how to know the OS with ICMP packets captured on Wireshark?

Posted by

It is not a myth that nowadays with a lot of tools you can get the operating system, hostname, open ports, etc. lots of information with only one scan on any device, but exist other methods that let you know what is the OS of any device according to the TTL of a simple ICMP packet.

Exist a specific list of the TTL (time to live) based on all the operating systems when it was released and you are able to get that information from any host with a simple “ping“, some of them are the same number so with that information you will be able to recognize the family distro (Windows / Linux) for that specific host.

Exist other values that help to recognize more specifically the OS, but we will discuss that later.


Machine 1: Listener

The first machine will need to act as a listener, so, on that machine, you will need to start the Wireshark tool and start capturing the traffic on the specific interface you wants to get information for.

Machine 2: ICMP Packets

The second machine is the machine we want to know the specific TTL to recognize what is the operating system it is using.


Windows: Windows XP/Vista/7/10/Server 2008/Server 2012
Value: 128

Linux: From Kernel 2.0.x/RHEL Red Hat 9
Value: 64


1. Log in to the first machine (Quito) and start the application Wireshark.
2. On Quito, start capturing the traffic on the specific interface you want to monitor.
3. Log in to the second machine (Oslo) and open CMD.
4. On Oslo, please do a ping to Quito. If you want to receive more packets for analysis, please repeat the ping two times.
5. Get back to Quito and analyze the traffic you already captured with Wireshark, please find the packets ICMP and double-click on any of them.

“1058 487.749617 10.10.10.X 10.10.10.X ICMP 74 Echo (ping) reply id=0x0001, seq=10/2560, ttl=128 (request in 1057)”

You will see something similar to that on your Wireshark, there you able to recognize the TTL from that line, ttl=128, but also, if you expand the tab “Internet Protocol Version 4…” and find the parameter “Time to live” you will be able to double check that.

2018-08-06 17_46_11-Module 03_ Scanning Networks

With that information now you are able to recognize the machine you are scanning has Windows as the operating system. The TCP Window Size has a different value for every operating system, will be good to know that value to get exactly the specific version the device is already running, but we will discuss that later.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s