Introduction
TCP/IP fingerprinting identifies your operating system by analyzing low-level network packet characteristics. Unlike User-Agent strings which are trivially spoofed, TCP parameters are set by the OS kernel and are much harder to fake.
How TCP/IP Fingerprinting Works
When your computer initiates a TCP connection (SYN packet), the packet header contains several OS-dependent values:
- TTL (Time-To-Live): Windows starts at 128, Linux and macOS at 64, and some network gear at 255. Every router on the path decrements it, so the value that arrives is lower than the initial one; a fingerprinter rounds up to the nearest common initial value (32, 64, 128, 255) to recover the OS family, and the difference gives a rough hop count.
- Window Size: The initial receive window varies by OS and version. Recent Windows builds commonly advertise 64240 or 65535, while Linux's default has changed across kernel versions (for example 29200 on many 3.x/4.x kernels and 64240 on 5.x), so the window narrows down the version, not just the family. p0f writes it as a multiple of the MSS when it is one (64240 = 44 × 1460).
- MSS (Maximum Segment Size): Usually 1460 for IPv4 over Ethernet (a 1500-byte MTU minus 20 bytes of IP and 20 bytes of TCP header), 1440 for IPv6. Values below that mean something on the path has a smaller MTU: often a VPN or tunnel, but also PPPoE (1452) or some mobile links.
- TCP Options: The order, combination, and values of TCP options (SACK, timestamps, window scaling, NOP) differ significantly between operating systems.
- Don't Fragment (DF) flag: Most modern OSes set DF on SYNs so that path MTU discovery works. On its own it says little, but combined with the other parameters it helps separate stacks, and p0f records it as a quirk.
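To make the fields above concrete, here is an added example (not PrivKit's Go implementation, and not p0f's code) that parses a raw IPv4 packet carrying a TCP SYN, pulls out the TTL, DF flag, window, MSS, window scale and option order, infers the initial TTL, and prints a simplified p0f-v3-style signature line. The two packets are constructed inline for the example (a Linux-style and a Windows-style option layout, a dozen hops away), and the signature format is a simplified version of p0f's, not the exact one its database uses.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# TCP option kinds -> short names used in p0f's option-layout field
TCP_OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}


@dataclass
class SynFingerprint:
    ttl_observed: int      # TTL as it arrived (already decremented per hop)
    ttl_initial: int       # inferred initial TTL (32/64/128/255)
    df: bool               # IPv4 Don't Fragment flag
    window: int            # advertised receive window in the SYN
    mss: Optional[int]     # MSS option value, if present
    wscale: Optional[int]  # window-scale shift, if present
    options: List[str]     # option names in on-the-wire order

    @property
    def hops(self) -> int:
        return self.ttl_initial - self.ttl_observed

    def signature(self) -> str:
        """Simplified p0f-v3-style line: ver:ittl+hops:olen:mss:wsize,scale:olayout:quirks."""
        # p0f writes the window as a multiple of MSS when it is one (64240 = mss*44)
        if self.mss and self.window % self.mss == 0:
            wsize = f"mss*{self.window // self.mss}"
        else:
            wsize = str(self.window)
        scale = "*" if self.wscale is None else str(self.wscale)
        return ":".join(["4", f"{self.ttl_initial}+{self.hops}", "0",
                         "*" if self.mss is None else str(self.mss),
                         f"{wsize},{scale}", ",".join(self.options),
                         "df" if self.df else ""])


def guess_initial_ttl(ttl: int) -> int:
    """Routers decrement TTL per hop, so round up to the next common initial value."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def parse_syn(pkt: bytes) -> SynFingerprint:
    """Extract the fingerprint fields from a raw IPv4 packet carrying a TCP SYN."""
    if pkt[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled here")
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x12) != 0x02:            # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:data_off]
    names: List[str] = []
    mss = wscale = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # end of option list
            names.append("eol")
            break
        if kind == 1:                        # single-byte NOP padding
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")   # truncated or hostile option list
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", data)[0]
        elif kind == 3 and length == 3:
            wscale = data[0]
        names.append(TCP_OPT_NAMES.get(kind, f"?{kind}"))
        i += length
    return SynFingerprint(ttl, guess_initial_ttl(ttl), bool(flags_frag & 0x4000),
                          window, mss, wscale, names)


def build_syn(ttl: int, df: bool, window: int, opts: bytes) -> bytes:
    """Constructed sample packet (not a capture): IPv4 header + TCP SYN with the given fields."""
    opts += b"\x00" * ((-len(opts)) % 4)    # pad options to a 32-bit boundary
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (tcp_len // 4) << 4, 0x02,
                      window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
    return ip + tcp


# Constructed SYNs: a Linux-style layout (mss,sok,ts,nop,ws) seen 12 hops away and a
# Windows-style layout (mss,nop,ws,nop,nop,sok) seen 11 hops away, both with window 64240.
LINUX_SYN = build_syn(52, True, 64240,
                      b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00\x00\x00\x01"
                      + b"\x00" * 4 + b"\x01" + b"\x03\x03\x07")
WINDOWS_SYN = build_syn(117, True, 64240,
                        b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02")

if __name__ == "__main__":
    for pkt in (LINUX_SYN, WINDOWS_SYN):
        print(parse_syn(pkt).signature())
```

Running it prints `4:64+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df` for the Linux-style packet and `4:128+11:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df` for the Windows-style one: same MSS and window, but the TTL and the option order alone are enough to tell the stacks apart. The option loop rejects truncated or oversized option lengths, which matters when the input comes straight off the wire from untrusted hosts.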
p0f — Passive OS Fingerprinting
p0f, written by Michal Zalewski, is the best-known passive fingerprinting tool. It maintains a database of OS signatures based on SYN packet characteristics. PrivKit uses a custom Go implementation that matches against the p0f signature database.
Key advantages of passive fingerprinting:
- Requires no JavaScript: the signature is taken from the first packet of the TCP handshake, before any HTTP is exchanged
- Cannot be blocked by browser extensions
- Works through VPNs: the tunnel carries your kernel's own packets, so the server still sees your SYN (plus the reduced MSS the tunnel imposes)
- Zero performance impact on the target
One caveat: the fingerprint describes whichever host actually opened the TCP connection. Through a TCP-terminating proxy (SOCKS or HTTP), a CDN edge, or a Tor exit, the server fingerprints that intermediary's stack, not yours.
VPN Detection via MTU Analysis
VPN tunnels add overhead to each packet (the outer IP and UDP headers plus the tunnel's own header and authentication tag). The tunnel interface is therefore configured with a smaller MTU, and the kernel advertises a correspondingly smaller MSS (tunnel MTU minus 40 bytes of IPv4 and TCP headers) in every SYN sent through it:
- Normal Ethernet: MSS = 1460 (MTU 1500)
- WireGuard: MSS ≈ 1380 (default MTU 1420)
- OpenVPN: MSS ≈ 1370-1390 (depends on the configured tun-mtu and mssfix)
- IPsec: MSS ≈ 1350-1400 (depends on cipher and encapsulation)
By detecting an MSS significantly below 1460, servers can infer that a user is probably connecting through a VPN, even without seeing the encrypted tunnel itself. It is a heuristic rather than proof: PPPoE/DSL links (MSS 1452), some mobile and satellite networks, and IPv6 paths (MSS 1440) all reduce the MSS without any VPN, and a VPN running over an underlying link with a larger MTU shows no reduction at all.
OS Mismatch Detection
One of the most powerful uses of TCP fingerprinting is cross-referencing it with the browser's User-Agent string. If the UA claims "Windows 10" but the TCP fingerprint matches Linux, the user is likely spoofing their User-Agent, a common indicator of bots or privacy tools. The comparison has to be made at the OS-family level (an Android UA and a Linux SYN are consistent, as are iOS and macOS, which share a stack), and a mismatch can also mean the connection passed through a proxy or CDN that opened its own TCP connection.
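The following added example (not PrivKit's own detection code) shows the two checks from the last two sections side by side: matching a SYN's initial TTL and option layout against a small signature table to get an OS family, reading tunnel overhead off the MSS with the non-VPN causes handled, and comparing the result with the family the User-Agent claims. The signature table is a deliberately tiny subset of the layouts p0f knows (the layouts listed follow p0f's well-known entries, but the table, the `mtu_hint` labels and the MSS thresholds are this example's own simplification), and the inputs are the features a SYN parser would have already extracted.

```python
import re
from typing import Dict, List, Optional, Tuple

# Toy subset of SYN signatures, (initial TTL, option layout) -> OS family.
# Layouts follow the well-known p0f entries for each stack; a real database
# has far more rows and also matches window size, MSS and quirks.
SYN_SIGNATURES: List[Tuple[int, Tuple[str, ...], str]] = [
    (64,  ("mss", "sok", "ts", "nop", "ws"),                      "Linux"),
    (128, ("mss", "nop", "ws", "nop", "nop", "sok"),              "Windows"),
    (64,  ("mss", "nop", "ws", "nop", "nop", "ts", "sok", "eol"), "macOS/iOS"),
    (64,  ("mss", "nop", "ws", "sok", "ts"),                      "FreeBSD"),
]

# OS family claimed by the User-Agent. Families deliberately mirror the TCP
# table: Android and Chrome OS run a Linux stack, iOS shares its stack with macOS.
UA_FAMILIES: List[Tuple["re.Pattern", str]] = [
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"iPhone|iPad|Mac OS X"), "macOS/iOS"),
    (re.compile(r"Android|CrOS|Linux"), "Linux"),
    (re.compile(r"FreeBSD"), "FreeBSD"),
]


def classify_os(ttl_initial: int, options: List[str]) -> str:
    """Match the SYN against the signature table; unknown layouts stay unknown."""
    for ittl, layout, family in SYN_SIGNATURES:
        if ittl == ttl_initial and tuple(options) == layout:
            return family
    return "unknown"


def ua_os_family(user_agent: str) -> str:
    for pattern, family in UA_FAMILIES:
        if pattern.search(user_agent):
            return family
    return "unknown"


def mtu_hint(mss: Optional[int], ip_version: int = 4) -> Tuple[str, int]:
    """Infer path overhead from the MSS: (label, bytes below a full-size MSS)."""
    full = 1460 if ip_version == 4 else 1440   # 1500-byte MTU minus 40 (IPv4) or 60 (IPv6)
    if mss is None:
        return ("unknown", 0)
    overhead = full - mss
    if overhead <= 0:
        return ("full-mtu", 0)
    if mss == 1452:                            # 8 bytes: classic PPPoE/DSL, no VPN needed
        return ("pppoe-or-dsl", overhead)
    if 1350 <= mss <= 1400:                    # 60-110 bytes: WireGuard/OpenVPN/IPsec range
        return ("vpn-likely", overhead)
    return ("reduced-mtu", overhead)           # something smaller on the path; can't say what


def check_consistency(ttl_initial: int, options: List[str], mss: Optional[int],
                      user_agent: str) -> Dict[str, object]:
    """Combine the three signals into one verdict for a connection."""
    tcp_os = classify_os(ttl_initial, options)
    ua_os = ua_os_family(user_agent)
    path, overhead = mtu_hint(mss)
    return {
        "tcp_os": tcp_os,
        "ua_os": ua_os,
        # Only flag when both sides are confidently known: an unrecognised stack is
        # not evidence of spoofing, and a proxy or CDN in the path looks like a mismatch too.
        "ua_mismatch": "unknown" not in (tcp_os, ua_os) and tcp_os != ua_os,
        "path": path,
        "mss_overhead": overhead,
    }


if __name__ == "__main__":
    # Constructed case: a Linux SYN arriving with a WireGuard-sized MSS, claiming to be Windows
    print(check_consistency(64, ["mss", "sok", "ts", "nop", "ws"], 1380,
                            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"))
```

For the constructed case the verdict is `tcp_os` Linux, `ua_os` Windows, `ua_mismatch` True, `path` vpn-likely with 80 bytes of overhead. The mismatch is only raised when both classifications succeed, and the MSS check returns a separate label for the PPPoE case, so a DSL user is not reported as a VPN user.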
Mitigation
TCP fingerprinting is difficult to prevent because the values are set by the OS kernel, not by the browser:
- Tor: the exit relay opens the TCP connection to the server, so the server fingerprints the exit's stack (typically Linux) rather than your machine
- Custom kernel tuning: on Linux, net.ipv4.ip_default_ttl changes the initial TTL, net.ipv4.tcp_rmem affects the initial window, and net.ipv4.tcp_timestamps, net.ipv4.tcp_sack and net.ipv4.tcp_window_scaling remove options from the SYN. The option order itself is compiled into the stack, so this produces an unusual signature rather than a convincing imitation of another OS. A router can also rewrite the TTL on the way out (the iptables mangle TTL target, or nftables ip ttl set)
- Consistent UA: Ensure your User-Agent matches the OS your TCP stack reveals, rather than spoofing it to a different family
Check Your TCP Fingerprint
Run a Full Privacy Scan on PrivKit to see your TCP/IP fingerprint, detected OS, and whether it matches your User-Agent. We also detect VPN usage from MTU analysis.