Tenable uses a hybrid approach to operating system fingerprinting. Primarily, plugins are used to detect and identify the OS of a host. If this is not possible, NNM uses detected packets to identify the OS.
NNM has the ability to guess the operating system of a host by looking at the packets it generates. Specific combinations of TCP packet entries, such as the window size and initial time-to-live (TTL) values, allow NNM to predict the operating system generating the traffic.
These unique TCP values are present when a server makes or responds to a TCP request. All TCP traffic is initiated with a “SYN” packet. If the server accepts the connection, it sends a response known as a “SYN-ACK” packet. If the server cannot or will not communicate, it sends a reset (RST) packet. When a server sends a “SYN” packet, NNM applies this list of operating system fingerprints and attempts to determine the operating system type.
Tenable Network Security has permission to re-distribute the passive operating system fingerprints from the author of the SinFP open source project.
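
The following is an added example, not code from NNM or SinFP, showing how a passive sensor can turn the window size and TTL of an observed SYN or SYN-ACK into an OS guess. The signature table, function names and sample packets are constructed for illustration, and treating only packets with the SYN flag set as fingerprintable is an assumption of this sketch.

```python
import struct

# Constructed sample signatures: (initial TTL, TCP window size) -> label.
# Illustrative values only; not NNM's or SinFP's fingerprint data.
SIGNATURES = {
    (64, 29200): "Linux-like (sample)",
    (128, 8192): "Windows-like (sample)",
    (255, 4128): "network-device-like (sample)",
}

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value;
    every router hop between sender and sensor decrements it by one."""
    return next(start for start in (32, 64, 128, 255) if observed <= start)

def parse_tcp(packet):
    """Return TTL, window size and SYN flag from a raw IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("no complete TCP header")
    (window,) = struct.unpack_from("!H", packet, ihl + 14)
    return {"ttl": packet[8], "window": window,
            "syn": bool(packet[ihl + 13] & 0x02)}

def guess_os(packet):
    """Match a SYN or SYN-ACK against the sample table; None for other packets."""
    fields = parse_tcp(packet)
    if not fields["syn"]:
        return None                        # e.g. RST: not fingerprinted here
    key = (initial_ttl(fields["ttl"]), fields["window"])
    return SIGNATURES.get(key, "unknown")

def build_sample(ttl, window, flags):
    """Build a constructed 40-byte IPv4+TCP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHLLBBHHH", 49152, 443, 0, 0, 5 << 4, flags,
                      window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    print(guess_os(build_sample(57, 29200, 0x02)))   # SYN seen 7 hops away
    print(guess_os(build_sample(120, 8192, 0x12)))   # SYN-ACK seen 8 hops away
    print(guess_os(build_sample(250, 4128, 0x04)))   # RST
```

Because the TTL is rounded up rather than matched exactly, the same signature matches regardless of how many hops separate the sensor from the host, as long as the path is shorter than the gap between adjacent initial values.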