Inferensys

Glossary

Passive OS Fingerprinting

Passive OS fingerprinting is a network surveillance technique that identifies a remote host's operating system by silently observing subtle, unique characteristics in its TCP/IP stack implementation without sending any probe packets.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
NETWORK TRAFFIC ANALYSIS

What is Passive OS Fingerprinting?

Passive OS fingerprinting is a network reconnaissance technique that identifies a remote host's operating system by silently observing the unique characteristics of its TCP/IP stack implementation without sending any probing packets to the target.

Passive OS fingerprinting is the analysis of TCP/IP stack attributes—such as initial Time-to-Live (TTL), TCP window size, Don't Fragment (DF) flags, and TCP option ordering—in passively observed packets to identify the operating system of a connecting host. Unlike active fingerprinting tools like Nmap, this method generates zero additional network traffic, making it invisible to the target and undetectable by intrusion detection systems. The technique relies on the fact that different operating systems implement the TCP/IP specification with subtle, consistent variations that serve as a unique signature.

Security architects and platform engineers leverage passive fingerprinting within bot management and AI crawler identification pipelines to distinguish legitimate browser traffic from automated scripts. By cross-referencing the observed OS signature against the declared User-Agent string, engineers can detect mismatches—such as a Python script claiming to be Chrome on Windows—that indicate headless browser or scraping activity. Tools like p0f and Zeek integrate this analysis at the network edge, feeding bot score calculations and enabling preemptive blocking of datacenter-originated crawlers.

PASSIVE OS FINGERPRINTING

Key TCP/IP Attributes Analyzed

Passive OS fingerprinting examines specific fields within observed TCP/IP packets to infer the operating system of a remote host without sending any probe traffic. The following attributes form the core signature analyzed by tools like p0f and Wireshark.

01

Initial Time-to-Live (TTL)

The TTL value set in the IP header of the first packet from a host. Different operating systems use distinct default starting values.

  • Linux/Android: Typically starts at 64
  • Windows: Typically starts at 128
  • Cisco/Solaris: Typically starts at 255

By observing the TTL of a received packet and accounting for the number of network hops, you can estimate the original OS. A packet arriving with a TTL of 52 likely originated from a Linux host roughly 12 hops away.

64
Linux Default TTL
128
Windows Default TTL
02

TCP Window Size

The TCP receive window advertised in the SYN or SYN-ACK packet indicates the buffer space the host is willing to accept. This value is highly OS-specific and often remains consistent across versions.

  • Windows: Often uses a window size that is a multiple of MSS (Maximum Segment Size), or specific values like 65535
  • Linux: Tends to use multiples like 29200 or 28960
  • macOS/iOS: Commonly advertises 65535

This field is a cornerstone of passive fingerprinting because it is rarely modified by user applications.

65535
Common macOS/Windows Window
03

Don't Fragment (DF) Flag

The DF bit in the IP header controls whether a packet can be fragmented by routers along the path. The default setting of this flag is a strong OS indicator.

  • Windows: Sets the DF flag to 1 (on) by default for outbound TCP SYN packets
  • Linux: Typically sets the DF flag to 0 (off), allowing fragmentation
  • Network Devices: Often mirror the behavior of their kernel (e.g., Juniper based on FreeBSD)

Combined with TTL and Window Size, the DF flag helps disambiguate signatures between Windows and Linux hosts.

1
Windows DF Flag (On)
0
Linux DF Flag (Off)
04

TCP Options Order & Values

The specific sequence, type, and values of TCP options negotiated in the SYN packet create a unique fingerprint.

  • MSS (Maximum Segment Size): The value itself can indicate the underlying network interface MTU
  • Window Scaling: The multiplier factor (e.g., 7 or 8) is OS-dependent
  • SACK Permitted: Selective Acknowledgment support is standard on modern OSes
  • NOP (No-Operation): The padding bytes used to align options vary in placement
  • Timestamp: The format and frequency of TCP timestamps differ between kernels

The exact order—such as MSS, SACK, Timestamp, NOP, Window Scale—is a classic signature for specific Linux kernels.

4-8
Typical Option Count
05

IP Header ID Generation

The IP Identification field is a 16-bit value used to uniquely identify fragments of a datagram. The algorithm used to generate this ID differs by OS.

  • Windows: Increments the ID by 1 for each packet, regardless of destination
  • Linux: Tends to use a random or zero ID for non-fragmented traffic
  • OpenBSD: Uses a randomized ID for security

A monotonically increasing ID pattern strongly suggests a Windows host, while random or zero IDs point toward Unix-like systems.

Incremental
Windows ID Pattern
Random/Zero
Linux ID Pattern
06

SYN Packet Size

The total length of the initial TCP SYN packet is a quick heuristic for OS identification. Because TCP options vary in length and count, the overall packet size is a reliable aggregate metric.

  • Windows: Often sends a SYN packet of 52 bytes (options like MSS, NOP, Window Scale, NOP, NOP, SACK)
  • Linux: Often sends a SYN packet of 60 bytes (includes Timestamp option)
  • macOS: Typically sends a SYN packet of 64 bytes

This simple size check can immediately narrow down the OS family before deeper inspection.

52 bytes
Windows SYN Size
60 bytes
Linux SYN Size
PASSIVE OS FINGERPRINTING

Frequently Asked Questions

Explore the technical nuances of identifying remote operating systems through passive network traffic analysis, a critical technique for distinguishing legitimate user agents from spoofed AI crawler infrastructure.

Passive OS fingerprinting is a network surveillance technique that identifies a remote host's operating system by silently analyzing the distinct attributes of its TCP/IP stack implementation without sending any probe packets to the target. Unlike active fingerprinting tools like Nmap, which stimulate a response, passive methods observe live traffic flows—such as an incoming HTTP request from an AI crawler—to extract forensic signatures. The process relies on the fact that different operating systems (Linux, Windows, macOS) have unique default values for parameters like the Initial Time-to-Live (TTL) , TCP Window Size, and Don't Fragment (DF) bit behavior. By comparing these observed values against a signature database (such as the p0f fingerprint library), a network sensor can determine with high probability whether a connection originates from a Linux server in a data center or a genuine Windows 10 client, enabling precise bot detection without alerting the crawler.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.