Communications Research Centre Canada

Passive Operating System Fingerprinting

A tool that has the ability to remotely identify the operating system (OS) version of a target networked device is useful to both network managers and security analysts charged with protecting the network. An operating system identification tool can provide significant contextual information, and is even more valuable if it doesn’t disrupt network traffic and can’t normally be detected.

The Network Security Research Group at the Communications Research Centre (CRC) has developed a series of tests for passively detecting operating systems, and has implemented a prototype software tool as a proof of concept. The tool is called the Multi-packet State-aware Passive Operating system Characterization (M.SPOC). The approach is based on the analysis of packet headers at the data-link, network, and transport layers, so the tool does not rely on access to application data. Over a dozen tests have been developed to analyse the headers of packets seen on a network. The tests are conducted on various types of protocol headers: ARP, IP, ICMP, UDP, and TCP. M.SPOC goes beyond the individual packet analysis commonly used in open source and commercial operating system identification tools. The uniqueness of this approach is in the use of lightweight state-aware mechanisms to derive signatures from multiple packets.
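The sketch below is an added example, not M.SPOC code, showing how a signature can depend on per-host state kept across several packets rather than on one header. The page does not list M.SPOC's tests; the three IPv4 features used here (estimated initial TTL, the DF bit, and IP ID sequence behaviour) and all function names are assumptions chosen for illustration.

```python
import struct
from collections import defaultdict

def parse_ipv4(pkt: bytes):
    """Return (src, ttl, ip_id, df) from the first 20 bytes of a raw IPv4 header."""
    ver_ihl, _tos, _len, ip_id, flags_frag, ttl, _proto, _csum, src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return ".".join(map(str, src)), ttl, ip_id, bool(flags_frag & 0x4000)

def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)

def id_behaviour(ids):
    """Classify an IP ID sequence; a single packet cannot show this trait."""
    if len(ids) < 3:
        return "unknown"
    if all(i == 0 for i in ids):
        return "zero"
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]  # 16-bit wrap
    return "incremental" if all(0 < d < 256 for d in deltas) else "random"

def fingerprint(packets):
    """Keep small per-source state and derive a multi-packet signature."""
    state = defaultdict(lambda: {"ids": [], "ttl": 0, "df": False})
    for pkt in packets:
        src, ttl, ip_id, df = parse_ipv4(pkt)
        st = state[src]
        st["ids"].append(ip_id)
        st["ttl"] = max(st["ttl"], initial_ttl(ttl))
        st["df"] = st["df"] or df
    return {h: (s["ttl"], s["df"], id_behaviour(s["ids"])) for h, s in state.items()}

def make_pkt(src, ttl, ip_id, df):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id,
                       0x4000 if df else 0, ttl, 6, 0,
                       bytes(map(int, src.split("."))), bytes([10, 0, 0, 1]))

# Constructed sample traffic from two hosts, not a real capture.
SAMPLE = ([make_pkt("10.0.0.5", 126, i, True) for i in (65534, 65535, 1, 2)] +
          [make_pkt("10.0.0.9", 61, i, True) for i in (0, 0, 0)])

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
```

The resulting tuples would be matched against a signature database such as the one described below; no OS names are assigned here because the page does not publish its signatures.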

Over 200 versions of operating systems among the most popular OS families were installed and queried methodically in our testbed, and M.SPOC was used to collect and store the signatures observed.
