Different tools use different parameters for operating system fingerprinting. Even researchers also look for these features to identify certain operating systems.
The most common features are
Window_Size that are implemented with different values across different operating systems. However, there are other features that are used to fingerprint an operating system.
Here, I listed these features from this paper.
1) ver: IP protocol version. 2) ittl: Initial TTL used by the OS. 3) olen: Length of IPv4 options or IPv6 extension headers. 4) Maximum Segment Size (MSS): sometimes specified in TCP Options for segmentation. 5) wsize: Window Size, a fixed random value or a multiple of MSS, of MTU. 6) scale: Window Scaling factor, if specified in TCP Options. 7) olayout: Comma-delimited layout and ordering of TCP Options. For example, no-op option, maximum segment size, window scaling, selective ACK permitted, timestamp. 8) quirks: Comma-delimited properties in IP or TCP headers. 9) pclass: Payload size.
If you want to learn more about fingerprinting tools and processes, go through the following posts of mine: