Detecting OS fingerprint on open TCP connection?

04-18-2004, 03:02 PM

I know you can detect the OS fingerprint by doing an nmap scan, but I was
curious whether there is any facility in the Linux kernel that can do
remote OS detection on-the-fly, for an open TCP connection.

The reason I ask is I ran into this, from an OpenBSD user:
http://use.perl.org/~merlyn/journal/17094

Now this is very neat... because nearly all spam and viruses arrive through
infected Microsoft Windows hosts (proxies, relays, zombies, etc.) this guy
has used his firewall to impose a total 56k bandwidth restriction for all
mail traffic coming from Windows hosts.

This means that all other mail traffic goes at full speed, while the
transactions with Windows hosts (heavily suspect) proceed very slowly.
During worm outbreaks and spamruns this can save a site significant
bandwidth.

If there were some way to do that on my Linux host, I would give it a try!

--
Jem Berkes
http://www.sysdesign.ca/

04-18-2004, 03:12 PM

Jem Berkes wrote:

> I know you can detect the OS fingerprint by doing an nmap scan, but I
> was curious whether there is any facility in the Linux kernel that can
> do remote OS detection on-the-fly, for an open TCP connection.
>
> The reason I ask is I ran into this, from an OpenBSD user:
> http://use.perl.org/~merlyn/journal/17094
>
> Now this is very neat... because nearly all spam and viruses arrive
> through infected Microsoft Windows hosts (proxies, relays, zombies,
> etc.) this guy has used his firewall to impose a total 56k bandwidth
> restriction for all mail traffic coming from Windows hosts.
>
> This means that all other mail traffic goes at full speed, while the
> transactions with Windows hosts (heavily suspect) proceed very slowly.
> During worm outbreaks and spamruns this can save a site significant
> bandwidth.
>
> If there were some way to do that on my Linux host, I would give it a
> try!
>

Have a look at p0f. That is the underlying package in OpenBSD.

EJ
--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.

04-18-2004, 05:54 PM

Jem Berkes <(E-Mail Removed)> wrote in
news:Xns94CF661A22A7Ajbuserspc9org@130.179.16.24:

> I know you can detect the OS fingerprint by doing an nmap scan, but I
> was curious whether there is any facility in the Linux kernel that can
> do remote OS detection on-the-fly, for an open TCP connection.
>
> This means that all other mail traffic goes at full speed, while the
> transactions with Windows hosts (heavily suspect) proceed very slowly.
> During worm outbreaks and spamruns this can save a site significant
> bandwidth.
>
> If there were some way to do that on my Linux host, I would give it a
> try!
>

Hello,

take a look at:
http://www.netfilter.org/patch-o-mat...l#pom-base-osf

It's a port of OpenBSD's opf to Linux as a netfilter module.

--
P.Krumins

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
WiFi mesh - network address associated with fingerprint of thenode's public key?	WZab	Linux Networking	4	02-28-2012 05:34 PM
Re: detecting connection problems in internet explorer	Jan B	Wireless Networks	0	09-17-2010 09:22 PM
detecting wireless networks and creating a new local area connection	badboybobbing	Wireless Internet	1	01-20-2008 12:34 PM
Delay in Detecting that a Tcp Socket Connection (Wireless) is RESET ... Pls Help !	Shashank Welankar	Windows Networking	0	05-19-2004 06:37 AM
Detecting Internet Connection		Broadband Hardware	1	04-04-2004 03:02 AM