Is it possible to detect whether certain TCP or UDP traffic is generated and processed directly by an Android mobile phone itself, or is being tethered to a different machine?

With HTTP, detection is relatively simple -- just look at the User-Agent string in the requests, and there is a certain likelihood to see some sort of a revealing pattern.

What about the discreet protocols, like https, ssh, IPsec, OpenVPN etc? Is it possible to detect the originator OS based on the TCP/UDP headers or content?

How would one masquerade the traffic to avoid detection through the passive fingerprinting of the encrypted protocols?

For example, if the mobile phone is running Android 2.2, and is tethered to OS X or OpenBSD, which TCP/UDP and https/ssh/IPsec/OpenVPN parameters would reveal the non-Android OS?

cnst

2 Answers

You can do analysis based on TTL, TCP ISN, etc. http://www.cse.sc.edu/~wyxu/papers/wisec66-schulz.pdf contains a detailed analysis.

Steffen Ullrich
  • This paper appears to be designed to *avoid* fingerprinting, which is [not a new premise](https://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting#Protection_against_and_detecting_fingerprinting) (though perhaps the premise of masking fingerprints in order to avoid tethering detection isn't as thoroughly covered). – Adam Katz May 15 '14 at 07:39

You appear to be looking for TCP/IP stack fingerprinting software.

P0f, which stands for "passive Operating System fingerprinting," observes packets at the TCP level and makes assumptions about the OS based on the network stack implementation. P0f does this passively, meaning that it does not need to interact with the client.

The p0f site has an example with which you can check your own fingerprint. Note that many mobile web providers run through proxies, which tends to mean that the proxy is what is fingerprinted rather than the client.

See also the EFF's Panopticlick project, which shows that pretty much every web browser is uniquely fingerprintable, even when blocking cookies. Please do not abuse fingerprinting to invade users' privacy.

Adam Katz
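
The TTL and TCP-level checks the answers above point to, as an added example (not code from either answer or from p0f): it parses a raw IPv4 SYN and lists which stack-dependent fields differ between two SYNs seen from one subscriber address. The function names and both sample packets are constructed for illustration, not measured Android or OS X signatures, and the one-hop TTL drop assumes the phone forwards tethered packets as a router.

```python
import struct

OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def syn_features(pkt: bytes) -> dict:
    """Fields a passive observer can read from one raw IPv4 TCP SYN."""
    ver_ihl, _, _, _, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    isn, = struct.unpack("!I", tcp[4:8])
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if off_flags & 0x12 != 0x02:           # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    opts = tcp[20:(off_flags >> 12) * 4]
    layout, mss, wscale, i = [], None, None, 0
    while i < len(opts) and opts[i] != 0:  # stop at end-of-list padding
        kind = opts[i]
        layout.append(OPT_NAMES.get(kind, f"?{kind}"))
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("malformed TCP option")
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2 and length == 4:
            mss, = struct.unpack("!H", body)
        elif kind == 3 and length == 3:
            wscale = body[0]
        i += length
    # Common initial TTLs are 32, 64, 128 and 255: round up to estimate hops.
    ittl = next(v for v in (32, 64, 128, 255) if ttl <= v)
    return {"ttl": ttl, "hops": ittl - ttl, "df": bool(frag & 0x4000), "isn": isn,
            "window": window, "mss": mss, "wscale": wscale, "layout": ",".join(layout)}

def stack_mismatch(a: dict, b: dict) -> list:
    """Stack-dependent fields that differ between two SYNs from one subscriber."""
    return [k for k in ("hops", "df", "window", "mss", "wscale", "layout") if a[k] != b[k]]

def build_syn(ttl, window, options, isn):
    """Constructed sample packet; options must be a multiple of 4 bytes, checksums are zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 1, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
    off = ((20 + len(options)) // 4) << 12 | 0x002
    return ip + struct.pack("!HHIIHHHH", 40000, 443, isn, 0, off, window, 0, 0) + options

# Constructed samples: one SYN from the handset's own stack, one forwarded for a tethered host.
PHONE = build_syn(64, 5840, bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030301"), 0x1A2B3C4D)
LAPTOP = build_syn(63, 65535, bytes.fromhex("020405b4" "01" "030303" "0101" "080a0000000200000000" "0402" "0000"), 0x51F0A9E2)
```

For these two samples, `stack_mismatch(syn_features(PHONE), syn_features(LAPTOP))` reports the extra hop, the window size, the window scale and the option layout as differing.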