2

Is it possible to sniff a network (WLAN) and find out what operating systems are installed on network clients (PCs/phones etc.)?

I am using Ubuntu.

Dog eat cat world
8thperson

4 Answers

3

nmap has the ability to guess the operating system by looking at variations in how a device reacts to TCP/IP probes (see the nmap website for details).

You can also make a guess at the identity of a device by looking at who its MAC address was allocated to. For example, something with an address in a Hewlett-Packard block is probably a network printer.

Mark
  • Nmap uses active fingerprinting. Sniffing, as mentioned by the OP, in the strict sense, however, would be entirely passive. Passive fingerprinting is not supported by Nmap, as stated in their manual here: https://nmap.org/book/osdetect-other-methods.html#osdetect-passive – Marcel Sep 07 '16 at 07:15
3

If you are able to monitor the network, and assuming that the clients are not network devices like routers that may hide other devices behind them, it is possible to determine (with some accuracy) what operating system the device owning that IP address has just by monitoring what IPs that device connects to.

For instance, a device that connects regularly to IPs and looks up DNS for known Microsoft Update servers could be running a flavor of Windows. Same goes for Ubuntu, if said IP address connects regularly to an Ubuntu update server.

This, of course, precludes things like the device having an automated script that connects to many types of servers, in order to befuddle this kind of analysis.

Nasrus
0

Try p0f (http://lcamtuf.coredump.cx/p0f3/). This is a passive fingerprinter which determines the OS by looking at characteristics in the network traffic.

beamzer
0

From your question I understood that you want to use passive sniffing. So, you can sniff ICMP reply packets, since default OS types can vary by their TTL values. But if the value has changed, this may not be a good choice. If so, I also suggest using @Mark's answer. Using nmap with OS detection would be much better. ;)

mend
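
The TTL heuristic from the last answer, as an added example that is not part of the original posts: it reads the TTL from raw IPv4 headers and rounds it up to the nearest common initial value to guess the OS family and hop distance. The initial-TTL table holds commonly cited defaults (an assumption, since the value is configurable), the function names are hypothetical, and the sample packets are constructed.

```python
import struct

# Commonly cited default initial TTLs (assumption: stock settings, which an admin can change).
INITIAL_TTLS = {
    64: "Linux / Android / macOS / iOS / BSD family",
    128: "Windows family",
    255: "network gear or some Unix variants (e.g. Solaris)",
}

def parse_ipv4_ttl(packet: bytes):
    """Return (source_ip, ttl) read from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    src = ".".join(str(b) for b in packet[12:16])
    return src, packet[8]  # TTL is the 9th byte of the header

def guess_from_ttl(observed_ttl: int):
    """Round the observed TTL up to the nearest common initial value.

    Returns (initial_ttl, hops_away, guess). A large hop count on a local
    network suggests a non-default TTL, so the guess is low confidence.
    """
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS[initial]
    return None, None, None  # not a valid 8-bit TTL

def build_header(src: str, ttl: int) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header (ICMP, checksum 0)."""
    src_b = bytes(int(p) for p in src.split("."))
    dst_b = bytes([192, 168, 1, 10])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 1, 0, src_b, dst_b)

# Constructed sample traffic, standing in for packets captured on the WLAN.
SAMPLES = [build_header("192.168.1.23", 64), build_header("192.168.1.40", 128),
           build_header("192.168.1.1", 255), build_header("10.9.8.7", 117)]

def inventory(packets):
    """Map each source IP to its (initial_ttl, hops_away, guess) tuple."""
    return {src: guess_from_ttl(ttl) for src, ttl in map(parse_ipv4_ttl, packets)}

if __name__ == "__main__":
    for src, (initial, hops, guess) in inventory(SAMPLES).items():
        print(f"{src}: initial TTL {initial}, {hops} hop(s) away -> {guess}")
```

A host whose TTL has been changed from the default will be misclassified, which is why a TTL guess is best treated as one signal alongside others such as the MAC vendor prefix.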