*nix Documentation Project
·  Home
 +   man pages
·  Linux HOWTOs
·  FreeBSD Tips
·  *niX Forums

  man pages->OpenBSD man pages -> pf.os (5)              



NAME    [Toc]    [Back]

     pf.os - format of the operating system fingerprints file

DESCRIPTION    [Toc]    [Back]

     The pf(4) firewall and the tcpdump(8) program can both  fingerprint the
     operating system of hosts that originate an IPv4 TCP connection.  The
     file consists of newline-separated records, one per  fingerprint, containing
  nine colon (`:') separated fields.  These fields are as

           window       The TCP window size.
           TTL          The IP time to live.
           df           The presence of the IPv4  don't  fragment
           packet size  The size of the initial TCP packet.
           TCP options  An ordered list of the TCP options.
           class        The class of operating system.
           version      The version of the operating system.
           subtype       The subtype of patchlevel of the operating system.
           description  The overall textual  description  of  the
operating system,
 version and subtype.

     The  window field corresponds to the th->th_win field in the
TCP header
     and is the source host's advertised TCP window size.  It may
be between
     zero  and 65,535 inclusive.  The window size may be given as
a multiple of
     a constant by prepending the size with a  percent  sign  `%'
and the value
     will be used as a modulus.  Three special values may be used
for the window

           *    An asterisk will wildcard the value so any window
size will
           S     Allow any window size which is a multiple of the
maximum segment
 size (MSS).
           T    Allow any window size which is a multiple of  the
                transmission unit (MTU).

     The  ttl value is the initial time to live in the IP header.
The fingerprint
 code will account for the volatility of  the  packet's
TTL as it traverses
 a network.

     The  df bit corresponds to the Don't Fragment bit in an IPv4
header.  It
     tells intermediate routers not to fragment the packet and is
used for
     path MTU discovery.  It may be either a zero or a one.

     The  packet  size  is the literal size of the full IP packet
and is a function
 of all of the IP and TCP options.

     The TCP options field is an ordered list of  the  individual
TCP options
     that  appear in the SYN packet.  Each option is described by
a single
     character separated by a comma and certain ones may  include
a value.  The
     options are:

           Mnnn          maximum  segment size (MSS) option.  The
value is the
                        maximum packet size of the  network  link
which may include
  the `%' modulus or match all MSSes
with the `*'
           N            the NOP option (NO Operation).
           T[0]         the timestamp option.  Certain  operating
systems always
 start with a zero timestamp in which
case a zero
                        value is added to the  option;  otherwise
no value is
           S            the Selective ACKnowledgement OK (SACKOK)
           Wnnn         window scaling option.  The value is  the
size of the
                        window  scaling which may include the `%'
modulus or
                        match all window scalings  with  the  `*'

     No TCP options in the fingerprint may be given with a single
dot `.'.

     An example of OpenBSD's TCP options are:


     The first option M* is the MSS option  and  will  match  all
values.  The
     second  and third options N will match two NOPs.  The fourth
option S will
     match the SACKOK option.  The fifth  N  will  match  another
NOP.  The sixth
     W0  will  match  a window scaling option with a zero scaling
size.  The seventh
 and eighth N options will  match  two  NOPs.   And  the
ninth and final
     option  T will match the timestamp option with any time value.

     The TCP options in a fingerprint  will  only  match  packets
with the exact
     same TCP options in the same order.

     The class field is the class, genre or vendor of the operating system.

     The version is the version of the operating system.   It  is
used to distinguish
 between different fingerprints of operating systems
of the same
     class but different versions.

     The subtype is the subtype or patch level of  the  operating
system version.
   It  is used to distinguish between different fingerprints of operating
 systems of the same class and same version but slightly different
     patches or tweaking.

     The  description  is  a general description of the operating
system, its
     version, patchlevel and any further useful details.

EXAMPLES    [Toc]    [Back]

     The fingerprint of a plain OpenBSD 3.3 host is:

       16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3

     The fingerprint of an OpenBSD 3.3 host behind a PF scrubbing
     with a no-df rule would be:

3.3 scrub no-df

     An  absolutely  braindead  embedded operating system fingerprint could be:

       65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3

     The tcpdump(8) output of

       # tcpdump -s128 -c1 -nv 'tcp[13] == 2'
       03:13:48.118526 > S [tcp sum ok]
534596083:534596083(0)  win  57344  <mss  1460>  (DF)  [tos 0x10]
(ttl 64, id 11315)

     almost translates into the following fingerprint

       57344:64:1:44:M1460:  exampleOS:1.0::exampleOS 1.0

     tcpdump(8) does not explicitly give the packet length.   But
it can usually
  be  derived by adding the size of the IPv4 header to the
size of the
     TCP header to the size of the TCP options.  The size of both
headers is
     typically twenty each and the usual sizes of the TCP options

           mss        four bytes.
           nop        1 byte.
           sackOK     two bytes.
           timestamp  ten bytes.
           wscale     three bytes.

     In the above example, the packet size comes out to 44 bytes.

SEE ALSO    [Toc]    [Back]

     pf(4), pf.conf(5), pfctl(8), tcpdump(8)

OpenBSD      3.6                          August     18,     2003
[ Back ]
 Similar pages
Name OS Title
prf IRIX operating system profiler
uname OpenBSD print operating system name
pxfuname IRIX Retrieves the operating system name
DXmCvtOStoCS Tru64 Converts a string in the operating-systemspecific format to a compound string.
update-ux HP-UX updates the HP-UX operating system from new HP-UX media
uname Tru64 Displays information about the operating system
savecore FreeBSD save a core dump of the operating system
savecore OpenBSD save a core dump of the operating system
savecrash HP-UX save a crash dump of the operating system
osview IRIX monitor operating system activity data
Copyright © 2004-2005 DeniX Solutions SRL
newsletter delivery service