The osf module does passive operating system fingerprinting. This modules

compares some data (Window Size, MSS, options and their order, TTL, DF,

and others) from packets with the SYN bit set. 

.TP

[\fB!\fP] \fB\-\-genre\fP \fIstring\fP

Match an operating system genre by using a passive fingerprinting.

.TP

\fB\-\-ttl\fP \fIlevel\fP

Do additional TTL checks on the packet to determine the operating system.

\fIlevel\fP can be one of the following values:

.IP \(bu 4

0 - True IP address and fingerprint TTL comparison. This generally works for

LANs.

.IP \(bu 4

1 - Check if the IP header's TTL is less than the fingerprint one. Works for

globally-routable addresses.

.IP \(bu 4

2 - Do not compare the TTL at all.

.TP

\fB\-\-log\fP \fIlevel\fP

Log determined genres into dmesg even if they do not match the desired one.

\fIlevel\fP can be one of the following values:

.IP \(bu 4

0 - Log all matched or unknown signatures

.IP \(bu 4

1 - Log only the first one

.IP \(bu 4

2 - Log all known matched signatures

.PP

You may find something like this in syslog:

.PP

Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->

11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4

.PP

OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load

fingerprints from a file, use:

.PP

\fBnfnl_osf -f /usr/share/xtables/pf.os\fP

.PP

To remove them again,

.PP

\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP

.PP

The fingerprint database can be downloaded from

http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .