Nmap's algorithm for detecting matches is relatively simple. It takes a subject fingerprint and tests it against every single reference fingerprint in nmap-os-db.
When testing against a reference fingerprint, Nmap looks at each probe category line from the subject fingerprint (such as SEQ or T1) in turn. Any probe lines which do not exist in the reference fingerprint are skipped. When the reference fingerprint does have a matching line, the two lines are compared.
For a probe line comparison, Nmap examines every individual test (R, DF, W, etc.) from the subject category line in turn. Any tests which do not exist in the reference line are skipped. Whenever a matching test is found, Nmap increments the PossiblePoints accumulator by the number of points assigned to this test. Then the test values are compared. If the reference test has an empty value, the subject test only matches if its value is empty too. If the reference test is just a plain string or number (no operators), the subject test must match it exactly. If the reference string contains operators (|, -, >, or <), the subject must match as described in the section called "Test expressions". If a test matches, the NumMatchPoints accumulator is incremented by the test's point value. Because PossiblePoints only counts tests present in both fingerprints, a reference line that omits a test is neither rewarded nor penalized for it; the test simply does not contribute to the score.
Once all of the probe lines are tested for a fingerprint, Nmap divides NumMatchPoints by PossiblePoints. The result is a confidence factor describing the probability that the subject fingerprint matches that particular reference fingerprint. It is treated as a percentage, so 1.00 is a perfect match while 0.95 is very close.
Test point values are assigned by a special MatchPoints entry (which may only appear once) in nmap-os-db. This entry looks much like a normal fingerprint, but instead of providing results for each test, it provides point values (non-negative integers) for each test. A point value listed in the MatchPoints structure only applies to the probe category line it is listed under, so the value given for the W (window size) test in T1 does not affect the W test in T3.
An example MatchPoints structure is given in Example 8.7, "The MatchPoints structure".
Example 8.7. The MatchPoints structure
MatchPoints
SEQ(SP=25%GCD=75%ISR=25%TI=100%II=100%SS=80%TS=100)
OPS(O1=20%O2=20%O3=20%O4=20%O5=20%O6=20)
WIN(W1=15%W2=15%W3=15%W4=15%W5=15%W6=15)
ECN(R=100%DF=20%T=15%TG=15%W=15%O=15%CC=100%Q=20)
T1(R=100%DF=20%T=15%TG=15%S=20%A=20%F=30%RD=20%Q=20)
T2(R=80%DF=20%T=15%TG=15%W=25%S=20%A=20%F=30%O=10%RD=20%Q=20)
T3(R=80%DF=20%T=15%TG=15%W=25%S=20%A=20%F=30%O=10%RD=20%Q=20)
T4(R=100%DF=20%T=15%TG=15%W=25%S=20%A=20%F=30%O=10%RD=20%Q=20)
T5(R=100%DF=20%T=15%TG=15%W=25%S=20%A=20%F=30%O=10%RD=20%Q=20)
T6(R=100%DF=20%T=15%TG=15%W=25%S=20%A=20%F=30%O=10%RD=20%Q=20)
T7(R=80%DF=20%T=15%TG=15%W=25%S=20%A=20%F=30%O=10%RD=20%Q=20)
U1(R=50%DF=20%T=15%TG=15%TOS=50%IPL=100%UN=100%RIPL=100%RID=100%RIPCK=100%RUCK=100%RUL=100%RUD=100)
IE(R=50%DFI=40%T=15%TG=15%TOSI=25%CD=100%SI=100%DLI=100)
Once all of the reference fingerprints have been evaluated, Nmap orders them by confidence factor and prints the perfect matches (if there aren't too many). If there are no perfect matches, but some are very close, Nmap may print those. Guesses are more likely to be printed if the --osscan_guess option (also accepted as --osscan-guess) is given.
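The whole scoring walk described above (skipping probe lines and tests the reference lacks, accumulating PossiblePoints and NumMatchPoints per test, comparing against test expressions, dividing to get the confidence factor, and ordering the candidates), as an added Python example that is not Nmap's own code. It parses a constructed MatchPoints table and two constructed reference fingerprints written in the nmap-os-db probe-line format, scores a constructed subject fingerprint against each, and ranks the results. Reading the numeric values in -, > and < expressions as hexadecimal is an assumption about the reference format rather than something this page states, and all of the sample data is made up for the example.

```python
import re

# Added example, not Nmap's own code: a re-implementation of the scoring walk
# described above. Only unwrapped probe lines such as SEQ(...) or T1(...) are
# parsed. Treating values in range and bound expressions as hexadecimal is an
# assumption about the reference file format, not something this page states.

PROBE_LINE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")
HEX = re.compile(r"^[0-9A-F]+$")

def parse_probe_lines(lines):
    """Probe lines -> {probe: {test: value}}; 'T1(R=Y%Q=)' gives {'T1': {'R': 'Y', 'Q': ''}}."""
    fp = {}
    for line in lines:
        m = PROBE_LINE.match(line.strip())
        if m:
            fp[m.group(1)] = dict(item.partition("=")[::2] for item in m.group(2).split("%") if item)
    return fp

def parse_db(text):
    """nmap-os-db style text -> {name: fingerprint}; the point table is keyed 'MatchPoints'."""
    entries = {}
    for block in re.split(r"\n(?=Fingerprint |MatchPoints$)", text.strip(), flags=re.M):
        header, _, body = block.partition("\n")
        entries[header.split(" ", 1)[-1]] = parse_probe_lines(body.splitlines())
    return entries

def expr_matches(expr, value):
    """Does a subject test value satisfy one reference test expression?"""
    if expr == "":                      # empty reference value: only an empty subject value matches
        return value == ""
    numeric = HEX.match(value) is not None
    for alt in expr.split("|"):         # '|' separates alternatives; any one of them suffices
        if alt[:1] in ("<", ">") and numeric and HEX.match(alt[1:]):
            v, bound = int(value, 16), int(alt[1:], 16)
            if (v > bound) if alt[0] == ">" else (v < bound):
                return True
        elif "-" in alt and numeric:    # inclusive hexadecimal range lo-hi
            lo, _, hi = alt.partition("-")
            if HEX.match(lo) and HEX.match(hi) and int(lo, 16) <= int(value, 16) <= int(hi, 16):
                return True
        elif alt == value:              # plain string or number: exact match only
            return True
    return False

def score(subject, reference, matchpoints):
    """Return (NumMatchPoints, PossiblePoints) for the subject against one reference."""
    matched = possible = 0
    for probe, tests in subject.items():
        for name, value in tests.items():
            if probe not in reference or name not in reference[probe]:
                continue                # probe line or test absent from the reference: skipped
            points = int(matchpoints.get(probe, {}).get(name, 0))
            possible += points          # counted once the test exists on both sides
            if expr_matches(reference[probe][name], value):
                matched += points
    return matched, possible

def rank(subject, db):
    """Confidence factor NumMatchPoints / PossiblePoints per reference, best first."""
    results = []
    for name, ref in db.items():
        if name != "MatchPoints":
            matched, possible = score(subject, ref, db["MatchPoints"])
            results.append((name, matched / possible if possible else 0.0))
    return sorted(results, key=lambda r: r[1], reverse=True)

# Constructed sample data for this example, not entries from the real nmap-os-db.
DB_TEXT = """
MatchPoints
SEQ(SP=25%GCD=75%ISR=25%TI=100%II=100%SS=80%TS=100)
T1(R=100%DF=20%T=15%TG=15%S=20%A=20%F=30%RD=20%Q=20)
T2(R=80%DF=20%T=15%TG=15%W=25%S=20%A=20%F=30%O=10%RD=20%Q=20)

Fingerprint Constructed Reference A
SEQ(SP=0-5%GCD=1|2|3%ISR=>C8%TI=Z%TS=U)
T1(R=Y%DF=Y%T=3B-45%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)

Fingerprint Constructed Reference B
SEQ(SP=C8-D2%GCD=1%ISR=C8-D2%TI=I%TS=1)
T1(R=Y%DF=N%T=7B-85%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=7B-85%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
"""
SUBJECT_TEXT = """
SEQ(SP=4%GCD=1%ISR=C9%TI=Z%II=I%TS=U)
OPS(O1=M5B4%O2=M5B4%O3=M5B4%O4=M5B4%O5=M5B4%O6=M5B4)
T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
"""

if __name__ == "__main__":
    db = parse_db(DB_TEXT)
    for name, conf in rank(parse_probe_lines(SUBJECT_TEXT.splitlines()), db):
        print(f"{conf:.2f} {'exact' if conf == 1.0 else 'guess'}  {name}")
```

In the sample, the subject's OPS line and its II and TG tests have no counterpart in either reference, so they add nothing to PossiblePoints; Reference A matches every remaining test (650 of 650 points), while Reference B fails SP, TI, TS, DF, T and the T2 R test and ends at 310 of 650, a confidence factor of about 0.48.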