SYNSCAN.CONF(5)             BSD File Formats Manual            SYNSCAN.CONF(5)

NAME
     synscan.conf - the sessions configuration file for synscan

DESCRIPTION
     synscan(8) is a TCP/IP stack OS fingerprinting and network testing tool
     used to identify the TCP/IP behavioral characteristics of a remote open
     TCP port.  Sessions define the parameters used to open, pass data, and
     close a connection with the remote host.  A session is a named entity
     whose format is:

           session session_name {
                   [session directives]
           };

GROUPS
     Groups are used by synscan so that a number of sessions from the
     configuration file can be run simultaneously while others are not.  A
     group is defined with the format:

           group group_name {
                   session session_1 { ... };
                   session session_2 { ... };
                   ...
           };

     When synscan is told to run the group_name group, only session_1 and
     session_2 will be run, and any other session or group declarations in
     the file are not run.

SESSION DIRECTIVES
     Within a session declaration, all the session directives are parsed in
     order and are used to initialize synscan to run that particular session.
     All directives are terminated with a semicolon.

     synopts = OPTIONS ;
             The synopts directive is used to configure various parameters in
             the initial TCP SYN segment that opens the connection.  The valid
             OPTIONS are:

             mss NUM              the TCP MSS option with NUM as the option
                                  value.
             timestamp NUM , NUM  the TCP TIMESTAMP option with two values.
             wscale NUM           the TCP WSCALE option and option value.
             sackok               the TCP SACKOK option.
             nop                  the NOP padding option.
             win NUM              sets the initial advertised TCP window to
                                  NUM.
             dfbit                sets the DF bit in the IP header; the
                                  default is zero.

             Options can appear multiple times and are separated by
             whitespace.  Examples:

                   synopts = dfbit;
                   synopts = mss 256 timestamp 1,0 nop nop sackok nop nop dfbit;

     ackopts = OPTIONS ;
             The ackopts will be appended to every TCP segment sent which is
             an empty acknowledgement (i.e. no payload).  The format is the
             same as for synopts.
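
     The following added example (not part of synscan or of the original
     page) parses a synopts/ackopts directive and emits the TCP option bytes
     it describes, which helps when matching a session definition against a
     packet capture.  The name parse_opts is hypothetical, and the encoding
     assumed is the standard RFC option layout with no padding added;
     synscan's own parser may behave differently.

```python
import struct

# TCP option kinds (RFC 9293, RFC 7323, RFC 2018)
NOP, MSS, WSCALE, SACKOK, TIMESTAMP = 1, 2, 3, 4, 8

def parse_opts(directive):
    """Parse 'synopts = OPTIONS ;' into (tcp_option_bytes, window, df_bit)."""
    name, _, body = directive.strip().partition("=")
    body = body.strip()
    if name.strip() not in ("synopts", "ackopts") or not body.endswith(";"):
        raise ValueError("expected 'synopts = OPTIONS ;'")
    # The page writes 'timestamp NUM , NUM', so make the comma its own token.
    it = iter(body[:-1].replace(",", " , ").split())
    raw, window, df = b"", None, False

    def num():
        arg = next(it, "")
        if not arg.isdigit():
            raise ValueError(f"numeric argument expected, got {arg!r}")
        return int(arg)

    for tok in it:
        if tok == "mss":
            raw += struct.pack("!BBH", MSS, 4, num())
        elif tok == "timestamp":
            tsval = num()
            if next(it, "") != ",":
                raise ValueError("timestamp: expected NUM , NUM")
            raw += struct.pack("!BBII", TIMESTAMP, 10, tsval, num())
        elif tok == "wscale":
            raw += struct.pack("!BBB", WSCALE, 3, num())
        elif tok == "sackok":
            raw += bytes([SACKOK, 2])
        elif tok == "nop":
            raw += bytes([NOP])
        elif tok == "win":
            window = num()          # goes in the TCP header, not the options
        elif tok == "dfbit":
            df = True               # goes in the IP header
        else:
            raise ValueError(f"unknown option {tok!r}")
    if len(raw) > 40:               # a TCP header has room for 40 option bytes
        raise ValueError("options exceed 40 bytes")
    return raw, window, df

if __name__ == "__main__":
    # The page's own second synopts example
    print(parse_opts("synopts = mss 256 timestamp 1,0 nop nop sackok nop nop dfbit;"))
```
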

     3whs | twhs ;
             Tells synscan to perform a full TCP 3-Way Handshake.  Basically,
             this means sending an empty ack after receiving a synack from
             the remote host.  If this directive is not present, this ack
             will not be sent.

     ttlcheck [ delay NUM ] ;
             The ttlcheck directive tells synscan to perform

     close fin | rst | nolastack ;
             The synopts directive is used to configure various parameters in
             the initial TCP SYN segment that opens the connection.

     seg = LENGTH @ OFFSET [ datamask ] ;
             The synopts directive is used to configure various parameters in
             the initial TCP SYN segment that opens the connection.

     frag = LENGTH @ OFFSET [ + ] [ datamask ] ;

     maskwidth = WIDTH ;
             The maskwidth directive adjusts the mask width for any data
             masks within the entire session configuration.  The units of
             WIDTH are in bytes and represent how many bytes either an 'X' or
             an 'O' should or should not mask out.

     drop INTLIST ;
             The drop directive allows one to simulate packet loss by way of
             sending duplicate acknowledgements upon receipt of certain
             packets.

     ack all | none ;
             The ack directive specifies that synscan either acknowledge all
             or none of the TCP segments received by synscan.

     policy_name STRING ;
             One can name a policy of some

TIMING DIRECTIVES
     timeout NUM ;
             A session can be configured to time out (and subsequently fail)
             after NUM seconds with the timeout directive.  This is useful in
             cases where the receiving TCP may not be able to correctly
             reassemble or receive the data sent by the session config.

     delay NUM ;
             The delay directive is used to add a delay, in milliseconds,
             separating either the TCP segments or the IP fragments that the
             session is configured to send.  Example:

                   session send_frags {
                           3whs;
                           frag 256@0+;
                           delay 100;      # pause 100 ms before continuing
                           frag -@256;
                           close fin;
                   };

EXAMPLES

NOTES
     Sessions that have frag or seg fields will be skipped if synscan is told
     to connect to a port for which there is no service definition in the
     services file.

     Timestamp options can have a zero or non-zero numerical value.
     A non-zero value will always be replaced with either the current TSval
     incrementor or the TSrecent stamp from the server (for the TSecr field).

SEE ALSO
     synscan(8), synscan.services(5)

AUTHORS
     Greg Taleck

BSD                            November 18, 2003                           BSD