path: root/extensions/
diff options
Diffstat (limited to 'extensions/')
1 files changed, 45 insertions, 0 deletions
diff --git a/extensions/ b/extensions/
new file mode 100644
index 00000000..ea616a90
--- /dev/null
+++ b/extensions/
@@ -0,0 +1,45 @@
+The osf module does passive operating system fingerprinting. This modules
+compares some data (Window Size, MSS, options and their order, TTL, DF,
+and others) from packets with the SYN bit set.
+[\fB!\fP] \fB\-\-genre\fP \fIstring\fP
+Match an operating system genre by using a passive fingerprinting.
+\fB\-\-ttl\fP \fIlevel\fP
+Do additional TTL checks on the packet to determine the operating system.
+\fIlevel\fP can be one of the following values:
+.IP \(bu 4
+0 - True IP address and fingerprint TTL comparison. This generally works for
+.IP \(bu 4
+1 - Check if the IP header's TTL is less than the fingerprint one. Works for
+globally-routable addresses.
+.IP \(bu 4
+2 - Do not compare the TTL at all.
+\fB\-\-log\fP \fIlevel\fP
+Log determined genres into dmesg even if they do not match the desired one.
+\fIlevel\fP can be one of the following values:
+.IP \(bu 4
+0 - Log all matched or unknown signatures
+.IP \(bu 4
+1 - Log only the first one
+.IP \(bu 4
+2 - Log all known matched signatures
+You may find something like this in syslog:
+Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: ->
+ hops=3 Linux [2.5-2.6:] : -> hops=4
+OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
+fingerprints from a file, use:
+\fBnfnl_osf -f ./pf.os\fP
+To remove them again,
+\fBnfnl_osf -f ./pf.os -d\fP
+The fingerprint database can be downlaoded from
+ .