Tenable Nessus Network Monitor Fingerprinting

Tenable uses a hybrid approach to operating system fingerprinting. Primarily, plugins are used to detect and identify the OS of a host. If this is not possible, Tenable Nessus Network Monitor uses detected packets to identify the OS.

Tenable Nessus Network Monitor has the ability to guess the operating system of a host by looking at the packets it generates. Specific combinations of TCP packet entries, such as the window size and initial time-to-live (TTL) values, allow Tenable Nessus Network Monitor to predict the operating system generating the traffic.

These unique TCP values are present when a server makes or responds to a TCP request. All TCP traffic is initiated with a “SYN” packet. If the server accepts the connection, it sends a response known as a “SYN-ACK” packet. If the server cannot or will not communicate, it sends a reset (RST) packet. When a server sends a “SYN” packet, Tenable Nessus Network Monitor applies these list of operating system fingerprints and attempts to determine the operating system type.