TOC & Recently Viewed

Recently Viewed Topics

NNM Fingerprinting

Tenable uses a hybrid approach to operating system fingerprinting. Primarily, plugins are used to detect and identify the OS of a host. If this is not possible, NNM uses detected packets to identify the OS.

NNM has the ability to guess the operating system of a host by looking at the packets it generates. Specific combinations of TCP packet entries, such as the window size and initial time-to-live (TTL) values, allow NNM to predict the operating system generating the traffic.

These unique TCP values are present when a server makes or responds to a TCP request. All TCP traffic is initiated with a “SYN” packet. If the server accepts the connection, it sends a response known as a “SYN-ACK” packet. If the server cannot or will not communicate, it sends a reset (RST) packet. When a server sends a “SYN” packet, NNM applies these list of operating system fingerprints and attempts to determine the operating system type.

Tenable Network Security has permission to re-distribute the passive operating fingerprints from the author of SinFP open source project.

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable,, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.., Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.