Nmap Announce mailing list archives

Distinguish Win95 from Win98/NT with ICMP-TTL-field


From: Robert Siemer <siemer () i309 hadiko de>
Date: Sun, 9 May 1999 00:27:05 +0200 (CEST)

Hello all!

Are more services in nmap-services interesting? I know at least rsync
(rsync.samba.org), qmqp (www.qmail.org), mysqld, httpsd and junkbuster
(www.junkbuster.com). Also well known is rpc.mountd, with some ports over
800...

But the reason I'm writing this mail is: even before I used nmap, I determined
the OS of a site with a simple "ping". I looked at the TTL field for a
simple check. So I found out:

Win95:          32
Linux 2.0.x:    64
Win98/NT:       128
Linux 2.2.x:    255
(of course we have to subtract some routers between us and the target...)

I think it is possible to change the behavior in Linux 2.2.x in
/proc/somewhere - but it's good enough for a guess, isn't it?

Bye,
        Rob


PS: In the man page there is something about "-d" while reading about
"-v"...

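The TTL heuristic from the message above, as an added example that is not part of the original post: it reads the TTL from ping reply lines, picks the smallest initial value from the post's table that is not below it, and reports "unknown" when the implied hop count is implausible (for instance a host whose default TTL was changed). The 30-hop limit, the function names and the sample reply lines are assumptions made for this example.

```python
import re

# Initial TTLs and OS guesses exactly as listed in the post (1999 observations).
INITIAL_TTLS = {32: "Win95", 64: "Linux 2.0.x", 128: "Win98/NT", 255: "Linux 2.2.x"}
MAX_HOPS = 30  # assumption: a longer inferred path means the table does not fit
REPLY_RE = re.compile(r"from ([\d.]+):.*?\bttl=(\d+)", re.IGNORECASE)

# Constructed sample replies (Unix and Windows ping formats, documentation IPs).
SAMPLE = """\
64 bytes from 192.0.2.10: icmp_seq=0 ttl=121 time=23.1 ms
64 bytes from 192.0.2.20: icmp_seq=0 ttl=28 time=40.2 ms
64 bytes from 192.0.2.30: icmp_seq=0 ttl=251 time=12.7 ms
Reply from 192.0.2.40: bytes=32 time=10ms TTL=59
64 bytes from 192.0.2.50: icmp_seq=0 ttl=200 time=8.9 ms
"""


def guess_from_ttl(observed, max_hops=MAX_HOPS):
    """Map an observed TTL to (initial_ttl, hops, os_guess)."""
    if not 1 <= observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    # Routers only decrement the TTL, so the initial value is the smallest
    # table entry that is >= the observed one.
    initial = min(t for t in INITIAL_TTLS if t >= observed)
    hops = initial - observed
    if hops > max_hops:
        # Value does not fit the table, e.g. a host with a tuned default TTL.
        return None, None, "unknown"
    return initial, hops, INITIAL_TTLS[initial]


def classify_ping_output(text):
    """Return {host: (initial_ttl, hops, os_guess)} for each reply line."""
    results = {}
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            results[m.group(1)] = guess_from_ttl(int(m.group(2)))
    return results


if __name__ == "__main__":
    for host, (initial, hops, os_guess) in classify_ping_output(SAMPLE).items():
        print(f"{host}: initial={initial} hops={hops} guess={os_guess}")
```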

