The osf module does passive operating system fingerprinting. This module
compares some data (Window Size, MSS, options and their order, TTL, DF,
and others) from packets with the SYN bit set.
.TP
[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
Match an operating system genre using passive fingerprinting.
.TP
\fB\-\-ttl\fP \fIlevel\fP
Do additional TTL checks on the packet to determine the operating system.
\fIlevel\fP can be one of the following values:
.IP \(bu 4
0 - True IP address and fingerprint TTL comparison. This generally works for
LANs.
.IP \(bu 4
1 - Check if the IP header's TTL is less than the fingerprint one. Works for
globally-routable addresses.
.IP \(bu 4
2 - Do not compare the TTL at all.
.TP
\fB\-\-log\fP \fIlevel\fP
Log determined genres into dmesg even if they do not match the desired one.
\fIlevel\fP can be one of the following values:
.IP \(bu 4
0 - Log all matched or unknown signatures
.IP \(bu 4
1 - Log only the first one
.IP \(bu 4
2 - Log all known matched signatures
.PP
You may find something like this in syslog:
.PP
Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
11.22.33.44:139 hops=3
.br
Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
.PP
OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
fingerprints from a file, use:
.PP
\fBnfnl_osf -f /usr/share/xtables/pf.os\fP
.PP
To remove them again, use:
.PP
\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
.PP
The fingerprint database can be downloaded from
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
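.PP
Added example, not part of the original manual page or of the xtables code: a Python parser for the syslog records shown above, so that fingerprints logged with \fB\-\-log\fP can be tallied per service and checked against an allow-list. The field names, the allow-list policy and the single-word genre are assumptions of this example.

```python
import re
from collections import Counter, namedtuple

# Field names are this example's own labels for the parts of a logged record.
OsfHit = namedtuple("OsfHit", "genre version subtype details src sport dst dport hops")

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Layout taken from the two records in the syslog sample; a genre without
# spaces is an assumption of this example.
RECORD = re.compile(
    rf"\b(?P<genre>[A-Za-z][\w.+-]*) \[(?P<sig>[^\]]*)\]\s*:\s*"
    rf"(?P<src>{IP}):(?P<sport>\d+) -> (?P<dst>{IP}):(?P<dport>\d+) hops=(?P<hops>\d+)"
)


def parse_osf(text):
    """Return every osf record in text; several may share or straddle a line."""
    hits = []
    for m in RECORD.finditer(" ".join(text.split())):  # undo line wrapping first
        # The bracket holds up to three ':'-separated parts; pad the missing ones.
        ver, sub, det = (p.strip() for p in (m["sig"].split(":", 2) + ["", ""])[:3])
        hits.append(OsfHit(m["genre"], ver, sub, det, m["src"], int(m["sport"]),
                           m["dst"], int(m["dport"]), int(m["hops"])))
    return hits


def genres_by_service(hits):
    """Count fingerprinted client genres per (destination address, port)."""
    table = {}
    for h in hits:
        table.setdefault((h.dst, h.dport), Counter())[h.genre] += 1
    return table


def unexpected_clients(hits, allowed):
    """Hits whose genre is outside the allow-list for their destination port."""
    return [h for h in hits if h.dport in allowed and h.genre not in allowed[h.dport]]


# Constructed input: the two records from the syslog sample, wrapped mid-record.
SAMPLE = """Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4"""

if __name__ == "__main__":
    for hit in parse_osf(SAMPLE):
        print(hit)
    print(unexpected_clients(parse_osf(SAMPLE), {139: {"Linux"}}))
```

A passive fingerprint is only a hint about the sender, so treat an allow-list miss as a signal to investigate, not as proof of the client's operating system.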