TCP/IP stack fingerprinting is a passive OS detection method that inspects deviations in a host's TCP header fields—such as initial window size, Time to Live (TTL) values, and the Don't Fragment (DF) bit—to identify the underlying operating system. Because RFC specifications allow for implementation ambiguity, each OS exhibits a unique network signature.
Glossary
TCP/IP Stack Fingerprinting

What is TCP/IP Stack Fingerprinting?
TCP/IP stack fingerprinting is a passive reconnaissance technique that identifies a remote host's operating system by analyzing subtle, unique variations in its network protocol implementation.
Unlike active scanning, this technique silently observes incoming SYN packets without sending probes, making it invisible to the target. By matching observed parameters against a signature database like p0f, security infrastructure can identify headless Linux scrapers or cloud-based bots attempting to mimic legitimate browser traffic.
Key Characteristics of Passive Fingerprinting
Passive fingerprinting identifies a remote operating system by silently observing subtle, unique variations in the TCP/IP stack implementation without sending any probe packets to the target host.
Initial Window Size
The TCP receive window size advertised in the initial SYN or SYN-ACK packet is a highly distinctive fingerprinting vector. Different operating systems use different default values:
- Linux (kernel 2.6+): 5840 bytes
- Windows 10/11: 65535 bytes (with scaling)
- macOS: 65535 bytes
- FreeBSD: 65535 bytes
This value is set by the kernel at compile time and is rarely modified by applications, making it a reliable passive signature even when other TCP options are normalized.
Time to Live (TTL) Analysis
The IP TTL field reveals the initial hop limit set by the sending OS, which decrements by one per router hop. By measuring the TTL of received packets and estimating the hop distance, you can infer the original value:
- Linux/Unix: Initial TTL of 64
- Windows: Initial TTL of 128
- Cisco IOS: Initial TTL of 255
- Solaris: Initial TTL of 255
A packet arriving with TTL 52 likely originated from a Linux host ~12 hops away. This passive metric requires no interaction and works even through NAT gateways.
TCP Option Ordering
The sequence and presence of TCP options in SYN packets form a unique OS signature. Each operating system arranges options like Maximum Segment Size (MSS), Window Scaling, Selective Acknowledgments (SACK), and Timestamps in a specific order:
- Windows: MSS, NOP, Window Scale, NOP, NOP, SACK Permitted
- Linux: MSS, SACK Permitted, Timestamp, NOP, Window Scale
- macOS/iOS: MSS, SACK Permitted, Timestamp, Window Scale
Even when the same options are present, the ordering byte sequence acts as a passive fingerprint that firewalls rarely normalize.
Don't Fragment (DF) Flag Behavior
The DF bit in the IP header indicates whether a packet may be fragmented in transit. Operating systems exhibit distinct default behaviors:
- Linux: Sets DF bit on most TCP packets by default (enables Path MTU Discovery)
- Windows: Sets DF bit on all outbound TCP segments
- Older Solaris: Often clears DF bit
Observing whether the DF flag is consistently set across a connection provides a passive signal. Combined with the Maximum Segment Size value, this forms part of the p0f fingerprinting signature database.
SYN Packet Retransmission Timing
When a SYN packet is lost, the retransmission timeout (RTO) algorithm and backoff pattern differ by OS. By passively observing retransmitted SYN intervals, you can fingerprint the stack:
- Linux: Uses a fine-grained timer with exponential backoff starting at ~1 second
- Windows: Initial RTO of 3 seconds, then exponential backoff
- BSD variants: Typically start at 3 seconds with a different multiplier
This passive timing analysis requires no active probing and works against hosts that never complete the TCP handshake, making it valuable for identifying scanners and scrapers.
Passive Fingerprinting Tools
Several mature tools implement passive TCP/IP stack fingerprinting for network defense and bot detection:
- p0f: The de facto standard passive OS fingerprinting tool using SYN packet signatures; maintains a comprehensive fingerprint database
- Ettercap: Includes passive fingerprinting as part of its network analysis suite
- NetworkMiner: A network forensics tool that extracts OS metadata from captured PCAP files
- Zeek (formerly Bro): Network security monitor with passive fingerprinting plugins
These tools analyze the same TCP header fields—TTL, window size, option order, and flags—to identify connecting hosts without generating traffic.
Passive vs. Active Fingerprinting
Comparison of passive observation techniques versus active probing methods for identifying the operating system and software stack of connecting clients.
| Feature | Passive Fingerprinting | Active Fingerprinting |
|---|---|---|
Detection Mechanism | Observes existing traffic without interaction | Sends crafted probe packets to elicit responses |
Network Footprint | Zero additional packets generated | Generates probe traffic to target host |
Detectability | Undetectable by target | Easily detected by IDS/IPS systems |
Real-time Analysis | ||
Works on Stale Captures | ||
Accuracy Rate | 85-92% | 95-99% |
Requires Bidirectional Traffic | ||
Firewall Evasion | High | Low |
Frequently Asked Questions
Explore the technical nuances of passive OS detection through TCP/IP stack analysis, a critical technique for identifying and mitigating unauthorized scraping infrastructure.
TCP/IP stack fingerprinting is a passive network reconnaissance technique that identifies a remote host's operating system by analyzing subtle, unique variations in its TCP/IP implementation. Unlike active scanning, it does not send probes but silently observes incoming packets. The technique works by extracting specific values from TCP and IP headers—such as the Initial Time-to-Live (TTL), TCP Window Size, Don't Fragment (DF) bit, and TCP Options (like Maximum Segment Size, Window Scaling, and Selective Acknowledgments). Each operating system has a default set of these parameters, forming a unique signature. For example, a Linux kernel might default to a TTL of 64 and a window size of 29200, while a Windows Server might use a TTL of 128 and a window size of 65535. Tools like p0f compare these observed values against a signature database to determine the OS, enabling security engineers to identify headless scraping bots running on Linux servers in a data center.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
TCP/IP stack fingerprinting is one component of a broader passive reconnaissance toolkit. These related techniques combine to form a robust bot identification and mitigation strategy.
Browser Fingerprinting
A stateless identification method that combines unique device attributes to generate a stable, persistent identifier. Techniques include:
- Canvas fingerprinting: Rendering a hidden image to detect GPU/driver variations
- WebGL fingerprinting: Probing the graphics stack for vendor-specific quirks
- Font enumeration: Detecting the set of installed system fonts
- AudioContext fingerprinting: Analyzing subtle audio processing differences These signals are combined into a hash that persists across incognito modes and cookie clearing.
Headless Browser Detection
Identifies automated browsing environments like Puppeteer, Playwright, and Selenium by probing for missing browser features and automation artifacts. Detection methods include:
- Checking
navigator.webdriverproperty (set totruein automated modes) - Analyzing JavaScript engine inconsistencies in headless vs. headed modes
- Detecting missing plugin arrays or mime types
- Probing for rendering artifacts absent in user-driven browsers
- Monitoring for zero-millisecond interaction delays impossible for humans
Behavioral Biometrics
Analyzes human interaction patterns to differentiate organic behavior from scripted automation. Key signals include:
- Mouse movement trajectories: Natural ballistic curves vs. linear paths
- Keystroke dynamics: Variable inter-key delays vs. uniform typing speed
- Touch pressure and gesture patterns: Inconsistent pressure vs. uniform taps
- Scroll behavior: Variable acceleration vs. programmatic instant scrolling These passive signals are collected client-side and analyzed by machine learning models to assign a human probability score to each session.
Honeypot Traps
A defensive mechanism that embeds elements invisible to human users but discoverable by automated parsers. Common implementations include:
- Hidden links with
display: noneorvisibility: hiddenCSS - Invisible form fields placed off-screen via absolute positioning
- Decoy pagination links that only bots follow
- Honeytoken data seeded in HTML comments Any client that interacts with these traps is programmatically flagged as a bot, as human users cannot see or click them.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us