drop a pcap file · reconstruct the operating system of every host from tcp/ip stack behavior · ttl values · window sizes · tcp options ordering · ip flag patterns · no active probing · identify os from existing captured traffic · runs locally
SYN packets only · p0f-style TTL + window + TCP options
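
Added example (not the tool's own code): pulling the fields named above (TTL, DF flag, window size, TCP options order) out of a single IPv4 SYN in Python. The sample packet is constructed, and rounding the observed TTL up to 32/64/128/255 is an assumed heuristic; matching the result to an OS needs a signature database, which is not included here.

```python
import struct

# Constructed sample: IPv4 + TCP SYN, 192.0.2.10 -> 198.51.100.5:443 (checksums zeroed).
SAMPLE_SYN = bytes.fromhex(
    "4500003c1c46400039060000c000020ac6336405"   # IPv4: DF set, TTL 57, proto TCP
    "c35001bb0000000100000000a002faf000000000"   # TCP: SYN, window 64240
    "020405b40402080a000000010000000001030307"   # options: MSS, SACK-perm, TS, NOP, WS
)
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def syn_signature(pkt: bytes):
    """Return fingerprint fields for an IPv4 TCP SYN, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack_from("!HBB", pkt, 6)
    if proto != 6 or ihl < 20 or len(pkt) < ihl + 20:
        return None
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02 or doff < 20 or len(tcp) < doff:  # SYN set, ACK clear
        return None
    sig = {"ttl": ttl, "df": bool(flags_frag & 0x4000), "mss": None, "wscale": None,
           "window": struct.unpack_from("!H", tcp, 14)[0], "layout": []}
    # Assumption: senders start at 32/64/128/255, so round the observed TTL up.
    sig["initial_ttl"] = next(t for t in (32, 64, 128, 255) if ttl <= t)
    sig["hops"] = sig["initial_ttl"] - ttl
    opts, i = tcp[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        sig["layout"].append(OPT_NAMES.get(kind, f"?{kind}"))
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            sig["layout"][-1] += "!"   # malformed length: flag it and stop parsing
            break
        body = opts[i + 2:i + opts[i + 1]]
        if kind == 2 and len(body) == 2:
            sig["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            sig["wscale"] = body[0]
        i += opts[i + 1]
    sig["layout"] = ",".join(sig["layout"])
    return sig
if __name__ == "__main__":
    print(syn_signature(SAMPLE_SYN))
```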