authorMike Frantzen <frantzen@cvs.openbsd.org>2003-08-21 19:14:24 +0000
committerMike Frantzen <frantzen@cvs.openbsd.org>2003-08-21 19:14:24 +0000
commit2af402b54337f7df922b1dc7bd0d511cb10fcc88 (patch)
treed7e336701c42f84347e62b1f97dcd28b6046a9aa /usr.sbin/tcpdump
parent5faafeda88282b9454881d1f0957c0f7ce393dc9 (diff)
print the operating system of TCP SYN packets with the -o option
Diffstat (limited to 'usr.sbin/tcpdump')
-rw-r--r--usr.sbin/tcpdump/Makefile9
-rw-r--r--usr.sbin/tcpdump/interface.h5
-rw-r--r--usr.sbin/tcpdump/print-tcp.c40
-rw-r--r--usr.sbin/tcpdump/tcpdump.817
-rw-r--r--usr.sbin/tcpdump/tcpdump.c21
5 files changed, 81 insertions, 11 deletions
diff --git a/usr.sbin/tcpdump/Makefile b/usr.sbin/tcpdump/Makefile
index 9eb84ccf8db..defe27e72a4 100644
--- a/usr.sbin/tcpdump/Makefile
+++ b/usr.sbin/tcpdump/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.41 2003/07/17 08:45:37 markus Exp $
+# $OpenBSD: Makefile,v 1.42 2003/08/21 19:14:23 frantzen Exp $
#
# Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
@@ -53,6 +53,13 @@ SRCS= tcpdump.c addrtoname.c \
print-udpencap.c \
gmt2local.c savestr.c setsignal.c
+# TCP OS Fingerprinting
+.PATH: ${.CURDIR}/../../sys/net
+.PATH: ${.CURDIR}/../../sbin/pfctl
+SRCS+= pf_osfp.c pfctl_osfp.c
+CFLAGS+=-I${.CURDIR}/../../sbin/pfctl
+CFLAGS+=-DFAKE_PF_KERNEL
+
#SRCS+= smbutil.c print-smb.c
AWKS = atime.awk packetdat.awk send-ack.awk stime.awk
diff --git a/usr.sbin/tcpdump/interface.h b/usr.sbin/tcpdump/interface.h
index 8b7e4a97c2a..87898265d78 100644
--- a/usr.sbin/tcpdump/interface.h
+++ b/usr.sbin/tcpdump/interface.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: interface.h,v 1.39 2003/06/26 21:36:39 deraadt Exp $ */
+/* $OpenBSD: interface.h,v 1.40 2003/08/21 19:14:23 frantzen Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -20,7 +20,7 @@
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
- * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.39 2003/06/26 21:36:39 deraadt Exp $ (LBL)
+ * @(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/interface.h,v 1.40 2003/08/21 19:14:23 frantzen Exp $ (LBL)
*/
#ifndef tcpdump_interface_h
@@ -42,6 +42,7 @@ extern int eflag; /* print ethernet header */
extern int fflag; /* don't translate "foreign" IP address */
extern int nflag; /* leave addresses as numbers */
extern int Nflag; /* remove domains from printed host names */
+extern int oflag; /* OS fingerprint */
extern int qflag; /* quick (shorter) output */
extern int Sflag; /* print raw TCP sequence numbers */
extern int tflag; /* print packet arrival time */
diff --git a/usr.sbin/tcpdump/print-tcp.c b/usr.sbin/tcpdump/print-tcp.c
index d28fd983fb6..9b6cd652bdc 100644
--- a/usr.sbin/tcpdump/print-tcp.c
+++ b/usr.sbin/tcpdump/print-tcp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-tcp.c,v 1.16 2001/12/23 01:05:15 stevesk Exp $ */
+/* $OpenBSD: print-tcp.c,v 1.17 2003/08/21 19:14:23 frantzen Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -23,11 +23,12 @@
#ifndef lint
static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-tcp.c,v 1.16 2001/12/23 01:05:15 stevesk Exp $ (LBL)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-tcp.c,v 1.17 2003/08/21 19:14:23 frantzen Exp $ (LBL)";
#endif
#include <sys/param.h>
#include <sys/time.h>
+#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -35,6 +36,8 @@ static const char rcsid[] =
#include <netinet/ip_var.h>
#include <netinet/tcp.h>
#include <netinet/tcpip.h>
+#include <net/if.h>
+#include <net/pfvar.h>
#include <rpc/rpc.h>
@@ -388,6 +391,39 @@ tcp_print(register const u_char *bp, register u_int length,
}
}
+ /* OS Fingerprint */
+ if (oflag && ip6 == NULL && (flags & (TH_SYN|TH_ACK)) == TH_SYN) {
+ struct pf_osfp_enlist *head = NULL;
+ struct pf_osfp_entry *fp;
+ unsigned long left;
+ left = (unsigned long)(snapend - (const u_char *)tp);
+
+ if (left >= hlen)
+ head = pf_osfp_fingerprint_hdr(ip, tp);
+ if (head) {
+ int prev = 0;
+ printf(" (src OS:");
+ SLIST_FOREACH(fp, head, fp_entry) {
+ if (fp->fp_enflags & PF_OSFP_EXPANDED)
+ continue;
+ if (prev)
+ printf(",");
+ printf(" %s", fp->fp_class_nm);
+ if (fp->fp_version_nm[0])
+ printf(" %s", fp->fp_version_nm);
+ if (fp->fp_subtype_nm[0])
+ printf(" %s", fp->fp_subtype_nm);
+ prev = 1;
+ }
+ printf(")");
+ } else {
+ if (left < hlen)
+ printf(" (src OS: short-pkt)");
+ else
+ printf(" (src OS: unknown)");
+ }
+ }
+
length -= hlen;
if (length > 0 || flags & (TH_SYN | TH_FIN | TH_RST))
(void)printf(" %lu:%lu(%d)", (long) seq, (long) (seq + length),
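Review bot: The `left >= hlen` test before `pf_osfp_fingerprint_hdr(ip, tp)` is the only thing that keeps the fingerprinter's walk over the TCP options inside the captured bytes, and nothing in the hunk says so; a comment on that line such as `/* the fingerprinter reads TCP options up to hlen; the whole header must lie within the snapshot */` would preserve the reason the next time someone touches it. The else branch then re-tests `left < hlen` to pick between "short-pkt" and "unknown", so the same condition is evaluated in two places; deciding it once — `if (left < hlen) printf(" (src OS: short-pkt)"); else if ((head = pf_osfp_fingerprint_hdr(ip, tp)) == NULL) printf(" (src OS: unknown)"); else { ... }` — keeps the three outcomes in one chain, and `left` could be initialized at its declaration rather than assigned on the following line. This presumes `tp` itself was already bounds-checked against `snapend` earlier in tcp_print, which starts outside the hunk.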
diff --git a/usr.sbin/tcpdump/tcpdump.8 b/usr.sbin/tcpdump/tcpdump.8
index f42801bf4a0..f40eafde937 100644
--- a/usr.sbin/tcpdump/tcpdump.8
+++ b/usr.sbin/tcpdump/tcpdump.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tcpdump.8,v 1.37 2003/07/17 08:45:37 markus Exp $
+.\" $OpenBSD: tcpdump.8,v 1.38 2003/08/21 19:14:23 frantzen Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996
.\" The Regents of the University of California. All rights reserved.
@@ -27,7 +27,7 @@
.Nd dump traffic on a network
.Sh SYNOPSIS
.Nm tcpdump
-.Op Fl adeflnNOpqStvxX
+.Op Fl adeflnNoOpqStvxX
.Op Fl c Ar count
.Op Fl F Ar file
.Op Fl i Ar interface
@@ -116,6 +116,12 @@ will print
.Dq nic
instead of
.Dq nic.ddn.mil .
+.It Fl o
+Print a guess of the possible operating system(s) of hosts that sent TCP SYN
+packets.
+See
+.Xr pf.os 5
+for a description of the passive operating system fingerprints.
.It Fl O
Do not run the packet-matching code optimizer.
This is useful only if you suspect a bug in the optimizer.
@@ -1214,7 +1220,7 @@ will be of much use to you.
The general format of a tcp protocol line is:
.Bd -ragged -offset indent
.Ar src No \&> Ar dst :
-.Ar flags data\&-seqno ack window urgent options
+.Ar flags src\&-os data\&-seqno ack window urgent options
.Ed
.Pp
.Ar src
@@ -1241,6 +1247,10 @@ or
or a single
.Ql \&.
.Pq no flags .
+.Ar src\&-os
+will list a guess of the source host's operating system if the
+.Ar -o
+command line flag was passed to tcpdump.
.Ar data\&-seqno
describes the portion of sequence space covered
by the data in this packet (see example below).
@@ -1932,6 +1942,7 @@ interrupt.
.\" traffic(1C), nit(4P),
.Xr pcap 3 ,
.Xr bpf 4
+.Xr pf.os 5
.Sh AUTHORS
Van Jacobson
.Pq van@ee.lbl.gov ,
diff --git a/usr.sbin/tcpdump/tcpdump.c b/usr.sbin/tcpdump/tcpdump.c
index 6e0935b47b9..0b5f98eccf5 100644
--- a/usr.sbin/tcpdump/tcpdump.c
+++ b/usr.sbin/tcpdump/tcpdump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcpdump.c,v 1.32 2003/07/17 08:45:37 markus Exp $ */
+/* $OpenBSD: tcpdump.c,v 1.33 2003/08/21 19:14:23 frantzen Exp $ */
/*
* Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -26,7 +26,7 @@ static const char copyright[] =
"@(#) Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997\n\
The Regents of the University of California. All rights reserved.\n";
static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/tcpdump.c,v 1.32 2003/07/17 08:45:37 markus Exp $ (LBL)";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/tcpdump.c,v 1.33 2003/08/21 19:14:23 frantzen Exp $ (LBL)";
#endif
/*
@@ -56,6 +56,13 @@ static const char rcsid[] =
#include "setsignal.h"
#include "gmt2local.h"
+#include <sys/socket.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <net/pfvar.h>
+#include "pfctl.h"
+#include "pfctl_parser.h"
+
int aflag; /* translate network and broadcast addresses */
int dflag; /* print filter code */
int eflag; /* print ethernet header */
@@ -63,6 +70,7 @@ int fflag; /* don't translate "foreign" IP address */
int nflag; /* leave addresses as numbers */
int Nflag; /* remove domains from printed host names */
int Oflag = 1; /* run filter code optimizer */
+int oflag; /* print passive OS fingerprints */
int pflag; /* don't go promiscuous */
int qflag; /* quick (shorter) output */
int Sflag; /* print raw TCP sequence numbers */
@@ -162,7 +170,7 @@ main(int argc, char **argv)
error("%s", ebuf);
opterr = 0;
- while ((op = getopt(argc, argv, "ac:deE:fF:i:lnNOpqr:s:StT:vw:xXY")) != -1)
+ while ((op = getopt(argc, argv, "ac:deE:fF:i:lnNOopqr:s:StT:vw:xXY")) != -1)
switch (op) {
case 'a':
@@ -215,6 +223,13 @@ main(int argc, char **argv)
Oflag = 0;
break;
+ case 'o':
+ pf_osfp_initialize();
+ if (pfctl_file_fingerprints(-1,
+ PF_OPT_QUIET|PF_OPT_NOACTION, PF_OSFP_FILE) == 0)
+ oflag = 1;
+ break;
+
case 'p':
++pflag;
break;
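Review bot: When `pfctl_file_fingerprints()` fails the `-o` request is silently dropped: PF_OPT_QUIET suppresses the loader's own diagnostics and `oflag` simply stays 0, so a user who asked for fingerprints gets none and no indication why. An else branch that reports it — `error("cannot load OS fingerprints from %s", PF_OSFP_FILE);` using the `error()` helper seen earlier in main, or a non-fatal warning if continuing without fingerprints is intended — would make the failure visible. A repeated `-o` on the command line also calls `pf_osfp_initialize()` and loads the file a second time; wrapping the case body in `if (!oflag)` avoids that, assuming `pf_osfp_initialize()` is not idempotent under FAKE_PF_KERNEL, which this hunk does not show. main() begins outside the hunk.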