Internet Security Systems

Fingerprinting

Several scanners are capable of operating system fingerprinting. They send unusual packets to the system in order to gauge how it responds. It is the network equivalent of asking "Sprechen Sie Deutsch?" in order to "fingerprint" the language somebody speaks.

Some methods for active fingerprinting are:

ICMP
Anthony Osborne published a paper in August 1998 on fingerprinting systems by their response to ICMP packets. ICMP packets are special control messages that don't contain normal data.
TCP options
nmap will fingerprint according to options in TCP headers.
TCP flags
queso will fingerprint according to flags in TCP headers.
TCP ports
sscan will fingerprint according to simple packets sent to ports 1-5.
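
A detection-side sketch for the TCP flags and TCP ports entries above. It is an added example, not code from the original page or from any of the tools named: it parses raw IPv4/TCP headers and reports sources that send segments a normal conversation would not contain. The flag rules, function names and sample packets are assumptions chosen for illustration, not the signatures of a particular scanner; only the port range 1-5 comes from the page.

```python
import struct
from collections import defaultdict
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits

def parse_ipv4_tcp(pkt):
    """Return (source IP, destination port, TCP flags), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 20:    # malformed or truncated headers
        return None
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return ".".join(map(str, pkt[12:16])), dport, pkt[ihl + 13] & 0x3F

def probe_reasons(dport, flags):
    """Reasons a TCP segment does not look like part of a normal conversation."""
    reasons = []
    if flags == 0:
        reasons.append("no flags set")
    if flags & SYN and flags & (FIN | RST):
        reasons.append("SYN combined with FIN or RST")
    if flags and not flags & (SYN | RST | ACK):
        reasons.append("FIN/PSH/URG without ACK")
    if 1 <= dport <= 5:                    # the port range the page gives for sscan
        reasons.append("destination port 1-5")
    return reasons

def suspects(packets):
    """Map each source address to the set of probe reasons seen from it."""
    seen = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed:
            seen[parsed[0]].update(probe_reasons(parsed[1], parsed[2]))
    return {src: why for src, why in seen.items() if why}

def build(src, dport, flags):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes([192, 0, 2, 10]))
    return ip + struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)

# Constructed traffic: one ordinary client and one source sending odd segments.
SAMPLE = [build("198.51.100.7", 80, SYN), build("198.51.100.7", 80, ACK | PSH),
          build("203.0.113.9", 80, SYN | FIN), build("203.0.113.9", 3, SYN),
          build("203.0.113.9", 80, 0), build("203.0.113.9", 80, FIN | PSH | URG)]
if __name__ == "__main__":
    for src, why in suspects(SAMPLE).items():
        print(src, sorted(why))
```

Several distinct reasons from one source within a short window is a stronger signal than any single odd segment.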

Similar to active fingerprinting, passive fingerprinting is based on the principle that every operating system's IP stack has its own idiosyncrasies:
