This going to be key enough information for TCP/IP learner.
TCP has a random seq number that need exist in each of it's packet. Each OS has it's own way to come up with this "Random" number. this leave us space to Detect . "fingerPrinting" which OS is packets been sent from. Each packet transfer on internet are content of either TCP or UDP or ICMP, for user. for routing purpose, there are other like BGP/RIP those work above Layer 2 and below application layer. when our data are transfered from end to end, anything below Layer 2 could be changed by switch or router, but unlikely layer 3 's content be altered. so this leave us some space to use to different purpose. TCP fingerPrinting is one of them.
The purpose of TCP fingureprinting is to identify the operation system of a device. about why you need to know this information is another story, we can talk later. in this topic, we only talk about why this technology work.
We need to read some text before give details. as usual :)
The TCP must recover from data that is damaged, lost, duplicated, or
delivered out of order by the internet communication system. This
is achieved by assigning a sequence number to each octet
transmitted, and requiring a positive acknowledgment (ACK) from the
receiving TCP. If the ACK is not received within a timeout
interval, the data is retransmitted. At the receiver, the sequence
numbers are used to correctly order segments that may be received
out of order and to eliminate duplicates. Damage is handled by
adding a checksum to each segment transmitted, checking it at the
receiver, and discarding damaged segments
Since connections must be established between unreliable hosts and
over the unreliable internet communication system, a handshake
mechanism with clock-based sequence numbers is used to avoid
erroneous initialization of connections.
Notice the line with bold font ? two key information here 1. Each TCP packet have to have a SEQ number. 2. this SEQ number generated by OS, not by application, not by hardware, not by user, it is "suggested" to be "clock-based". this is interesting. because we know for sure, each OS have their own way to generate TIME and Random. when you gather enough packet from one end , you can match the logic of the packet's SEQ to how it is generated. and this lead to OS detection.
SO it is "SEQ"------"Gather packet" ---- OS detection.
TRANSMISSION CONTROL PROTOCOL http://www.ietf.org/rfc/rfc793.txt