TSeq: The Class Attribute
The TSeq Class attribute refers to the predictability of a remote device's TCP initial sequence number (ISN). Many of these class attributes also include more detailed attributes to assist nmap in matching a fingerprint.
Amazingly, this fingerprint attribute describes an ISN that is the same value with every SYN/ACK. This class refers to a constant (C) number, and it will often include a Val attribute that represents the constant ISN value that is always seen from the remote device.
A fingerprint with Class=64K describes devices that have an initial sequence number that increases by 64,000 with each SYN/ACK.
These i800 devices have ISNs that increase by a fixed increment of 800 with each SYN/ACK.
Some systems, including Windows-based devices, increase the initial sequence number by a fixed amount during a specific time period. This time dependent (TD) model often includes fingerprint attributes based on the greatest common divisor (gcd) and a sequence index (SI) of the initial sequence number.
The random increments (RI) class describes a series of ISNs that increment, but there is no method of predicting the sequence number. This class often includes fingerprint attributes based on the greatest common divisor (gcd) and a sequence index (SI) of the initial sequence number.
If the initial sequence numbers are shown to be completely random, they are fingerprinted with the truly random (TR) class.
TSeq: The IPID Attribute
The IPID attribute refers to the IP identification bytes in the IP header. These values provide important information, since the IPID can be used for non-standard purposes. Nmap's idlescan is an example of how a predictable IPID can have unintended uses.
In rare instances, some systems provide IPIDs that are always a constant (C) number.
A system matching the Incremental (I) fingerprint increases the IPID by a standard increment with each sent packet.
The broken incremental (BI) fingerprint refers to a system (usually Windows-based) that increases by 256 each time a packet is sent. This is probably caused by an unintentional error in Microsoft's IP stack, but it's still a predictable error.
The random positive integral (RPI) fingerprint is based on an IPID that increases each time a packet is sent, but the increase is by an apparently random amount.
Random distributions (RD) are fingerprint references that identify IPIDs that increase or decrease randomly each time a packet is sent.
In some cases, the IPID will always be a zero (Z) value.
TSeq: Timestamp Option Sequencing
The TCP timestamp option is a standard method of calculating round-trip time between stations, documented in RFC 1323. However, this exact change in timestamp values will vary between operating systems. These variances can be identified and fingerprinted with the timestamp attributes.
Nmap looks for the change in timestamp each second and attempts to categorize it into five separate groups:
If the returned timestamp is zero, nmap categorizes it as a zero () TCP timestamp sequence.
A timestamp sequence that increases twice in one second is defined as 2HZ. Nmap uses the abbreviation for hertz, HZ, to reference the number of frequencies per cycle. In this case, HZ refers to the number of timestamps incremented per second.
If a timestamp increases by 100 every second, it's assigned a TS reference of 100HZ.
An increase of one thousand timestamps per second is categorized as 1000HZ.
If any remote device does not return a timestamp, it's fingerprinted as an unsupported system (U).