Inferensys

Glossary

TCP/IP Stack Fingerprinting

A passive OS fingerprinting technique that analyzes subtle variations in TCP header fields, such as initial window size and TTL values, to identify the operating system of a connecting scraper.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
PASSIVE OS DETECTION

What is TCP/IP Stack Fingerprinting?

TCP/IP stack fingerprinting is a passive reconnaissance technique that identifies a remote host's operating system by analyzing subtle, unique variations in its network protocol implementation.

TCP/IP stack fingerprinting is a passive OS detection method that inspects deviations in a host's TCP header fields—such as initial window size, Time to Live (TTL) values, and the Don't Fragment (DF) bit—to identify the underlying operating system. Because RFC specifications allow for implementation ambiguity, each OS exhibits a unique network signature.

Unlike active scanning, this technique silently observes incoming SYN packets without sending probes, making it invisible to the target. By matching observed parameters against a signature database like p0f, security infrastructure can identify headless Linux scrapers or cloud-based bots attempting to mimic legitimate browser traffic.

TCP/IP Stack Analysis

Key Characteristics of Passive Fingerprinting

Passive fingerprinting identifies a remote operating system by silently observing subtle, unique variations in the TCP/IP stack implementation without sending any probe packets to the target host.

01

Initial Window Size

The TCP receive window size advertised in the initial SYN or SYN-ACK packet is a highly distinctive fingerprinting vector. Different operating systems use different default values:

  • Linux (kernel 2.6+): 5840 bytes
  • Windows 10/11: 65535 bytes (with scaling)
  • macOS: 65535 bytes
  • FreeBSD: 65535 bytes

This value is set by the kernel at compile time and is rarely modified by applications, making it a reliable passive signature even when other TCP options are normalized.

02

Time to Live (TTL) Analysis

The IP TTL field reveals the initial hop limit set by the sending OS, which decrements by one per router hop. By measuring the TTL of received packets and estimating the hop distance, you can infer the original value:

  • Linux/Unix: Initial TTL of 64
  • Windows: Initial TTL of 128
  • Cisco IOS: Initial TTL of 255
  • Solaris: Initial TTL of 255

A packet arriving with TTL 52 likely originated from a Linux host ~12 hops away. This passive metric requires no interaction and works even through NAT gateways.

03

TCP Option Ordering

The sequence and presence of TCP options in SYN packets form a unique OS signature. Each operating system arranges options like Maximum Segment Size (MSS), Window Scaling, Selective Acknowledgments (SACK), and Timestamps in a specific order:

  • Windows: MSS, NOP, Window Scale, NOP, NOP, SACK Permitted
  • Linux: MSS, SACK Permitted, Timestamp, NOP, Window Scale
  • macOS/iOS: MSS, SACK Permitted, Timestamp, Window Scale

Even when the same options are present, the ordering byte sequence acts as a passive fingerprint that firewalls rarely normalize.

04

Don't Fragment (DF) Flag Behavior

The DF bit in the IP header indicates whether a packet may be fragmented in transit. Operating systems exhibit distinct default behaviors:

  • Linux: Sets DF bit on most TCP packets by default (enables Path MTU Discovery)
  • Windows: Sets DF bit on all outbound TCP segments
  • Older Solaris: Often clears DF bit

Observing whether the DF flag is consistently set across a connection provides a passive signal. Combined with the Maximum Segment Size value, this forms part of the p0f fingerprinting signature database.

05

SYN Packet Retransmission Timing

When a SYN packet is lost, the retransmission timeout (RTO) algorithm and backoff pattern differ by OS. By passively observing retransmitted SYN intervals, you can fingerprint the stack:

  • Linux: Uses a fine-grained timer with exponential backoff starting at ~1 second
  • Windows: Initial RTO of 3 seconds, then exponential backoff
  • BSD variants: Typically start at 3 seconds with a different multiplier

This passive timing analysis requires no active probing and works against hosts that never complete the TCP handshake, making it valuable for identifying scanners and scrapers.

06

Passive Fingerprinting Tools

Several mature tools implement passive TCP/IP stack fingerprinting for network defense and bot detection:

  • p0f: The de facto standard passive OS fingerprinting tool using SYN packet signatures; maintains a comprehensive fingerprint database
  • Ettercap: Includes passive fingerprinting as part of its network analysis suite
  • NetworkMiner: A network forensics tool that extracts OS metadata from captured PCAP files
  • Zeek (formerly Bro): Network security monitor with passive fingerprinting plugins

These tools analyze the same TCP header fields—TTL, window size, option order, and flags—to identify connecting hosts without generating traffic.

DETECTION METHODOLOGY

Passive vs. Active Fingerprinting

Comparison of passive observation techniques versus active probing methods for identifying the operating system and software stack of connecting clients.

FeaturePassive FingerprintingActive Fingerprinting

Detection Mechanism

Observes existing traffic without interaction

Sends crafted probe packets to elicit responses

Network Footprint

Zero additional packets generated

Generates probe traffic to target host

Detectability

Undetectable by target

Easily detected by IDS/IPS systems

Real-time Analysis

Works on Stale Captures

Accuracy Rate

85-92%

95-99%

Requires Bidirectional Traffic

Firewall Evasion

High

Low

TCP/IP STACK FINGERPRINTING

Frequently Asked Questions

Explore the technical nuances of passive OS detection through TCP/IP stack analysis, a critical technique for identifying and mitigating unauthorized scraping infrastructure.

TCP/IP stack fingerprinting is a passive network reconnaissance technique that identifies a remote host's operating system by analyzing subtle, unique variations in its TCP/IP implementation. Unlike active scanning, it does not send probes but silently observes incoming packets. The technique works by extracting specific values from TCP and IP headers—such as the Initial Time-to-Live (TTL), TCP Window Size, Don't Fragment (DF) bit, and TCP Options (like Maximum Segment Size, Window Scaling, and Selective Acknowledgments). Each operating system has a default set of these parameters, forming a unique signature. For example, a Linux kernel might default to a TTL of 64 and a window size of 29200, while a Windows Server might use a TTL of 128 and a window size of 65535. Tools like p0f compare these observed values against a signature database to determine the OS, enabling security engineers to identify headless scraping bots running on Linux servers in a data center.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.