.\" $NetBSD: pf.os.5,v 1.7 2018/08/17 12:36:53 maxv Exp $
.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.Dd August 17, 2018
.Dt PF.OS 5
.Os
.Sh NAME
.Nm pf.os
.Nd format of the operating system fingerprints file
.Sh DESCRIPTION
.Bf -symbolic
The NetBSD version of PF is obsolete, and its use is strongly discouraged.
Use
.Xr npf 7
instead.
.Pp
.Ef
The
.Xr pf 4
firewall and the
.Xr tcpdump 8
program can both fingerprint the operating system of hosts that
originate an IPv4 TCP connection.
The file consists of newline-separated records, one per fingerprint,
containing nine colon
.Pq Ql \&:
separated fields.
These fields are as follows:
.Pp
.Bl -tag -width Description -offset indent -compact
.It window
The TCP window size.
.It TTL
The IP time to live.
.It df
The presence of the IPv4 don't fragment bit.
.It packet size
The size of the initial TCP packet.
.It TCP options
An ordered list of the TCP options.
.It class
The class of operating system.
.It version
The version of the operating system.
.It subtype
The subtype or patchlevel of the operating system.
.It description
The overall textual description of the operating system, version and subtype.
.El
.Pp
The
.Ar window
field corresponds to the th->th_win field in the TCP header and is the
source host's advertised TCP window size.
It may be between zero and 65,535 inclusive.
The window size may be given as a multiple of a constant by prepending
the size with a percent sign
.Sq %
and the value will be used as a modulus.
Three special values may be used for the window size:
.Pp
.Bl -tag -width xxx -offset indent -compact
.It *
An asterisk will wildcard the value so any window size will match.
.It S
Allow any window size which is a multiple of the maximum segment size (MSS).
.It T
Allow any window size which is a multiple of the maximum transmission unit
(MTU).
.El
.Pp
The
.Ar ttl
value is the initial time to live in the IP header.
The fingerprint code will account for the volatility of the packet's TTL
as it traverses a network.
.Pp
The
.Ar df
bit corresponds to the Don't Fragment bit in an IPv4 header.
It tells intermediate routers not to fragment the packet and is used for
path MTU discovery.
It may be either a zero or a one.
.Pp
The
.Ar packet size
is the literal size of the full IP packet and is a function of all of
the IP and TCP options.
.Pp
The
.Ar TCP options
field is an ordered list of the individual TCP options that appear in the
SYN packet.
Options are separated by commas; each is denoted by a single character,
and certain ones carry a value.
The options are:
.Pp
.Bl -tag -width Description -offset indent -compact
.It Mnnn
maximum segment size (MSS) option.
The value is the maximum packet size of the network link which may
include the
.Sq %
modulus or match all MSSes with the
.Sq *
value.
.It N
the NOP option (NO Operation).
.It T[0]
the timestamp option.
Certain operating systems always start with a zero timestamp in which
case a zero value is added to the option; otherwise no value is appended.
.It S
the Selective ACKnowledgement OK (SACKOK) option.
.It Wnnn
window scaling option.
The value is the size of the window scaling which may include the
.Sq %
modulus or match all window scalings with the
.Sq *
value.
.El
.Pp
No TCP options in the fingerprint may be given with a single dot
.Sq \&. .
.Pp
An example of OpenBSD's TCP options is:
.Pp
.Dl M*,N,N,S,N,W0,N,N,T
.Pp
The first option
.Ar M*
is the MSS option and will match all values.
The second and third options
.Ar N
will match two NOPs.
The fourth option
.Ar S
will match the SACKOK option.
The fifth
.Ar N
will match another NOP.
The sixth
.Ar W0
will match a window scaling option with a zero scaling size.
The seventh and eighth
.Ar N
options will match two NOPs.
And the ninth and final option
.Ar T
will match the timestamp option with any time value.
.Pp
The TCP options in a fingerprint will only match packets with the
exact same TCP options in the same order.
.Pp
The
.Ar class
field is the class, genre or vendor of the operating system.
.Pp
The
.Ar version
is the version of the operating system.
It is used to distinguish between different fingerprints of operating
systems of the same class but different versions.
.Pp
The
.Ar subtype
is the subtype or patch level of the operating system version.
It is used to distinguish between different fingerprints of operating
systems of the same class and same version but slightly different
patches or tweaking.
.Pp
The
.Ar description
is a general description of the operating system, its version,
patchlevel and any further useful details.
.Sh EXAMPLES
The fingerprint of a plain
.Ox 3.3
host is:
.Bd -literal
 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
.Ed
.Pp
The fingerprint of an
.Ox 3.3
host behind a PF scrubbing firewall with a no-df rule would be:
.Bd -literal
 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
.Ed
.Pp
An absolutely braindead embedded operating system fingerprint could be:
.Bd -literal
 65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
.Ed
.Pp
The
.Xr tcpdump 8
output of
.Bd -literal
 # tcpdump -s128 -c1 -nv 'tcp[13] == 2'
 03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] \e
 534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \e
 (ttl 64, id 11315, len 44)
.Ed
.Pp
almost translates into the following fingerprint
.Bd -literal
 57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0
.Ed
.Sh SEE ALSO
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr pfctl 8 ,
.Xr tcpdump 8
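The field rules above (the `*` wildcard, the `%` modulus, the `S` and `T` window multiples, the ordered option list, `T0` versus `T`, and `.` for no options) can be exercised with a small parser and matcher. The code below is an added example written for this page; it is not pf's or pfctl's own implementation. Its sample file is constructed from the records in EXAMPLES, and two details are assumptions the page does not state: an observed TTL matches a fingerprint whose initial TTL is equal or higher (TTL only decrements in transit), and the MTU used for the `T` window rule is MSS + 40 (20-byte IPv4 header plus 20-byte TCP header). Treating lines starting with `#` as comments is likewise an assumption.

```python
# Added example (not pf's or pfctl's code): parse pf.os records and match a
# SYN against them using the rules the man page describes. Assumptions not
# stated on the page: an observed TTL matches a fingerprint TTL at or below
# it (TTL only decrements in transit); the MTU for the 'T' window rule is
# MSS + 40 (20-byte IPv4 header plus 20-byte TCP header); '#' starts a comment.
from collections import namedtuple
from typing import List, Optional, Tuple

# Constructed sample file: the records from EXAMPLES behind a comment line.
SAMPLE_PF_OS = """\
# constructed sample file
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0
"""

OptSpec = Tuple[str, Optional[str]]  # ("M", "*"), ("W", "%2"), ("T", "0"), ("N", None)
OptSeen = Tuple[str, Optional[int]]  # ("M", 1460), ("T", 0), ("N", None)
# window is kept as a string: decimal, "*", "%N", "S" or "T"; options is a list of OptSpec.
Fingerprint = namedtuple("Fingerprint",
                         "window ttl df psize options os_class version subtype description")
# One SYN as pf or tcpdump would see it, option values already decoded (list of OptSeen).
ObservedSyn = namedtuple("ObservedSyn", "window ttl df psize options")

def observed_mss(syn: ObservedSyn) -> Optional[int]:
    return next((v for k, v in syn.options if k == "M"), None)

def _numeric_spec(val: str) -> bool:
    return val == "*" or val.isdigit() or (val[:1] == "%" and val[1:].isdigit())

def parse_option(tok: str) -> OptSpec:
    kind, val = tok[:1], tok[1:]
    if kind in ("N", "S") and val == "":
        return kind, None
    if kind == "T" and val in ("", "0"):  # T0: the OS always starts its timestamp at zero
        return kind, val or None
    if kind in ("M", "W") and val and _numeric_spec(val):
        return kind, val
    raise ValueError(f"bad TCP option spec: {tok!r}")

def parse_record(line: str) -> Fingerprint:
    fields = [f.strip() for f in line.split(":")]
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields: {line!r}")
    window, ttl, df, psize, opts, cls, ver, sub, desc = fields
    if window not in ("S", "T") and not _numeric_spec(window):
        raise ValueError(f"bad window spec: {window!r}")
    if df not in ("0", "1") or not ttl.isdigit() or not psize.isdigit():
        raise ValueError(f"bad ttl, df or packet size in: {line!r}")
    options = [] if opts == "." else [parse_option(t) for t in opts.split(",")]
    return Fingerprint(window, int(ttl), int(df), int(psize), options, cls, ver, sub, desc)

def parse_file(text: str) -> List[Fingerprint]:
    lines = map(str.strip, text.splitlines())
    return [parse_record(l) for l in lines if l and not l.startswith("#")]

def value_matches(spec: str, seen: int) -> bool:
    """Compare a '*', '%N' or exact decimal spec against an observed value."""
    if spec == "*":
        return True
    if spec.startswith("%"):
        mod = int(spec[1:])
        return mod > 0 and seen % mod == 0
    return seen == int(spec)

def window_matches(fp: Fingerprint, syn: ObservedSyn) -> bool:
    mss = observed_mss(syn)
    if fp.window == "S":  # any multiple of the advertised MSS
        return bool(mss) and syn.window % mss == 0
    if fp.window == "T":  # any multiple of the MTU (assumed MSS + 40)
        return bool(mss) and syn.window % (mss + 40) == 0
    return value_matches(fp.window, syn.window)

def options_match(fp: Fingerprint, syn: ObservedSyn) -> bool:
    # Same number of options, same kinds in the same order, values per spec.
    if len(fp.options) != len(syn.options):
        return False
    for (fk, fv), (sk, sv) in zip(fp.options, syn.options):
        if fk != sk or (fk in ("M", "W") and not value_matches(fv, sv)):
            return False
        if fk == "T" and fv == "0" and sv != 0:  # T0 requires a zero timestamp
            return False
    return True

def fingerprint_matches(fp: Fingerprint, syn: ObservedSyn) -> bool:
    return (window_matches(fp, syn) and syn.ttl <= fp.ttl and syn.df == fp.df
            and syn.psize == fp.psize and options_match(fp, syn))

def identify(table: List[Fingerprint], syn: ObservedSyn) -> List[str]:
    # Descriptions of every record the SYN matches; more than one may match.
    return [fp.description for fp in table if fingerprint_matches(fp, syn)]

# Constructed observations: the SYN from the tcpdump output in EXAMPLES, and an
# invented OpenBSD 3.3 SYN seen four hops away (TTL 60).
TCPDUMP_SYN = ObservedSyn(57344, 64, 1, 44, [("M", 1460)])
OPENBSD_OPTS: List[OptSeen] = [("M", 1460), ("N", None), ("N", None), ("S", None),
                               ("N", None), ("W", 0), ("N", None), ("N", None), ("T", 1234567)]
OPENBSD_SYN = ObservedSyn(16384, 60, 1, 64, OPENBSD_OPTS)
```

With the sample table loaded, `identify(parse_file(SAMPLE_PF_OS), TCPDUMP_SYN)` returns only the exampleOS record, the OpenBSD SYN matches "OpenBSD 3.3", and the same SYN with the df bit cleared matches the "scrub no-df" record instead. Because all fields are compared, a fingerprint whose TTL is below the observed value, or whose option list differs in order or length, never matches, which is why a scrubbing firewall or a changed option layout needs its own record.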