1.\" $OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $ 2.\" 3.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org> 4.\" 5.\" Permission to use, copy, modify, and distribute this software for any 6.\" purpose with or without fee is hereby granted, provided that the above 7.\" copyright notice and this permission notice appear in all copies. 8.\" 9.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16.Dd $Mdocdate: May 31 2007 $ 17.Dt PF.OS 5 18.Os 19.Sh NAME 20.Nm pf.os 21.Nd format of the operating system fingerprints file 22.Sh DESCRIPTION 23The 24.Xr pf 4 25firewall and the 26.Xr tcpdump 8 27program can both fingerprint the operating system of hosts that 28originate an IPv4 TCP connection. 29The file consists of newline-separated records, one per fingerprint, 30containing nine colon 31.Pq Ql \&: 32separated fields. 33These fields are as follows: 34.Pp 35.Bl -tag -width Description -offset indent -compact 36.It window 37The TCP window size. 38.It TTL 39The IP time to live. 40.It df 41The presence of the IPv4 don't fragment bit. 42.It packet size 43The size of the initial TCP packet. 44.It TCP options 45An ordered list of the TCP options. 46.It class 47The class of operating system. 48.It version 49The version of the operating system. 50.It subtype 51The subtype of patchlevel of the operating system. 52.It description 53The overall textual description of the operating system, version and subtype. 54.El 55.Pp 56The 57.Ar window 58field corresponds to the th->th_win field in the TCP header and is the 59source host's advertised TCP window size. 60It may be between zero and 65,535 inclusive. 61The window size may be given as a multiple of a constant by prepending 62the size with a percent sign 63.Sq % 64and the value will be used as a modulus. 65Three special values may be used for the window size: 66.Pp 67.Bl -tag -width xxx -offset indent -compact 68.It * 69An asterisk will wildcard the value so any window size will match. 70.It S 71Allow any window size which is a multiple of the maximum segment size (MSS). 72.It T 73Allow any window size which is a multiple of the maximum transmission unit 74(MTU). 75.El 76.Pp 77The 78.Ar ttl 79value is the initial time to live in the IP header. 80The fingerprint code will account for the volatility of the packet's TTL 81as it traverses a network. 82.Pp 83The 84.Ar df 85bit corresponds to the Don't Fragment bit in an IPv4 header. 86It tells intermediate routers not to fragment the packet and is used for 87path MTU discovery. 88It may be either a zero or a one. 89.Pp 90The 91.Ar packet size 92is the literal size of the full IP packet and is a function of all of 93the IP and TCP options. 94.Pp 95The 96.Ar TCP options 97field is an ordered list of the individual TCP options that appear in the 98SYN packet. 99Each option is described by a single character separated by a comma and 100certain ones may include a value. 101The options are: 102.Pp 103.Bl -tag -width Description -offset indent -compact 104.It Mnnn 105maximum segment size (MSS) option. 106The value is the maximum packet size of the network link which may 107include the 108.Sq % 109modulus or match all MSSes with the 110.Sq * 111value. 112.It N 113the NOP option (NO Operation). 114.It T[0] 115the timestamp option. 116Certain operating systems always start with a zero timestamp in which 117case a zero value is added to the option; otherwise no value is appended. 118.It S 119the Selective ACKnowledgement OK (SACKOK) option. 120.It Wnnn 121window scaling option. 122The value is the size of the window scaling which may include the 123.Sq % 124modulus or match all window scalings with the 125.Sq * 126value. 127.El 128.Pp 129No TCP options in the fingerprint may be given with a single dot 130.Sq \&. . 131.Pp 132An example of OpenBSD's TCP options are: 133.Pp 134.Dl M*,N,N,S,N,W0,N,N,T 135.Pp 136The first option 137.Ar M* 138is the MSS option and will match all values. 139The second and third options 140.Ar N 141will match two NOPs. 142The fourth option 143.Ar S 144will match the SACKOK option. 145The fifth 146.Ar N 147will match another NOP. 148The sixth 149.Ar W0 150will match a window scaling option with a zero scaling size. 151The seventh and eighth 152.Ar N 153options will match two NOPs. 154And the ninth and final option 155.Ar T 156will match the timestamp option with any time value. 157.Pp 158The TCP options in a fingerprint will only match packets with the 159exact same TCP options in the same order. 160.Pp 161The 162.Ar class 163field is the class, genre or vendor of the operating system. 164.Pp 165The 166.Ar version 167is the version of the operating system. 168It is used to distinguish between different fingerprints of operating 169systems of the same class but different versions. 170.Pp 171The 172.Ar subtype 173is the subtype or patch level of the operating system version. 174It is used to distinguish between different fingerprints of operating 175systems of the same class and same version but slightly different 176patches or tweaking. 177.Pp 178The 179.Ar description 180is a general description of the operating system, its version, 181patchlevel and any further useful details. 182.Sh EXAMPLES 183The fingerprint of a plain 184.Ox 3.3 185host is: 186.Bd -literal 187 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3 188.Ed 189.Pp 190The fingerprint of an 191.Ox 3.3 192host behind a PF scrubbing firewall with a no-df rule would be: 193.Bd -literal 194 16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df 195.Ed 196.Pp 197An absolutely braindead embedded operating system fingerprint could be: 198.Bd -literal 199 65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3 200.Ed 201.Pp 202The 203.Xr tcpdump 8 204output of 205.Bd -literal 206 # tcpdump -s128 -c1 -nv 'tcp[13] == 2' 207 03:13:48.118526 10.0.0.1.3377 > 10.0.0.2.80: S [tcp sum ok] \e 208 534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \e 209 (ttl 64, id 11315, len 44) 210.Ed 211.Pp 212almost translates into the following fingerprint 213.Bd -literal 214 57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0 215.Ed 216.Sh SEE ALSO 217.Xr pf 4 , 218.Xr pf.conf 5 , 219.Xr pfctl 8 , 220.Xr tcpdump 8 221