How to do it...

The following steps walk through OS identification from TTL values using Scapy:

  1. Windows and Linux/Unix operating systems use different default starting values for the IP Time To Live (TTL) field. Because every router on the return path decrements the TTL by one, the value seen in a reply is the remote host's initial value minus the hop count, which can be used to attempt to fingerprint the type of operating system with which you are communicating. The default values are summarized in the following table:

     Operating system        Standard TTL value
     Microsoft Windows OS    128
     Linux/Unix OS           64

     Some Unix-based systems start with a default TTL value of 255; however, for simplicity in this exercise, we will use the values in the table as the premise for the tasks addressed in this recipe. Keep in mind that the initial TTL is a per-host setting an administrator can change, so this is a heuristic rather than a definitive identification.
  2. To analyze the TTL value of a response from the remote system, we first need to build a request. In this example, we will use an Internet Control Message Protocol (ICMP) echo request. To send the ICMP request, we must first build the layers of that request. The first layer we need to construct is the IP layer:
  3. To build the IP layer of our request, we assign an IP object to the i variable. By calling the display() function, we can see the attribute configuration of the object. By default, both the source and destination addresses are set to the loopback address 127.0.0.1. The destination can be changed by setting i.dst equal to the string value of the address we wish to scan.
  4. By calling display() again, we can see that not only has the destination address been updated, but Scapy has also automatically updated the source IP address to the address of the interface its routing table selects for that destination. Now that we have constructed the IP layer of the request, we proceed to the ICMP layer:
  5. To build the ICMP layer of our request, we use the same technique as for the IP layer. In the example provided, the ICMP object is assigned to the ping variable. As before, the default configuration can be seen by calling display(). By default, the ICMP type is already set to echo-request. Now that we have created both the IP and ICMP layers, we construct the request by stacking those layers:
  6. The IP and ICMP layers are stacked by separating the variables with a forward slash, and the result is assigned to a new variable that represents the entire request. The display() function can then be called to view the configuration of the request. Once the request has been built, it can be passed to the sr1() function, which sends it and returns the first response, so that we can analyze the reply:
  7. The same request can be performed without building and stacking each layer independently. Instead, a single one-line command can be used by calling the constructors directly and passing the appropriate arguments to them:
  8. Notice that the TTL value of the response from the Linux system is 64. The same test can be performed against the IP address of the Windows system, and the difference in the TTL value of the response should be noted:
  9. Notice that the response returned by the Windows system has a TTL value of 128. This difference in responses can easily be tested in Python:
  10. By sending the same request, the integer value of the TTL in the reply can be tested to determine whether it is less than or equal to 64, in which case we can assume that the device probably runs a Linux/Unix operating system. Otherwise, if the value is greater than 64, we can assume that the device most likely runs a Windows operating system. This entire process can be automated with an executable Python script:
#!/usr/bin/env python3

import logging
import sys

# Silence Scapy's runtime warnings (for example about missing routes)
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, ICMP, sr1

if len(sys.argv) != 2:
    print("Usage - ./ttl_id.py [IP Address]")
    print("Example - ./ttl_id.py 10.0.0.5")
    print("Example will perform ttl analysis to attempt to determine "
          "whether the system is Windows or Linux/Unix")
    sys.exit(1)

ip = sys.argv[1]

# Send one ICMP echo request and wait at most one second for the first reply
ans = sr1(IP(dst=ip) / ICMP(), timeout=1, verbose=0)
if ans is None:
    print("No response was returned")
elif int(ans[IP].ttl) <= 64:
    print("Host is Linux/Unix")
else:
    print("Host is Windows")
  11. The provided Python script accepts a single argument, the IP address to be scanned. Based on the TTL value of the response returned, the script makes its best guess at the remote operating system. Make the file executable with chmod +x ttl_id.py and call it directly from the directory to which it was written, for example ./ttl_id.py 10.0.0.5. Because sr1() sends raw packets, the script must be run as root (or with equivalent raw-socket capabilities).
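The classification step above uses a single threshold (64). The following is an added example, not code from the book, that generalizes it: it rounds an observed TTL up to the nearest standard initial value (64, 128, or 255, the last being the Unix variant the recipe mentions) and reports the estimated hop count as well as the OS guess. It deliberately avoids Scapy so it runs without root privileges or network access; instead it unpacks the 20-byte IPv4 header with struct, which is the same TTL field Scapy exposes as ans[IP].ttl. The OS label for the 255 case, the helper names, and the sample reply bytes (constructed, checksums left as zero) are this example's own assumptions.

```python
import struct

# Standard initial TTLs. The recipe's table covers 64 and 128; 255 is the
# value the recipe mentions for some Unix-based systems (also common on
# network devices). The OS labels below are this example's own choice.
INITIAL_TTLS = (64, 128, 255)
OS_BY_INITIAL_TTL = {
    64: "Linux/Unix",
    128: "Windows",
    255: "Unix (255-TTL variant) or network device",
}


def recipe_rule(ttl):
    """The recipe's coarse rule: at most 64 means Linux/Unix, anything else Windows."""
    return "Linux/Unix" if ttl <= 64 else "Windows"


def classify_ttl(observed_ttl):
    """Return (os_guess, assumed_initial_ttl, estimated_hops) for an observed TTL.

    Each router on the return path decrements TTL by one, so the reply carries
    the host's initial TTL minus the hop count. Rounding up to the nearest
    standard initial value recovers both; this is the general form of the
    recipe's "<= 64 means Linux" rule.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be between 1 and 255, got %r" % (observed_ttl,))
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return OS_BY_INITIAL_TTL[initial], initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 matches every valid TTL")


def parse_ipv4_header(packet):
    """Unpack the fixed 20-byte IPv4 header; ttl is what Scapy shows as ans[IP].ttl."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if (version_ihl & 0x0F) * 4 < 20:
        raise ValueError("invalid IHL")
    return {
        "total_len": total_len,
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def fingerprint_reply(packet):
    """Full pipeline for one raw reply: parse the header, check it is ICMP, classify."""
    hdr = parse_ipv4_header(packet)
    if hdr["proto"] != 1:  # IANA protocol number 1 is ICMP
        raise ValueError("expected an ICMP reply, got IP protocol %d" % hdr["proto"])
    os_guess, initial, hops = classify_ttl(hdr["ttl"])
    return {
        "src": hdr["src"],
        "ttl": hdr["ttl"],
        "os": os_guess,
        "initial_ttl": initial,
        "hops": hops,
    }


# Constructed sample (not a real capture): the IPv4 header of an ICMP echo
# reply from 10.0.0.5 to 10.0.0.2 that arrived with TTL 57, followed by an
# 8-byte ICMP echo-reply header. Checksums are left as zero and not validated.
SAMPLE_REPLY = bytes.fromhex(
    "4500001c"  # version 4, IHL 5, TOS 0, total length 28
    "abcd0000"  # identification, flags and fragment offset
    "39010000"  # TTL 57, protocol 1 (ICMP), header checksum
    "0a000005"  # source 10.0.0.5
    "0a000002"  # destination 10.0.0.2
    "00000000"  # ICMP type 0 (echo reply), code 0, checksum
    "00010001"  # identifier 1, sequence number 1
)


if __name__ == "__main__":
    result = fingerprint_reply(SAMPLE_REPLY)
    print("%(src)s: TTL %(ttl)d -> %(os)s (initial %(initial_ttl)d, ~%(hops)d hops)" % result)
    # Where the two rules disagree: a reply with TTL 250 is "Windows" under the
    # recipe's rule but a 255-initial stack a few hops away under the refined one.
    print("TTL 250:", recipe_rule(250), "vs", classify_ttl(250)[0])
```

To use this against live replies, feed fingerprint_reply() the raw bytes of the packet sr1() returns (bytes(ans) in Scapy); the hop estimate is only as good as the assumption that the host has not changed its default TTL.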