Mike Frantzen recently committed OS fingerprinting capabilities to PF, OpenBSD's stateful packet filter, based on Michal Zalewski's p0f (passive OS fingerprinting) code. The functionality was also added to tcpdump. From the p0f README:

"The passive OS fingerprinting technique is based on information coming from a remote host when it tries to establish a connection to your system. Captured packet parameters contain enough information to identify the remote OS. In contrast to active scanners such as nmap and queSO, p0f does this without sending anything to the remote host."

Mike points out that it is very easy to spoof a TCP stack to make one OS appear as if it's really another, so this new functionality is not a security feature. Instead, it's intended as a policy feature... For Mike's announcement email which includes a few quick examples of how this functionality might be used, read on.
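As an added illustration (not code from PF, p0f, tcpdump or Mike's announcement), the following Python sketch shows what a passive fingerprinter reads out of a single captured SYN: window size, a guessed initial TTL, the DF bit, packet length and the TCP option layout, joined into a signature and looked up in a table. The signature layout is a simplified p0f-style format and the table entries are constructed placeholders, not real OS fingerprints; `build_syn` only exists to fabricate sample packets for the example.

```python
import struct

# Illustrative signature table, constructed for this example (NOT p0f's real
# fingerprint database). Key format: "window:initial_ttl:df:syn_length:options".
SIGNATURES = {
    "65535:64:1:64:M1460,N,W6,N,N,T,S,E": "example-os-A",
    "8192:128:1:52:M1460,N,W8,N,N,S": "example-os-B",
}

def initial_ttl(observed):
    """Assume the sender started at the next common initial TTL above what we observe."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)

def syn_signature(pkt):
    """Derive a simplified p0f-style signature from a raw IPv4 packet carrying a TCP SYN."""
    total_len, = struct.unpack("!H", pkt[2:4])
    df = 1 if struct.unpack("!H", pkt[6:8])[0] & 0x4000 else 0
    tcp = pkt[(pkt[0] & 0x0F) * 4:]                   # skip the IPv4 header (IHL in words)
    if (tcp[13] & 0x3F) != 0x02:                      # only a pure SYN carries the fingerprint
        raise ValueError("not a pure SYN")
    win, = struct.unpack("!H", tcp[14:16])
    opts, layout, i = tcp[20:(tcp[12] >> 4) * 4], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # EOL ends the option list
            layout.append("E"); break
        if kind == 1:                                 # NOP is a single byte
            layout.append("N"); i += 1; continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2:   tag = "M%d" % struct.unpack("!H", opts[i + 2:i + 4])[0]  # MSS
        elif kind == 3: tag = "W%d" % opts[i + 2]                                 # window scale
        else:           tag = {4: "S", 8: "T"}.get(kind, "?%d" % kind)             # SACKOK / timestamp
        layout.append(tag)
        i += length
    return "%d:%d:%d:%d:%s" % (win, initial_ttl(pkt[8]), df, total_len, ",".join(layout))

def classify(pkt):
    return SIGNATURES.get(syn_signature(pkt), "unknown")

def build_syn(ttl, win, df, options):
    """Construct a sample SYN for testing (checksums left zero, addresses blank)."""
    options += b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, ((5 + len(options) // 4) << 12) | 2, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 1, 0x4000 if df else 0, ttl, 6, 0, bytes(4), bytes(4))
    return ip + tcp + options

# Constructed sample: MSS 1460, NOP, WS 6, NOP, NOP, timestamp, SACKOK, EOL, observed 7 hops away.
SAMPLE_A = build_syn(57, 65535, 1, b"\x02\x04\x05\xb4\x01\x03\x03\x06\x01\x01\x08\x0a" + bytes(8) + b"\x04\x02\x00")
```

Every field in the signature comes from headers the remote host writes itself, so a match says nothing the sender could not have forged, which is why the announcement treats the result as a policy input rather than a security control.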

The link for this article located at KernelTrap is no longer available.