The osf module does passive operating system fingerprinting. This module
compares some data (Window Size, MSS, options and their order, TTL, DF,
and others) from packets with the SYN bit set.
.TP
[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
Match an operating system genre by using passive fingerprinting.
.TP
\fB\-\-ttl\fP \fIlevel\fP
Do additional TTL checks on the packet to determine the operating system.
\fIlevel\fP can be one of the following values:
.RS
.TP
\fB0\fP
True IP address and fingerprint TTL comparison. This generally works for
LANs.
.TP
\fB1\fP
Check if the IP header's TTL is less than the fingerprint one. Works for
globally-routable addresses.
.TP
\fB2\fP
Do not compare the TTL at all.
.RE
.TP
\fB\-\-log\fP \fIlevel\fP
Log determined genres into dmesg even if they do not match the desired one.
\fIlevel\fP can be one of the following values:
.RS
.TP
\fB0\fP
Log all matched or unknown signatures
.TP
\fB1\fP
Log only the first one
.TP
\fB2\fP
Log all known matched signatures
.RE
.PP
You may find something like this in syslog:
.PP
Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 \->
11.22.33.44:139 hops=3
.br
Linux [2.5\-2.6:] : 1.2.3.4:42624 \-> 1.2.3.5:22 hops=4
.PP
OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
fingerprints from a file, use:
.PP
\fBnfnl_osf \-f /usr/share/xtables/pf.os\fP
.PP
To remove them again, use:
.PP
\fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP
.PP
The fingerprint database can be downloaded from
http://www.openbsd.org/cgi\-bin/cvsweb/src/etc/pf.os .
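The syslog lines shown above can be turned into structured records for monitoring. The following is an added example, not part of the man page or the iptables project: it parses that line shape and counts SYNs from genres outside an expected set per destination port. The names `parse_osf` and `unexpected_genres`, the syslog prefix in the sample, and the assumption that every line follows the shape of the two samples are all hypothetical.

```python
import re
from collections import Counter

# Shape of the osf log lines shown in the man page (assumed to hold for all):
#   GENRE [VERSION:SUBTYPE] : SRC:SPORT -> DST:DPORT hops=N
OSF_LINE = re.compile(
    r"(?P<genre>[A-Za-z][\w.-]*) \[(?P<details>[^\]]*)\]\s*:\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) hops=(?P<hops>-?\d+)"
)

def parse_osf(line):
    """Return a dict for one osf log line, or None if the line does not match."""
    m = OSF_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hops"):
        rec[key] = int(rec[key])
    # The bracket holds version and subtype separated by ':'; the subtype may
    # be empty or contain further colons, so split only once.
    rec["version"], _, rec["subtype"] = rec.pop("details").partition(":")
    return rec

def unexpected_genres(lines, expected):
    """Count (genre, destination port) pairs whose genre is not in `expected`."""
    hits = Counter()
    for line in lines:
        rec = parse_osf(line)
        if rec and rec["genre"] not in expected:
            hits[(rec["genre"], rec["dport"])] += 1
    return hits

# Constructed sample: the two lines from the man page behind an assumed
# syslog prefix, plus an unrelated kernel line that must be skipped.
SAMPLE = [
    "Jan  1 00:00:01 fw kernel: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: "
    "11.22.33.55:4024 -> 11.22.33.44:139 hops=3",
    "Jan  1 00:00:02 fw kernel: Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4",
    "Jan  1 00:00:03 fw kernel: device eth0 entered promiscuous mode",
]

if __name__ == "__main__":
    for (genre, port), n in unexpected_genres(SAMPLE, {"Linux"}).items():
        print(f"{n} SYN(s) from genre {genre} to port {port}")
```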