> OS passive fingerprinting is typically done with ICMP type 8's as well
> as TCP SYN packets. It's possible to do it with SYN/ACKs, but it's not
> easy.

Read the documentation about xprobe2. It describes the techniques used by this modular OS fingerprinting scanner.

http://www.sys-security.com/html/projects/X.html

The most often used characteristics are explained in the documentation of the configuration file of xprobe2, including the TTL of ICMP issued by UDP packets sent to closed ports, invalid checksum in older *BSD, the amount of data echoed back in ICMP errors, echoing of flags in various headers, etc.

Regards,
Maciej
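The following is an added example, not part of the original message and not xprobe2 code. It parses an ICMP port-unreachable reply and extracts three of the characteristics listed above (reply TTL, amount of data echoed back, validity of the echoed IP header checksum). The packets, addresses, ports and function names are constructed for illustration.

```python
import struct

SRC, DST = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])  # constructed addresses

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data must have even length)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(proto: int, ttl: int, src: bytes, dst: bytes, payload: bytes) -> bytes:
    """IPv4 header without options, valid header checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def build_port_unreachable(reply_ttl: int, quoted: bytes) -> bytes:
    """ICMP type 3 / code 3 carrying `quoted`, sent from DST back to SRC."""
    body = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4(1, reply_ttl, DST, SRC, body)

def icmp_error_traits(packet: bytes) -> dict:
    """Pull the traits the message lists out of one ICMP port-unreachable reply."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if packet[9] != 1 or len(icmp) < 28 or icmp[:2] != b"\x03\x03":
        raise ValueError("not an ICMP port-unreachable message")
    quoted = icmp[8:]                    # the offending datagram, as echoed back
    q_ihl = (quoted[0] & 0x0F) * 4
    if not 20 <= q_ihl <= len(quoted):
        raise ValueError("truncated or malformed quoted IP header")
    return {
        "reply_ttl": packet[8],
        "echoed_bytes_past_ip_header": len(quoted) - q_ihl,
        "echoed_ip_checksum_valid": inet_checksum(quoted[:q_ihl]) == 0,
    }

# Constructed samples: a 28-byte UDP probe to a closed port, reply A echoing the IP
# header + 8 bytes intact, reply B echoing everything with the header checksum zeroed.
udp = struct.pack("!HHHH", 40000, 32132, 28, 0) + bytes(20)
probe = build_ipv4(17, 64, SRC, DST, udp)
reply_a = build_port_unreachable(255, probe[:28])
reply_b = build_port_unreachable(64, probe[:10] + b"\x00\x00" + probe[12:])

if __name__ == "__main__":
    for name, pkt in (("reply_a", reply_a), ("reply_b", reply_b)):
        print(name, icmp_error_traits(pkt))
```

The two replies differ in all three traits, which is why a monitoring rule that logs these fields per host can tell stacks apart without sending anything itself.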