.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.Dd $Mdocdate: May 31 2007 $
.Dt PF.OS 5
.Os
.Sh NAME
.Nm pf.os
.Nd format of the operating system fingerprints file
.Sh DESCRIPTION
The
.Xr pf 4
firewall and the
.Xr tcpdump 8
program can both fingerprint the operating system of hosts that
originate an IPv4 TCP connection.
The file consists of newline-separated records, one per fingerprint,
containing nine colon
.Pq Ql \&:
separated fields.
These fields are as follows:
.Pp
.Bl -tag -width Description -offset indent -compact
.It window
The TCP window size.
.It TTL
The IP time to live.
.It df
The presence of the IPv4 don't fragment bit.
.It packet size
The size of the initial TCP packet.
.It TCP options
An ordered list of the TCP options.
.It class
The class of operating system.
.It version
The version of the operating system.
.It subtype
The subtype or patchlevel of the operating system.
.It description
The overall textual description of the operating system, version and subtype.
.El
.Pp
The
.Ar window
field corresponds to the th->th_win field in the TCP header and is the
source host's advertised TCP window size.
It may be between zero and 65,535 inclusive.
The window size may be given as a multiple of a constant by prepending
the size with a percent sign
.Sq %
and the value will be used as a modulus.
Three special values may be used for the window size:
.Pp
.Bl -tag -width xxx -offset indent -compact
.It *
An asterisk will wildcard the value so any window size will match.
.It S
Allow any window size which is a multiple of the maximum segment size (MSS).
.It T
Allow any window size which is a multiple of the maximum transmission unit
(MTU).
.El
.Pp
The
.Ar ttl
value is the initial time to live in the IP header.
The fingerprint code will account for the volatility of the packet's TTL
as it traverses a network.
.Pp
The
.Ar df
bit corresponds to the Don't Fragment bit in an IPv4 header.
It tells intermediate routers not to fragment the packet and is used for
path MTU discovery.
It may be either a zero or a one.
.Pp
The
.Ar packet size
is the literal size of the full IP packet and is a function of all of
the IP and TCP options.
.Pp
The
.Ar TCP options
field is an ordered list of the individual TCP options that appear in the
SYN packet.
Each option is described by a single character, the options are separated
by commas, and certain ones may include a value.
The options are:
.Pp
.Bl -tag -width Description -offset indent -compact
.It Mnnn
maximum segment size (MSS) option.
The value is the maximum packet size of the network link which may
include the
.Sq %
modulus or match all MSSes with the
.Sq *
value.
.It N
the NOP option (NO Operation).
.It T[0]
the timestamp option.
Certain operating systems always start with a zero timestamp in which
case a zero value is added to the option; otherwise no value is appended.
.It S
the Selective ACKnowledgement OK (SACKOK) option.
.It Wnnn
window scaling option.
The value is the size of the window scaling which may include the
.Sq %
modulus or match all window scalings with the
.Sq *
value.
.El
.Pp
The absence of any TCP options in the fingerprint is given with a single dot
.Sq \&. .
.Pp
An example of OpenBSD's TCP options is:
.Pp
.Dl M*,N,N,S,N,W0,N,N,T
.Pp
The first option
.Ar M*
is the MSS option and will match all values.
The second and third options
.Ar N
will match two NOPs.
The fourth option
.Ar S
will match the SACKOK option.
The fifth
.Ar N
will match another NOP.
The sixth
.Ar W0
will match a window scaling option with a zero scaling size.
The seventh and eighth
.Ar N
options will match two NOPs.
And the ninth and final option
.Ar T
will match the timestamp option with any time value.
.Pp
The TCP options in a fingerprint will only match packets with the
exact same TCP options in the same order.
.Pp
The
.Ar class
field is the class, genre or vendor of the operating system.
.Pp
The
.Ar version
is the version of the operating system.
It is used to distinguish between different fingerprints of operating
systems of the same class but different versions.
.Pp
The
.Ar subtype
is the subtype or patch level of the operating system version.
It is used to distinguish between different fingerprints of operating
systems of the same class and same version but slightly different
patches or tweaking.
.Pp
The
.Ar description
is a general description of the operating system, its version,
patchlevel and any further useful details.
.Sh EXAMPLES
The fingerprint of a plain
.Ox 3.3
host is:
.Bd -literal
 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
.Ed
.Pp
The fingerprint of an
.Ox 3.3
host behind a PF scrubbing firewall with a no-df rule would be:
.Bd -literal
 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
.Ed
.Pp
An absolutely braindead embedded operating system fingerprint could be:
.Bd -literal
 65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
.Ed
.Pp
The
.Xr tcpdump 8
output of
.Bd -literal
 # tcpdump -s128 -c1 -nv 'tcp[13] == 2'
 03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] \e
 534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \e
 (ttl 64, id 11315, len 44)
.Ed
.Pp
almost translates into the following fingerprint
.Bd -literal
 57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0
.Ed
.Sh SEE ALSO
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr pfctl 8 ,
.Xr tcpdump 8
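.Pp
The following is an added example, not part of this manual page or of OpenBSD's pf or pfctl code: a small parser for pf.os records that applies the window, MSS, window-scaling and TCP-option matching rules described above to a captured SYN. The sample records are the three from EXAMPLES, the SYN is constructed, and the TTL tolerance of 30 hops is this example's assumption rather than the value pf itself uses.

```python
# Added example (not OpenBSD's pf/pfctl code): parse pf.os(5) records and match a captured SYN
# with the rules on this page. The sample records and SYN below are constructed from its examples.
FIELDS = ("window", "ttl", "df", "size", "opts", "cls", "version", "subtype", "desc")
def parse_record(line):
    parts = line.rstrip("\n").split(":")            # nine ':'-separated fields
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    rec["ttl"], rec["df"] = int(rec["ttl"]), int(rec["df"])
    rec["opts"] = [] if rec["opts"] == "." else rec["opts"].split(",")   # '.' = no options
    return rec
def match_value(spec, value, mss=None, mtu=None):
    """'*' any, '%N' multiple of N, 'S' multiple of MSS, 'T' multiple of MTU, else exact."""
    if spec == "*":
        return True
    if spec.startswith("%"):
        return value % int(spec[1:]) == 0
    if spec in ("S", "T"):
        unit = mss if spec == "S" else mtu
        return unit is not None and value % unit == 0
    return value == int(spec)
def match_opts(spec_opts, pkt_opts, mss, mtu):
    """Same options in the same order; M/W carry a value, 'T0' needs a zero timestamp."""
    if len(spec_opts) != len(pkt_opts):
        return False
    for s, p in zip(spec_opts, pkt_opts):
        if s[0] != p[0] or (s == "T0" and p != "T0"):
            return False
        if s[0] in "MW" and not match_value(s[1:], int(p[1:]), mss, mtu):
            return False
    return True
def match(rec, pkt, mtu=1500, ttl_slack=30):
    """pkt: a captured SYN (ints plus an option list like ['M1460','N','W0','T']).  Its TTL must
    be <= the fingerprint's initial TTL; ttl_slack (assumed here, not pf's constant) bounds hops."""
    mss = next((int(o[1:]) for o in pkt["opts"] if o[0] == "M"), None)
    return (rec["ttl"] - ttl_slack <= pkt["ttl"] <= rec["ttl"] and rec["df"] == pkt["df"]
            and match_value(rec["window"], pkt["window"], mss, mtu)
            and match_value(rec["size"], pkt["size"], mss, mtu)
            and match_opts(rec["opts"], pkt["opts"], mss, mtu))
def identify(records, pkt):
    return [r["desc"] for r in records if match(r, pkt)]   # every fingerprint the SYN matches
SAMPLE_PF_OS = """\
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
"""
RECORDS = [parse_record(ln) for ln in SAMPLE_PF_OS.splitlines() if ln and not ln.startswith("#")]
# Constructed SYN: an OpenBSD 3.3 host four hops away (initial TTL 64, seen as 60).
SYN = {"window": 16384, "ttl": 60, "df": 1, "size": 64,
       "opts": ["M1460", "N", "N", "S", "N", "W0", "N", "N", "T"]}
```

Flipping the df bit of the same SYN selects the "scrub no-df" record instead, which is the distinction the second example record exists to make.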