Nmap launches fragmented packets against a target; this approach is known as active fingerprinting. In contrast, passive fingerprinting uses a sniffer to quietly map a network without sending any packets.
Passive fingerprinting works because TCP/IP flag settings are specific to various operating system stacks. These settings vary from one TCP stack implementation to another and include the following:
Initial TTL (8 bits)
Window size (16 bits)
Maximum segment size (16 bits)
"Don't fragment" flag (1 bit)
sackOK option (1 bit)
nop option (1 bit)
Window scaling option (8 bits)
Initial packet size (16 bits)
When combined, these flag settings provide a unique, 67-bit signature for every system. p0f (http://www.stearns.org/p0f/) is an example of a passive OS fingerprinting tool.
p0f performs passive OS fingerprinting based on information from a remote host when it establishes a connection to your system. This works because incoming packets often contain enough information to determine the source OS. Unlike active scanners such as Nmap, p0f can fingerprint without sending anything to the source host. The real advantage is that the source host (i.e., an attacker) is not aware that you are fingerprinting his machine. So even if he is well firewalled, his outgoing packets can betray the name and version of his OS.
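As an added illustration (not code from this text or from p0f itself), the following Python extracts the eight fields listed above from a raw IPv4/TCP SYN packet and looks the resulting tuple up in a signature table. The packet, the addresses, the option layout and the table entries are all constructed for the example and do not come from p0f's real fingerprint database; checksums are not validated.

```python
import struct

def parse_tcp_options(opts):
    """Walk the TCP option list; pull out MSS, window scale, sackOK and NOP."""
    found = {"mss": 0, "wscale": 0, "sackok": 0, "nop": 0}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                  # EOL: end of options
            break
        if kind == 1:                  # NOP: one byte, no length field
            found["nop"], i = 1, i + 1
            continue
        if i + 1 >= len(opts):         # truncated option header: stop parsing
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # bogus length: stop parsing
            break
        data = opts[i + 2:i + length]
        if kind == 2 and length == 4:  # maximum segment size
            found["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3 and length == 3:  # window scaling
            found["wscale"] = data[0]
        elif kind == 4 and length == 2:  # sackOK
            found["sackok"] = 1
        i += length
    return found

def syn_signature(pkt):
    """Return (TTL, window, MSS, DF, sackOK, NOP, wscale, packet size) from an IPv4+TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    df = 1 if pkt[6] & 0x40 else 0     # "don't fragment" flag in the IP header
    ttl = pkt[8]
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    o = parse_tcp_options(tcp[20:data_off])
    return (ttl, window, o["mss"], df, o["sackok"], o["nop"], o["wscale"], total_len)

# Constructed lookup table for illustration only; NOT p0f's real fingerprint database.
SIGNATURES = {(64, 65535, 1460, 1, 1, 1, 6, 52): "example-os-A (constructed)",
              (128, 8192, 1460, 1, 1, 1, 8, 52): "example-os-B (constructed)"}

def fingerprint(pkt):
    return SIGNATURES.get(syn_signature(pkt), "unknown")

# Constructed SYN (no real host): TTL 64, DF set, window 65535, options MSS 1460, NOP, WS 6, NOP, NOP, SACKOK
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 52, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 8 << 4, 0x02, 65535, 0, 0)
SAMPLE_SYN = IP_HDR + TCP_HDR + bytes([2, 4, 5, 0xB4, 1, 3, 3, 6, 1, 1, 4, 2])
```

Feeding the same extractor the SYNs seen by a sniffer and keying a table on the tuple is the core of what a passive fingerprinter does; changing a single field (for example the TTL) yields a different tuple and falls back to "unknown".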
p0f was written for Linux, but using cygwin you can run it on almost any version of Windows. The cygwin environment emulates a Unix environment ...