TCP Timestamps for Uptime Calculation
Public Collection
3 Capture Files
| File name | Packets | Size |
| --- | --- | --- |
| nmap_os_detection_capture_fresh_boot.pcapng | 43 | 5.4 KB |
| nmap_os_detection_capture_fresh_boot_test.pcapng | 3168 | 332.7 KB |
| nmap_os_detection_capture_up_9_days.pcapng | 43 | 5.4 KB |
### Uptime Guessing

It used to be that TCP Timestamps could be used to [guess how long a system had been up](https://nmap.org/book/osdetect-usage.html). Imagine the situation where the timestamp clock starts at zero on reboot. When a client connects to the host, it sees the current clock value in the TSval field. A subsequent connection yields a second TSval, which makes it possible to deduce the clock frequency, and from there it is simple math to determine when the timer started.

Today, however, the TCP timer is typically initialized to a value other than zero at boot time, which reduces the effectiveness of this potential fingerprinting technique. We've [created this collection of 3 captures](https://www.cloudshark.org/collections/6Y242gqtatqj12ASjphhQw) to illustrate this point.
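The arithmetic described above, as an added example (not part of the original page or of Nmap): it estimates the tick rate from two TSval observations, derives the apparent uptime, and shows how a non-zero initial value skews the result. The TSval values, the offset `3_000_000_000`, the candidate rates in `COMMON_HZ` and all function names are constructed assumptions, not data read from the captures in this collection.

```python
WRAP = 2 ** 32                        # TSval is a 32-bit counter (RFC 7323)
COMMON_HZ = (1, 10, 100, 250, 1000)   # assumed candidate timestamp clock rates

def tsval(uptime_s, hz, offset=0):
    """Model of a host's TSval: ticks since boot plus an initial offset."""
    return (offset + round(uptime_s * hz)) % WRAP

def estimate_hz(t1, ts1, t2, ts2):
    """Estimate the tick rate from two (capture time, TSval) observations."""
    if t2 <= t1:
        raise ValueError("second observation must be later than the first")
    ticks = (ts2 - ts1) % WRAP        # tolerates one counter wrap between samples
    if ticks == 0:
        raise ValueError("TSval did not advance; samples too close together")
    raw = ticks / (t2 - t1)
    # Capture timing is noisy, so snap to the closest common rate by ratio.
    return min(COMMON_HZ, key=lambda hz: abs(raw / hz - 1))

def apparent_uptime(t1, ts1, t2, ts2):
    """Seconds since the counter would have read zero, as of the second sample."""
    return ts2 / estimate_hz(t1, ts1, t2, ts2)

def demo(true_uptime_s, hz, offset):
    """Return (apparent uptime, error) for a constructed host sampled 2 s apart."""
    ts1 = tsval(true_uptime_s, hz, offset)
    ts2 = tsval(true_uptime_s + 2.0, hz, offset)
    guess = apparent_uptime(0.0, ts1, 2.0, ts2)
    return guess, guess - (true_uptime_s + 2.0)

if __name__ == "__main__":
    nine_days = 9 * 86400             # constructed uptime, in seconds
    for label, offset in (("zero at boot", 0), ("non-zero offset", 3_000_000_000)):
        guess, err = demo(nine_days, 1000, offset)
        print(f"{label:16s} apparent uptime {guess / 86400:6.2f} days, "
              f"error {err:,.0f} s")
```

The tick rate is still recoverable when the counter starts at a non-zero value; only the zero point, and with it the uptime estimate, is lost.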