This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Passive OS identification


Hi. If we want to identify a computer's OS, a simple but effective passive method is to inspect:

Initial TTL (8 bits)
Window size (16 bits)
Max segment size (16 bits)
Window scaling value (8 bits)
Don't fragment flag (1 bit)
SACK OK flag (1 bit)
NOP flag (1 bit)

Below are some typical initial TTL values and window sizes of common operating systems:

Operating system                    Initial TTL   Window size
Linux (kernel 2.4 and 2.6)          64            5840
Google's customized Linux           64            5720
FreeBSD                             64            65535
Windows XP                          128           65535
Windows 7, Vista and Server 2008    128           8192
Cisco Router (IOS 12.4)             255           4128

Can anyone help me find the other parameters (max segment size, don't fragment flag, ...) for these common operating systems? Can the TTL values and window sizes be initialized to values different from the ones mentioned here?


asked 22 Jun '17, 08:52

ghader
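As an added example (not part of ghader's post), the following Python script extracts the seven fields listed in the question from a raw IPv4/TCP SYN and compares them with the table above. The packet is built inline from constructed values, so it runs offline; field layouts and option kinds follow RFC 791 (IPv4), RFC 793 (TCP, MSS option), RFC 2018 (SACK-permitted) and RFC 7323 (window scale). Checksums are neither computed nor verified. It also addresses the second question: the TTL seen on the wire is the initial value minus one per hop, so the script rounds the observed TTL up to the nearest of 64, 128 and 255 before consulting the table.

```python
import struct

# Reference table copied from the question: OS -> (initial TTL, window size)
OS_TABLE = {
    "Linux (kernel 2.4 and 2.6)": (64, 5840),
    "Google's customized Linux": (64, 5720),
    "FreeBSD": (64, 65535),
    "Windows XP": (128, 65535),
    "Windows 7, Vista and Server 2008": (128, 8192),
    "Cisco Router (IOS 12.4)": (255, 4128),
}

# Initial TTLs that appear in the table; each router hop subtracts one, so the
# value seen on the wire is normally a little below one of these.
INITIAL_TTLS = (64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest known initial value."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return INITIAL_TTLS[-1]


def build_syn(ttl, window, mss=None, wscale=None, sack_ok=False, df=True):
    """Constructed IPv4 + TCP SYN (no valid checksums) used as sample input."""
    options = b""
    if mss is not None:
        options += struct.pack("!BBH", 2, 4, mss)       # kind 2, len 4
    if sack_ok:
        options += bytes([4, 2])                        # kind 4, len 2
    if wscale is not None:
        options += bytes([1]) + struct.pack("!BBB", 3, 3, wscale)  # NOP + kind 3
    while len(options) % 4:
        options += bytes([1])                           # NOP padding to 32 bits
    data_offset = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4,
                      0x02, window, 0, 0) + options     # flags byte 0x02 = SYN
    flags_frag = 0x4000 if df else 0                    # DF is bit 14 of the field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, flags_frag,
                     ttl, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp


def extract_fields(packet):
    """Pull the fingerprinting fields out of a raw IPv4 + TCP packet (bytes)."""
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack_from("!H", packet, 6)[0]
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    tcp_flags = tcp[13]
    fields = {
        "ttl": packet[8],
        "df": bool(flags_frag & 0x4000),
        "window": struct.unpack_from("!H", tcp, 14)[0],
        "syn": bool(tcp_flags & 0x02) and not (tcp_flags & 0x10),  # SYN, not SYN/ACK
        "mss": None,
        "wscale": None,
        "sack_ok": False,
        "nop": 0,
    }
    opts = tcp[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP has no length byte
            fields["nop"] += 1
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                           # truncated or malformed option
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            fields["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            fields["wscale"] = body[0]
        elif kind == 4:
            fields["sack_ok"] = True
        i += length
    return fields


def match_os(fields):
    """Table rows whose initial TTL and window size agree with the packet."""
    initial = guess_initial_ttl(fields["ttl"])
    return [name for name, (ttl, window) in OS_TABLE.items()
            if ttl == initial and window == fields["window"]]


if __name__ == "__main__":
    # Constructed sample: a Linux-like SYN that has crossed 12 hops (64 - 12 = 52)
    fields = extract_fields(build_syn(ttl=52, window=5840, mss=1460, wscale=7, sack_ok=True))
    print(fields)
    print("initial TTL guess:", guess_initial_ttl(fields["ttl"]))
    print("candidates:", match_os(fields))
```

Note that window size alone is ambiguous even within this small table (FreeBSD and Windows XP both use 65535), which is why the TTL estimate is combined with it, and why the remaining fields in the list (MSS, window scale, option order) matter when the table is extended.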


One Answer:


Take a look at the open-source nmap tool. Its OS fingerprint database covers 2600+ fingerprints.

If all you want is "something that does fingerprinting", nmap is pretty solid.

If, however, you want to dig into the actual mechanics of OS fingerprints, you can look at nmap's database without installing the tool.

Raw fingerprint data here -> https://svn.nmap.org/nmap/nmap-os-db

Explanation of nmap-os-db fingerprint format -> https://nmap.org/book/osdetect-fingerprint-format.html

answered 22 Jun '17, 11:00

wesmorgan1
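As an added example (not part of wesmorgan1's answer and not nmap's own code), here is a small Python reader for the record layout that the linked format page documents: a `Fingerprint` name line, `Class` and `CPE` lines, and test lines such as `SEQ(...)` and `T1(...)` whose `%`-separated attribute expressions can be literals, `|` alternatives, hex ranges written `LO-HI`, or `>`/`<` comparisons. The two database entries and the observed values below are constructed for illustration and are not copied from nmap-os-db. The scoring is an unweighted tally of matching attributes; nmap weights attributes through the MatchPoints entry, so this is a way to read and understand the file, not a substitute for nmap's matcher.

```python
import re

# Constructed sample in the nmap-os-db layout described at
# https://nmap.org/book/osdetect-fingerprint-format.html (not real entries).
SAMPLE_DB = """\
# Lines starting with '#' are comments, as in the real file.
Fingerprint Example Linux 2.6 (constructed)
Class Linux | Linux | 2.6.X | general purpose
CPE cpe:/o:linux:linux_kernel:2.6 auto
SEQ(SP=B8-C2%GCD=1-6%TI=Z%II=I%TS=7)
WIN(W1=16D0%W2=16D0)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%Q=)

Fingerprint Example Windows XP (constructed)
Class Microsoft | Windows | XP | general purpose
CPE cpe:/o:microsoft:windows_xp
SEQ(SP=F0-FF%GCD=1-6%TI=I%II=I%TS=0)
WIN(W1=FFFF%W2=FFFF)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%Q=)
"""

# Constructed observation for a host that behaves like the first entry
OBSERVED = {
    "SEQ": {"SP": "BD", "GCD": "1", "TI": "Z", "II": "I", "TS": "7"},
    "WIN": {"W1": "16D0", "W2": "16D0"},
    "T1": {"R": "Y", "DF": "Y", "T": "40", "TG": "40", "S": "O",
           "A": "S+", "F": "AS", "Q": ""},
}

_TEST_LINE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")
_HEX = re.compile(r"^[0-9A-F]+$")
_RANGE = re.compile(r"^([0-9A-F]+)-([0-9A-F]+)$")


def parse_db(text):
    """Split the text into records: name, Class/CPE lines and a dict of
    test-name -> {attribute: expression}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            current = {"name": line[len("Fingerprint "):], "class": [], "cpe": [], "tests": {}}
            records.append(current)
        elif current is None:
            continue                                    # data before any record
        elif line.startswith("Class "):
            current["class"].append([p.strip() for p in line[len("Class "):].split("|")])
        elif line.startswith("CPE "):
            current["cpe"].append(line[len("CPE "):].split()[0])  # drop trailing 'auto'
        else:
            m = _TEST_LINE.match(line)
            if m:
                test, body = m.groups()
                attrs = {}
                for pair in body.split("%"):
                    if "=" in pair:
                        key, expr = pair.split("=", 1)
                        attrs[key] = expr               # 'Q=' yields an empty string
                current["tests"][test] = attrs
    return records


def value_matches(expr, observed):
    """Match one observed value against an expression: literal, '|' alternatives,
    hex range LO-HI, or '>N' / '<N'. Non-hex tokens such as Y, Z, S+ and AS are
    compared literally, as is the empty string."""
    obs_is_hex = bool(_HEX.match(observed))
    for alt in expr.split("|"):
        if alt == observed:
            return True
        rng = _RANGE.match(alt)
        if rng and obs_is_hex:
            lo, hi = int(rng.group(1), 16), int(rng.group(2), 16)
            if lo <= int(observed, 16) <= hi:
                return True
        elif alt[:1] in ("<", ">") and _HEX.match(alt[1:]) and obs_is_hex:
            bound, value = int(alt[1:], 16), int(observed, 16)
            if (alt[0] == ">" and value > bound) or (alt[0] == "<" and value < bound):
                return True
    return False


def score(record, observed):
    """(matched, compared) over the attributes both sides define; unweighted,
    unlike nmap's MatchPoints-based scoring."""
    matched = compared = 0
    for test, attrs in observed.items():
        expected = record["tests"].get(test, {})
        for attr, value in attrs.items():
            if attr in expected:
                compared += 1
                matched += value_matches(expected[attr], value)
    return matched, compared


def rank(records, observed):
    """(name, matched, compared) tuples, best match first."""
    scored = [(r["name"],) + score(r, observed) for r in records]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for row in rank(parse_db(SAMPLE_DB), OBSERVED):
        print("%-36s %2d/%2d" % row)
```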