The osf module does passive operating system fingerprinting. This module
compares some data (Window Size, MSS, options and their order, TTL, DF,
and others) from packets with the SYN bit set against the loaded fingerprints.
4.TP
5[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
Match an operating system genre by using passive fingerprinting.
7.TP
8\fB\-\-ttl\fP \fIlevel\fP
Do additional TTL checks on the packet to determine the operating system.
\fIlevel\fP can be one of the following values:
.IP \(bu 4
0 - True IP address and fingerprint TTL comparison. This generally works for
LANs.
.IP \(bu 4
1 - Check if the IP header's TTL is less than the fingerprint one. Works for
globally-routable addresses.
.IP \(bu 4
2 - Do not compare the TTL at all.
19.TP
20\fB\-\-log\fP \fIlevel\fP
Log determined genres into dmesg even if they do not match the desired one.
\fIlevel\fP can be one of the following values:
.IP \(bu 4
0 - Log all matched or unknown signatures
.IP \(bu 4
1 - Log only the first one
.IP \(bu 4
2 - Log all known matched signatures
29.PP
You may find something like this in syslog:
.PP
.nf
Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 hops=3
Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
.fi
34.PP
OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
fingerprints from a file, use:
37.PP
38\fBnfnl_osf -f /usr/share/xtables/pf.os\fP
39.PP
To remove them again,
41.PP
42\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
43.PP
The fingerprint database can be downloaded from
45http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
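.PP
The syslog entries shown above can be parsed to flag connections whose fingerprinted genre is unexpected for a service. The following is an added example, not part of the iptables distribution; the "kernel:" prefix, the third sample line, and the names parse_osf, unexpected and policy are assumptions made for illustration.

```python
import re

# Shape of the entries in the man page's syslog sample:
#   GENRE [DETAILS]: SRC:SPORT -> DST:DPORT hops=N
# The second sample entry has a space before the colon, so it is optional here.
ENTRY = re.compile(
    r"(?<![\w.-])(?P<genre>[A-Za-z][\w.-]*) \[(?P<details>[^\]]*)\] ?: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) hops=(?P<hops>\d+)"
)


def parse_osf(text):
    """Return one dict per osf entry found in text.

    Several entries may share a line, as in the wrapped man page sample.
    Text that does not have the entry shape is skipped.
    """
    entries = []
    for match in ENTRY.finditer(text):
        entry = match.groupdict()
        for key in ("sport", "dport", "hops"):
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def unexpected(entries, policy):
    """Return entries whose genre is not allowed for their destination port.

    policy (hypothetical) maps a destination port to the set of genres
    expected there; ports absent from policy are not evaluated.
    """
    return [e for e in entries
            if e["dport"] in policy and e["genre"] not in policy[e["dport"]]]


# Constructed input: the two entries from the man page plus one constructed
# entry, each with an assumed "kernel:" prefix.
SAMPLE = """\
kernel: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 hops=3
kernel: Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
kernel: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4100 -> 1.2.3.5:22 hops=3
"""

if __name__ == "__main__":
    for hit in unexpected(parse_osf(SAMPLE), {22: {"Linux"}}):
        print("unexpected genre %(genre)s from %(src)s:%(sport)d to port %(dport)d" % hit)
```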
46