LinuxQuestions.org
Old 10-03-2009, 06:11 PM   #1
tomekp
LQ Newbie
 
Registered: Jun 2004
Location: Poland
Distribution: Centos, Fedora
Posts: 27

Rep: Reputation: 16
Question OS Fingerprinting: How to force linux to be identified as windows


Long story: I'm having problems with my internet connection. I have two systems installed on my box - Linux and Windows. When I'm running windows, my network connection speed is about 500 kb/s. When I'm on Linux or using a router, speed drops to 20 kb/s. I have never seen this kind of behaviour before. Maybe I'm wrong, but I suspect that my ISP does something strange with my connection depending on the OS I use.
To prove my theory I've installed Osfuscate on Windows and set it to act like Linux. Speed dropped from 500 kb/s to 150 kb/s. Next thing I'd like to do is to force Linux to be identified as Windows. I've found some settings:
Code:
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
But I'm afraid that's not enough to trick nmap.
Help would be very appreciated. Or maybe someone knows why my network speed is dependent on the OS?
Thanks in advance
 
Old 10-04-2009, 01:35 AM   #2
everest40
Member
 
Registered: Jul 2008
Distribution: Ubuntu $LATESTVERSION
Posts: 160

Rep: Reputation: 64
Have you tried contacting your ISP about this? It sounds to me like you're not getting the service you're paying for, and you've got some evidence that the problem is in fact at their end. 20 kb/s is slower than my old dial-up Internet connection.
 
Old 10-04-2009, 02:08 AM   #3
tomekp
LQ Newbie
 
Registered: Jun 2004
Location: Poland
Distribution: Centos, Fedora
Posts: 27

Original Poster
Rep: Reputation: 16
Yes, I wrote a message to the ISP yesterday. But my provider really sucks - it's impossible to contact the administrator because it's the weekend :/ Unfortunately, changing ISP is not possible.
Anyway, I'd like to investigate a little bit on my own, to be perfectly sure that my speed problem is not my fault. The question remains: How do I force Linux to be identified as Windows?
 
Old 10-04-2009, 02:27 AM   #4
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Don't think you can do it. Fingerprinting relies on subtle nuances in how the stack handles certain situations.

How are you measuring the bandwidth? Are you passively sniffing the entire line with a different machine or using a local bandwidth measuring tool on just the traffic you're expecting? Perhaps there is some other process that is using up the line (bit torrent, botnet, etc.).

I don't understand the motivation an ISP would have to limit bandwidth based on an OS.
 
Old 10-04-2009, 07:43 AM   #5
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114
Block all ports then the ISP can't identify the OS at all. Browse through privoxy, which can be set to identify your system as whatever you choose.
 
Old 10-04-2009, 08:04 AM   #6
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Quote:
Originally Posted by jiml8
Block all ports then the ISP can't identify the OS at all. Browse through privoxy, which can be set to identify your system as whatever you choose.
Not true. There are techniques to passively identify an OS, especially if you're a MITM... and browsing through privoxy only allows you to sanitize higher layers. If the privoxy server is on the linux machine, then it's still going to be using the linux stack to forward the requests at the lower levels.

But then, it really depends on what (if they really are) criteria they are using to make the determination. Is it only http traffic that's slowing down? If yes, then privoxy just might be the answer. If it's everything, including VPN traffic, then certainly not.

Last edited by JulianTosh; 10-04-2009 at 08:07 AM. Reason: clarification
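What a passive observer reads from a single SYN, as an added example that is not part of the original thread: the three settings from post #1 change only the TTL and the presence of the window-scale and timestamp options, while window size, MSS, the DF bit and the option layout are read as well. The two packets are constructed samples (addresses, ports and values are assumptions, not real OS signatures), and `build_syn`, `syn_fingerprint` and `differing_fields` are illustrative names.

```python
import struct
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def build_syn(ttl, window, options, df=True):
    """Constructed IPv4+TCP SYN for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (5 + len(options) // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp

def syn_fingerprint(packet):
    """Return the fields a passive observer can read from one SYN."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    opts = tcp[20:(tcp[12] >> 4) * 4]
    layout, fp, i = [], {}, 0
    while i < len(opts):
        kind = opts[i]
        layout.append(OPT_NAMES.get(kind, "?%d" % kind))
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                          # malformed length, stop parsing
        body = opts[i + 2:i + opts[i + 1]]
        if kind == 2 and len(body) == 2:
            fp["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            fp["wscale"] = body[0]
        i += opts[i + 1]
    # The observed TTL is rounded up to the nearest common initial value.
    fp["ttl"] = next(t for t in (32, 64, 128, 255) if packet[8] <= t)
    fp["df"] = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    fp["window"] = struct.unpack("!H", tcp[14:16])[0]
    fp["options"] = ",".join(layout)
    return fp

def differing_fields(a, b):
    """Names of the fingerprint fields on which two SYNs disagree."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

# Constructed samples, not captured traffic and not real OS signatures.
SYN_A = build_syn(57, 5840, b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + bytes(8) + b"\x01\x03\x03\x07")
SYN_B = build_syn(121, 65535, b"\x02\x04\x05\xb4\x01\x01\x04\x02")
if __name__ == "__main__":
    print(differing_fields(syn_fingerprint(SYN_A), syn_fingerprint(SYN_B)))
```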
 
Old 10-04-2009, 01:39 PM   #7
tomekp
LQ Newbie
 
Registered: Jun 2004
Location: Poland
Distribution: Centos, Fedora
Posts: 27

Original Poster
Rep: Reputation: 16
I'll try to describe everything as clearly as I can.
My internet connection works at full speed (500 kb/s) only in one situation - when cable is connected directly to my box and the OS is Windows. When the OS is Linux, speed drops to 20 kb/s. When I try to use router (I've checked Linksys WRT54GL with three different firmwares and D-Link DI-604) speed drops to 20 kb/s - no matter which OS I'm running. But there's one exception - ssh works at full speed, always.
I'm sure it's not some service or torrent choking my connection. I've checked 3 distros - Centos, Fedora and Debian (fresh installation). I measure speed in a very simple way - I'm downloading a file from ISP test page (with firefox) or file from server in my company (ftp or ssh).
In my opinion there's nothing wrong with my configuration - I've checked my computer and routers with different ISP, everything works fine. That's why I think that my ISP is choking my connection. Why? I have no idea. Maybe tomorrow I'll get some answers.
 
Old 10-04-2009, 09:16 PM   #8
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197
There is no reason why the download speed should depend on OS.
You need to check with the ISP to find out what is happening.
 
Old 10-05-2009, 01:27 AM   #9
tomekp
LQ Newbie
 
Registered: Jun 2004
Location: Poland
Distribution: Centos, Fedora
Posts: 27

Original Poster
Rep: Reputation: 16
Simon Bridge: I agree. There's no reason why download should depend on OS. But it's theoretically possible. And from my point of view, it is happening to me. Please, correct me if my conclusions are wrong.
 
Old 10-05-2009, 09:18 PM   #10
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Hi.

"I measure speed in a very simple way - I'm downloading a file from ISP test page (with firefox) or file from server in my company (ftp or ssh)"

Firefox gives OS identification. FTP client as well.

First of all, the next time you check the speed under Windows, try to find out how many connections your browser or FTP client opens to the server. It can be more than one, and then compare with Linux.
I use OpenSuse, and I do it because under Linux the internet works much, much better than under Windows.

What I think is that it may be the default tcp/ip configuration or other default network configuration.
All linux's distributions have different default configurations, so you have to read about it on their web sites.
500 kb/s = 62 KB/s - it is not big speed.
Check ethernet card settings - full/half duplex, negotiation ...
 
Old 10-06-2009, 04:14 AM   #11
tomekp
LQ Newbie
 
Registered: Jun 2004
Location: Poland
Distribution: Centos, Fedora
Posts: 27

Original Poster
Rep: Reputation: 16
nimnull22: I've checked several distros including live CDs (redhat based, debian based). And by saying kb/s I meant kilobytes/s - my mistake.
Anyway, today my ISP is sending his worker to fix the problem.
 
Old 10-07-2009, 08:38 PM   #12
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197
Well done - this suggests that your ISP is not throttling your bandwidth based on OS. (At least, not deliberately.) Let us know how it goes.
 
Old 10-08-2009, 03:41 AM   #13
tomekp
LQ Newbie
 
Registered: Jun 2004
Location: Poland
Distribution: Centos, Fedora
Posts: 27

Original Poster
Rep: Reputation: 16
OK, the situation looks like this. Yesterday a technician came to fix my issue. He checked my configuration, then phoned the administrator. He was told that the cable is the source of the problem, and that only Windows can handle this kind of crossover cable. He also said something about gigabit ethernet cards. I don't know the details - I haven't spoken to the administrator directly and I didn't have time to ask too many questions.
For me it all looks a bit weird, but I'm no guru. Now I'm waiting for someone to replace the cable with one that will be linux-compatible.
 
Old 10-08-2009, 12:27 PM   #14
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Hi.

They confuse you. Linux is much more flexible than Windows. If you connect your comp, there should not be a crossover Ethernet cable, which is normally used only between routers or switches. There may be some problems with the configuration of the Ethernet cards (your comp. and the port in their router), but in Linux by default everything should be in "auto". You can manually set it to use 100BaseT: ETHTOOL_OPTIONS='speed 100 duplex full autoneg on wol d' (add it to ifcfg_ethX).
 
Old 10-12-2009, 04:01 AM   #15
tomekp
LQ Newbie
 
Registered: Jun 2004
Location: Poland
Distribution: Centos, Fedora
Posts: 27

Original Poster
Rep: Reputation: 16
Miracle! Yesterday everything started to work, without replacing the cable or any configuration change on my side. I guess my ISP found the source of the problem somewhere else, but he didn't bother to let me know what it was. Anyway, I'm glad I finally have my net fixed. And thank you all for your help.
 
  



Tags
identification, passive, tcp

