Operating System Fingerprinting Features in Captured Network Packets

Different tools use different parameters for operating system fingerprinting. Even researchers also look for these features to identify certain operating systems.

The most common features are TTL and Window_Size that are implemented with different values across different operating systems. However, there are other features that are used to fingerprint an operating system.

Here, I listed these features from this paper.

1) ver: IP protocol version. 2) ittl: Initial TTL used by the OS. 3) olen: Length of IPv4 options or IPv6 extension headers. 4) Maximum Segment Size (MSS): sometimes specified in TCP Options for segmentation. 5) wsize: Window Size, a fixed random value or a multiple of MSS, of MTU. 6) scale: Window Scaling factor, if specified in TCP Options. 7) olayout: Comma-delimited layout and ordering of TCP Options. For example, no-op option, maximum segment size, window scaling, selective ACK permitted, timestamp. 8) quirks: Comma-delimited properties in IP or TCP headers. 9) pclass: Payload size.

If you want to learn more about fingerprinting tools and processes, go through the following posts of mine:

Passive Operating System Fingerprinting by Analyzing PCAP files

Convert PCAP files to CSV for Network Traffic Analysis

References

1. A Deception Based Approach for Defeating OS and Service Fingerprinting