TCP/IP browser fingerprinting (also called passive OS fingerprinting) is when a web server or network observer looks at low-level network details from your device’s TCP/IP stack to help identify or track you. These details come from how your operating system and network software build and send packets - things a normal webpage’s JavaScript can’t easily change.

When your computer talks to a website it sends network packets. Those packets carry tiny technical signals - for example, packet sizes, default flags, Time-To-Live (TTL) values, TCP window sizes, initial sequence number behavior, and which TCP options (MSS, timestamps, SACK) are used. The pattern of those signals is often unique enough to serve as a fingerprint for your device or OS.

Key Network Attributes Used

• TTL (Time-To-Live) value
• TCP window size and how it scales
• Initial sequence number patterns
• Presence & ordering of TCP options (MSS, SACK, Timestamps)
• IP packet size and fragmentation behavior
• DF (Don't Fragment) flag, DF/MTU behavior
  These are implementation details from the OS/network stack - not from the browser code.

Why TCP/IP Browser Fingerprint matters for privacy / fingerprinting

• These low-level traits are stable and often consistent across sessions, so they can help link visits from the same device even if cookies are cleared.
• Unlike browser APIs (canvas, fonts, etc.), TCP/IP traits come from the operating system and network drivers, so browser-side spoofing is limited.
• An attacker or analytics service observing network traffic (server side or on-path) can combine TCP/IP signals with other fingerprints to make tracking more reliable.

What Kameleo Does

TCP/IP fingerprinting relies on network stack properties that are hard to alter. Kameleo focuses on realistic browser fingerprint masking - aligning signals like TLS, headers, fonts, and User-Agent with real-world patterns. This consistency minimizes mismatches, making profiles appear natural and harder to detect.