.Bd -literal
# tcpdump -s128 -c1 -nv 'tcp[13] == 2'
03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] \e
534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \e
(ttl 64, id 11315, len 44)
.Ed
.Pp
almost translates into the following fingerprint
.Bd -literal
57344:64:1:44:M1460:exampleOS:1.0::exampleOS 1.0
.Ed
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr pfctl 8