This going to be key enough information for TCP/IP learner.

TCP has a random seq number that need exist in each of it's packet. Each OS has it's own way to come up with this "Random" number. this leave us space to Detect . "fingerPrinting" which OS is  packets been sent from. Each packet transfer on internet are content of either TCP or UDP or ICMP, for user.  for routing purpose, there are other like BGP/RIP those work above Layer 2 and below application layer.  when our data are transfered from end to end,  anything below Layer 2 could be changed by switch or router, but unlikely layer 3 's content be altered.  so this leave us some space to use to different purpose.  TCP fingerPrinting is one of them.

The purpose of TCP fingureprinting is to identify the operation system of a device.  about why you need to know this information is another story, we can talk later. in this topic, we only talk about why this technology work.

We need to read some text before give details.  as usual :)

Reference:

>>>.Reliability:

The TCP must recover from data that is damaged, lost, duplicated, or

delivered out of order by the internet communication system.  This

is achieved by assigning a sequence number to each octet

transmitted, and requiring a positive acknowledgment (ACK) from the

receiving TCP.  If the ACK is not received within a timeout

interval, the data is retransmitted.  At the receiver, the sequence

numbers are used to correctly order segments that may be received

out of order and to eliminate duplicates.  Damage is handled by

adding a checksum to each segment transmitted, checking it at the

receiver, and discarding damaged segments

Since connections must be established between unreliable hosts and

over the unreliable internet communication system, a handshake

mechanism with clock-based sequence numbers is used to avoid

erroneous initialization of connections.

>>>>>>>>>>>>>>>>>>>

Notice the line with bold font ?  two key information here 1. Each TCP packet have to have a SEQ number.  2. this SEQ number generated by OS, not by application, not by hardware, not by user, it is "suggested" to be "clock-based".   this is interesting.   because we know for sure, each OS have their own way to generate TIME and Random.   when you gather enough packet from one end , you can match the logic of the packet's SEQ to how it is generated.  and this lead to OS detection.

SO  it is "SEQ"------"Gather packet" ---- OS detection.

Ref: http://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting

TRANSMISSION CONTROL PROTOCOL http://www.ietf.org/rfc/rfc793.txt

http://nmap.org/book/osdetect-methods.html

Tools: Nmap