1.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $ 2.\" 3.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org> 4.\" 5.\" Permission to use, copy, modify, and distribute this software for any 6.\" purpose with or without fee is hereby granted, provided that the above 7.\" copyright notice and this permission notice appear in all copies. 8.\" 9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16.\" 17.\" $FreeBSD$ 18.\" 19.Dd May 31, 2007 20.Dt PF.OS 5 21.Os 22.Sh NAME 23.Nm pf.os 24.Nd format of the operating system fingerprints file 25.Sh DESCRIPTION 26The 27.Xr pf 4 28firewall and the 29.Xr tcpdump 1 30program can both fingerprint the operating system of hosts that 31originate an IPv4 TCP connection. 32The file consists of newline-separated records, one per fingerprint, 33containing nine colon 34.Pq Ql \&: 35separated fields. 36These fields are as follows: 37.Pp 38.Bl -tag -width Description -offset indent -compact 39.It window 40The TCP window size. 41.It TTL 42The IP time to live. 43.It df 44The presence of the IPv4 don't fragment bit. 45.It packet size 46The size of the initial TCP packet. 47.It TCP options 48An ordered list of the TCP options. 49.It class 50The class of operating system. 51.It version 52The version of the operating system. 53.It subtype 54The subtype of patchlevel of the operating system. 55.It description 56The overall textual description of the operating system, version and subtype. 57.El 58.Pp 59The 60.Ar window 61field corresponds to the th->th_win field in the TCP header and is the 62source host's advertised TCP window size. 63It may be between zero and 65,535 inclusive. 64The window size may be given as a multiple of a constant by prepending 65the size with a percent sign 66.Sq % 67and the value will be used as a modulus. 68Three special values may be used for the window size: 69.Pp 70.Bl -tag -width xxx -offset indent -compact 71.It * 72An asterisk will wildcard the value so any window size will match. 73.It S 74Allow any window size which is a multiple of the maximum segment size (MSS). 75.It T 76Allow any window size which is a multiple of the maximum transmission unit 77(MTU). 78.El 79.Pp 80The 81.Ar ttl 82value is the initial time to live in the IP header. 83The fingerprint code will account for the volatility of the packet's TTL 84as it traverses a network. 85.Pp 86The 87.Ar df 88bit corresponds to the Don't Fragment bit in an IPv4 header. 89It tells intermediate routers not to fragment the packet and is used for 90path MTU discovery. 91It may be either a zero or a one. 92.Pp 93The 94.Ar packet size 95is the literal size of the full IP packet and is a function of all of 96the IP and TCP options. 97.Pp 98The 99.Ar TCP options 100field is an ordered list of the individual TCP options that appear in the 101SYN packet. 102Each option is described by a single character separated by a comma and 103certain ones may include a value. 104The options are: 105.Pp 106.Bl -tag -width Description -offset indent -compact 107.It Mnnn 108maximum segment size (MSS) option. 109The value is the maximum packet size of the network link which may 110include the 111.Sq % 112modulus or match all MSSes with the 113.Sq * 114value. 115.It N 116the NOP option (NO Operation). 117.It T[0] 118the timestamp option. 119Certain operating systems always start with a zero timestamp in which 120case a zero value is added to the option; otherwise no value is appended. 121.It S 122the Selective ACKnowledgement OK (SACKOK) option. 123.It Wnnn 124window scaling option. 125The value is the size of the window scaling which may include the 126.Sq % 127modulus or match all window scalings with the 128.Sq * 129value. 130.El 131.Pp 132No TCP options in the fingerprint may be given with a single dot 133.Sq \&. . 134.Pp 135An example of OpenBSD's TCP options are: 136.Pp 137.Dl M*,N,N,S,N,W0,N,N,T 138.Pp 139The first option 140.Ar M* 141is the MSS option and will match all values. 142The second and third options 143.Ar N 144will match two NOPs. 145The fourth option 146.Ar S 147will match the SACKOK option. 148The fifth 149.Ar N 150will match another NOP. 151The sixth 152.Ar W0 153will match a window scaling option with a zero scaling size. 154The seventh and eighth 155.Ar N 156options will match two NOPs. 157And the ninth and final option 158.Ar T 159will match the timestamp option with any time value. 160.Pp 161The TCP options in a fingerprint will only match packets with the 162exact same TCP options in the same order. 163.Pp 164The 165.Ar class 166field is the class, genre or vendor of the operating system. 167.Pp 168The 169.Ar version 170is the version of the operating system. 171It is used to distinguish between different fingerprints of operating 172systems of the same class but different versions. 173.Pp 174The 175.Ar subtype 176is the subtype or patch level of the operating system version. 177It is used to distinguish between different fingerprints of operating 178systems of the same class and same version but slightly different 179patches or tweaking. 180.Pp 181The 182.Ar description 183is a general description of the operating system, its version, 184patchlevel and any further useful details. 185.Sh EXAMPLES 186The fingerprint of a plain 187.Ox 3.3 188host is: 189.Bd -literal 190 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3 191.Ed 192.Pp 193The fingerprint of an 194.Ox 3.3 195host behind a PF scrubbing firewall with a no-df rule would be: 196.Bd -literal 197 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df 198.Ed 199.Pp 200An absolutely braindead embedded operating system fingerprint could be: 201.Bd -literal 202 65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3 203.Ed 204.Pp 205The 206.Xr tcpdump 1 207output of 208.Bd -literal 209 # tcpdump -s128 -c1 -nv 'tcp[13] == 2' 210 03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] \e 211 534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \e 212 (ttl 64, id 11315, len 44) 213.Ed 214.Pp 215almost translates into the following fingerprint 216.Bd -literal 217 57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0 218.Ed 219.Sh SEE ALSO 220.Xr tcpdump 1 , 221.Xr pf 4 , 222.Xr pf.conf 5 , 223.Xr pfctl 8 224