Tech Q: Possible to Know Type of OS By Length of IP Header or Datagram?

This is kind of nerd-ish, but I heard somewhere that if one examines the packets in network traffic with some type of network “sniffer” that you can tell what kind of operating system (Windows, Unix, etc.) the message came from.

I haven’t heard this before, and I’ve done a lot of Googling for IP header lengths and/or datagram lengths, but can’t find any references that say this value = this operating system.
Any network gurus here know anything about this?

nmap does this, but not by analyzing traffic per se; rather, by connecting to any open ports and seeing what services are running, what they return, and creating a fingerprint. So, you can port scan a server and figure out what it might be.

As far as analyzing traffic via a passive method, that’s probably possible, but I don’t know a turnkey solution. You can probably run Wireshark and look at the traffic. If you see SMB/CIFS then you can figure out it’s probably Samba on a Unix/Linux or SMB on Windows. If you run some labs analyzing their handshake you can probably figure out which one is which.

HTTP is similar. The server returns headers stating what OS it is and/or what languages it supports. I’m not sure if the web client asking for HTTP headers is typical in an HTTP transaction, but the info is there.

You look at the randomisation in the TCP sequence numbers amongst other things. I’m sure if you google nmap to find the homepage they will explain how they do OS detection.

ETA: BTW the fields in an IP datagram are fixed size essentially so they will be the same regardless of the originating device.

The obvious one is that various O/S’s - Windows - announce themselves periodically with broadcasts. If Windows gets into a browser election - that was essentially described by one tech with a sense of humor as the various Windows machines standing around and whipping it out, laying it on the table and seeing whose is bigger: newer OS trumps older, server trumps workstation, Domain Controller trumps regular server, and the longest-running domain controller wins. The master browser keeps the list of what Windows machines are on the network.

When an HTTP request is made, various information is sent - like browser type - IE, Firefox, Safari, etc. - version - various add-ins and their versions, to correctly receive what they need to render the website. One security warning was that this level of detail on your PC was sufficient to uniquely identify many PCs - almost like DNA, the odds of two PCs having the exact same SW was pretty low.

If the OP literally means only looking at the IP header and length of datagrams, that won’t tell you what those datagrams contain, be it HTTP inside TCP, Windows-style CIFS stuff, or whatever, apart from what protocol it is, e.g. TCP. It won’t tell you anything about TCP or UDP ports etc.

But I suppose it might be possible that certain types of higher-level traffic tend to produce IP datagrams of a certain length. That would be a neat way of identifying probable upper-level traffic, if it is possible.

If we’re allowed to look at the contents of the datagrams, then yes, big clues there.
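An added example, not code from the thread, that makes the two points above concrete: it decodes the fixed-size IPv4 header from constructed packet bytes (not a capture) and shows that the header length is 20 bytes for every sender unless IP options are present, and that the IP header alone reveals only the protocol number; the TTL, DF flag, TCP sequence number and window it also pulls out are the kind of per-sender fields a passive fingerprinter would compare. Addresses, ports and payloads are made up for the demo.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

@dataclass
class HeaderFacts:
    ihl_bytes: int        # IP header length: 20 unless IP options are present
    total_length: int     # whole datagram, header plus payload
    protocol: str         # all the IP header says about what is carried inside
    ttl: int
    dont_fragment: bool
    tcp_seq: Optional[int] = None
    tcp_window: Optional[int] = None

def parse_ipv4(pkt: bytes) -> HeaderFacts:
    """Decode the fixed 20-byte IPv4 header, then a few TCP fields if protocol is 6."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total, _id, flags_frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # IHL is in 32-bit words
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    facts = HeaderFacts(ihl, total, PROTO_NAMES.get(proto, str(proto)),
                        ttl, bool(flags_frag & 0x4000))
    if proto == 6 and len(pkt) >= ihl + 20:   # TCP: seq, ack, offset/flags, window
        facts.tcp_seq, _ack, _off, facts.tcp_window = struct.unpack("!IIHH", pkt[ihl + 4:ihl + 16])
    return facts

def build_sample(ttl, df, seq, window, payload, options=b""):
    """Constructed IPv4+TCP SYN packet for the demo; not a real capture."""
    ihl_words = 5 + len(options) // 4
    tcp = struct.pack("!HHIIHH", 40000, 80, seq, 0, (5 << 12) | 0x02, window) + b"\0" * 4 + payload
    total = ihl_words * 4 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 1,
                     0x4000 if df else 0, ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + options + tcp

# Two constructed senders with identical IHL that differ only in TTL, DF and window,
# plus one packet carrying four NOP options, the only thing that changes IHL.
SAMPLES = {
    "sender_a": build_sample(64, True, 0x1A2B3C4D, 29200, b"GET / HTTP/1.1\r\n"),
    "sender_b": build_sample(128, True, 0x0F0F0F0F, 8192, b"GET / HTTP/1.1\r\n"),
    "with_opts": build_sample(64, False, 7, 1024, b"", options=b"\x01\x01\x01\x01"),
}

def summarize():
    return {name: parse_ipv4(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, facts in summarize().items():
        print(name, facts)
```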

Thanks for the information, all! I learned some interesting stuff today.

Think I will go and check out the nmap site, too. Might have some more interesting things I half-understand. :)

In case you haven’t found it, here is a direct link to the nmap page on OS detection.

Thanks! First chance I’ve had to find it (that kind of stuff is blocked at work), and here you have saved me the work.

I appreciate your consideration. Many thanks…and on first glance there, I think this Nmap sniffer is probably just what I was hearing (or mishearing) about. It’s interesting and I’m going to go now and go through it.