The osf module does passive operating system fingerprinting. This module
compares some data (Window Size, MSS, options and their order, TTL, DF,
and others) from packets with the SYN bit set.
.TP
[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
Match an operating system genre by using passive fingerprinting.
.TP
\fB\-\-ttl\fP \fIlevel\fP
Do additional TTL checks on the packet to determine the operating system.
\fIlevel\fP can be one of the following values:
.IP \(bu 4
0 - True IP address and fingerprint TTL comparison. This generally works for
LANs.
.IP \(bu 4
1 - Check if the IP header's TTL is less than the fingerprint one. Works for
globally-routable addresses.
.IP \(bu 4
2 - Do not compare the TTL at all.
.TP
\fB\-\-log\fP \fIlevel\fP
Log determined genres into dmesg even if they do not match the desired one.
\fIlevel\fP can be one of the following values:
.IP \(bu 4
0 - Log all matched or unknown signatures
.IP \(bu 4
1 - Log only the first one
.IP \(bu 4
2 - Log all known matched signatures
.PP
You may find something like this in syslog:
.PP
Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
.PP
OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
fingerprints from a file, use:
.PP
\fBnfnl_osf -f /usr/share/xtables/pf.os\fP
.PP
To remove them again,
.PP
\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
.PP
The fingerprint database can be downloaded from
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
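The following is an added example, not part of the original manual page or of the xtables code: a parser for the syslog entries that \-\-log produces, plus a check that flags clients whose fingerprinted genre is unexpected for the service port they reach. The entry layout is inferred from the two sample entries above, and the names OsfEntry, parse_osf, unexpected_clients and POLICY are hypothetical.

```python
import re
from collections import namedtuple

# Entry layout inferred from the man page's two sample entries (assumption):
#   GENRE [VERSION:DETAILS] : SRC:SPORT -> DST:DPORT hops=N
OsfEntry = namedtuple("OsfEntry", "genre version details src sport dst dport hops")

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_ENTRY = re.compile(
    r"(?P<genre>\S+) \[(?P<detail>[^\]]*)\]\s*:\s*"
    rf"(?P<src>{_IP}):(?P<sport>\d+)\s*->\s*"
    rf"(?P<dst>{_IP}):(?P<dport>\d+)\s+hops=(?P<hops>\d+)"
)

def parse_osf(text):
    """Return every osf entry in text, even when entries share or wrap lines."""
    entries = []
    for m in _ENTRY.finditer(text):
        # The first ':'-separated field is the version; the rest is free-form.
        version, _, details = m["detail"].partition(":")
        entries.append(OsfEntry(m["genre"], version, details.strip(": "),
                                m["src"], int(m["sport"]),
                                m["dst"], int(m["dport"]), int(m["hops"])))
    return entries

def unexpected_clients(entries, expected_by_dport):
    """Entries whose genre is not expected for their destination port."""
    return [e for e in entries
            if e.dport in expected_by_dport
            and e.genre not in expected_by_dport[e.dport]]

# The first two entries are the man page's sample; the third is constructed.
SAMPLE = (
    "Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> "
    "11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4\n"
    "Windows [XP:SP1:] : 192.0.2.7:51000 -> 1.2.3.5:22 hops=2\n"
)
# Hypothetical site policy: which genres normally reach which service port.
POLICY = {22: {"Linux"}, 139: {"Windows"}}

if __name__ == "__main__":
    for e in unexpected_clients(parse_osf(SAMPLE), POLICY):
        print(f"review: {e.genre} {e.version} {e.src} -> {e.dst}:{e.dport} hops={e.hops}")
```

A passive fingerprint is a heuristic derived from SYN header fields, so a flagged entry is a prompt for review rather than proof of the client's operating system.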