Different tools use different parameters for operating system fingerprinting. Even researchers also look for these features to identify certain operating systems.

The most common features are TTL and Window_Size that are implemented with different values across different operating systems. However, there are other features that are used to fingerprint an operating system.

Here, I listed these features from this paper.

1) ver: IP protocol version. 2) ittl: Initial TTL used by the OS. 3) olen: Length of IPv4 options or IPv6 extension headers. 4) Maximum Segment Size (MSS): sometimes specified in TCP Options for segmentation. 5) wsize: Window Size, a fixed random value or a multiple of MSS, of MTU. 6) scale: Window Scaling factor, if specified in TCP Options. 7) olayout: Comma-delimited layout and ordering of TCP Options. For example, no-op option, maximum segment size, window scaling, selective ACK permitted, timestamp. 8) quirks: Comma-delimited properties in IP or TCP headers. 9) pclass: Payload size.

If you want to learn more about fingerprinting tools and processes, go through the following posts of mine:

Passive Operating System Fingerprinting by Analyzing PCAP files

Convert PCAP files to CSV for Network Traffic Analysis


  1. A Deception Based Approach for Defeating OS and Service Fingerprinting

Leave a comment