Re: Passive OS fingerprinting.

On Tue, Jul 01, 2008 at 03:35:02PM +0200, Patrick McHardy (kaber@xxxxxxxxx) wrote:
> >It sure would be nice for regular socket applications to have an easy, 
> >unprivileged way to query the OS fingerprint information of a given 
> >socket.
> 
> I'm not sure how much OSF depends on the TTL, but doing this
> more than one hop away from the host (or without knowledge of
> the number of hops) makes using the TTL basically impossible.

There are three modes in OSF: LAN, where things are simple; no-ttl, where
things are even simpler and false positive; and heuristic mode,
which checks the ttl, but with some addons. Like if the ttl is 31, it is
possible that it is an OS with initial TTL equal to 32, or another OS
with initial TTL 48, and whatever other checks succeeded for those cases
determine which OS it is.

It works quite well on the internet, not only on a LAN, since frequently it
is enough to only roughly determine the initial TTL.

> >Another use case is validating whether a browser is "lying" about its 
> >OS, when parsing HTTP user-agent info, or in general when any remote 
> >agent is "lying" about its OS.  Security software can use that as an 
> >additional red-flag factor. 
> 
> I for one would be much happier to only have netfilter as a user
> of this :)

Security checkers do like to put their hands into sooo deep places in the stack :)

-- 
	Evgeniy Polyakov
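A small illustration of the three OSF matching modes described in the reply above, written as an added example for this archive page; it is not the xt_osf code discussed in the thread. The signature table and the SYN values are constructed, and HOP_LIMIT is an assumed bound on plausible hop count.

```python
from dataclasses import dataclass

HOP_LIMIT = 32  # heuristic mode: assumed maximum plausible hop count to the host


@dataclass(frozen=True)
class Signature:
    os: str
    initial_ttl: int
    window: int
    mss: int
    df: bool


@dataclass(frozen=True)
class Syn:
    """Fields of an observed TCP SYN that a passive fingerprinter looks at."""
    ttl: int
    window: int
    mss: int
    df: bool


# Constructed signature table (hypothetical, not the real OSF database).
# os-A and os-B differ only in initial TTL and window, so an observed TTL
# of 31 alone cannot separate them; the window check has to decide.
SIGS = [
    Signature("os-A", 32, 8192, 1460, True),
    Signature("os-B", 48, 16384, 1460, True),
    Signature("os-C", 64, 65535, 1460, True),
    Signature("os-D", 128, 65535, 1460, False),
]


def ttl_ok(sig, pkt, mode):
    """TTL test for the three matching modes named in the mail."""
    if mode == "lan":          # host is on our link: TTL arrives untouched
        return pkt.ttl == sig.initial_ttl
    if mode == "no-ttl":       # ignore TTL: simplest, but accepts impossible TTLs
        return True
    if mode == "heuristic":    # each hop decrements TTL; allow a bounded hop count
        return 0 <= sig.initial_ttl - pkt.ttl < HOP_LIMIT
    raise ValueError(f"unknown mode {mode!r}")


def candidate_initial_ttls(ttl, sigs=SIGS):
    """Initial TTLs in the table that could have decayed to the observed ttl."""
    return sorted({s.initial_ttl for s in sigs if 0 <= s.initial_ttl - ttl < HOP_LIMIT})


def match(pkt, mode, sigs=SIGS):
    """Names of the OSes whose signature fits pkt under the given mode."""
    return [s.os for s in sigs
            if ttl_ok(s, pkt, mode)
            and (s.window, s.mss, s.df) == (pkt.window, pkt.mss, pkt.df)]
```

With the constructed table, a TTL of 31 yields the candidates 32 and 48, and the non-TTL fields pick one; no-ttl mode still accepts a TTL of 200 for os-A, which heuristic mode rejects.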