ttmap analysis passively TCP timestamps values in the IP packets Captured. ttMaps passively analyzes values of TCP timestamps in IP packets captured. After collecting enough data, it calculates the characteristic parameters remote machine. These values allow guessing operating systems remotely and identify unique machines behind a single IP address. For example, it can analyze remote IP load-balanced successful initialization clusters.After, ttMaps begins analyzing packets received on the selected network interface. To do this, it uses the libpcap library, which injects captured packets to the ttmap_callback () function.Next, the program checks if it is received by TCP is one and if it has TCP Timestamps Option. If yes, then read ttMaps essential data to and passes it to the process_packet () function. However, if the packet or RST FIN Define the indicator, then a special procedure is called, which deletes all data on the connection is closed, if any.The process_packet () function corresponds to a single packet to a connection TCP. It checks if the number of packets collected in a single connection is sufficient, and if it is, control is passed to the identify_connection () function.Now, ttMaps has enough samples of packages that have been received of a single remote machine to find the proportionality Factor (the sleight of hand), whether the parameter, and system startup time, whether the parameter b. For best results, the program uses linear regression from the GNU Scientific Library. Provided that the quality values obtained is quite good, which is discussed later, an internal database of information has already identified some of the machines are asked to calculate the characteristics of the remote system. If it does nothing to a remote machine is detected, if there is a match, then machine a and b are parameters fixed by value.Due average of various delays and fluctuations that packets traversing the Internet could make the subject of the data obtained can be of low quality, ie. there will be no linear function corresponding collected (time, TCP timestamp) points. Thus, for best results, only the points close enough to the line of best fit should be regarded as significant. The program checks whether ttMaps ratio of covariance (return GSL) and obtained a parameter is small enough. A similar situation occurs when querying the internal database to match the machine - here, the user program in May to set acceptable "delta" for a and b parameters.When a new remote machine is detected, a message of Information is printed on standard output. This message contains a machine parameter, with a corresponding proposal remote operating system, and parameters B, with the likely time when the remote machine has been activated (in the local TimeZone).