There are several techniques for remotely fingerprinting operating systems via network traffic. They can be divided broadly into two categories: active and passive.
The term operating system fingerprinting is a bit of a misnomer, as the term really refers to network stack fingerprinting. Because network stacks vary from OS to OS, the corresponding operating systems can be inferred by fingerprinting the network stack.
With its user-contributed database of over 1,600 OS fingerprints, Nmap's
-O option is probably the best-known active OS fingerprinting implementation. Nmap primarily utilizes the vagaries of TCP to guess the identity of remote operating systems, especially these:
The way a target ...