SAM(April 3, 2008) - We send out about 20 or so ARP packets, listen to what comes back and try to fingerprint it based on that data. A little change from Satori in that it is an active scanner vs passive.
Satori(July, 2010) - Uses WinPCap (almost all testing has been done with 4.1 beta 5 recently). This program listens on the wire for all traffic and does OS Identification based on what it sees. Main things it works to identify are: Windows Machines, HP devices (that use HP Switch Protocol), Cisco devices (that do CDP packets), IP Phones (that send out Skinny packets), and a lot of DHCP related stuff recently, plus some other things. Still early on, will make many changes and will add whatever features are requested, so just send them with packet captures if possible!
Download the zipped file, unextract, run the update.exe and grab the latest files.
Satoril - Linux version(September, 2009) - Uses LibPCap, does TCP and DHCP fingerprinting. The windows versions little brother. Doesn't support nearly as many protocols and is cmd line.
Old SoftwareLots of other stuff has been taken offline over the years due to space. If there is something you know I wrote and want to look at let me know.
http://myweb.cableone.net/xnih/mortalx.htm
