Passive OS fingerprinting is a technique used to discover what OS is running on a host without actively probing it by sending packets. This is particularly useful when you're sniffing some traffic and need to know what OS a particular machine is using.
Here is the link to an absolutely stellar paper by Toby Miller. It includes sample sniffed output from various OSes. Be warned: you should have a firm understanding of networking and how a raw packet looks before reading this paper. It's not for the weak-hearted.
This technique is different from what many port/vulnerability scanners such as Nmap use to 'fingerprint' a remote host. Here, no packets are sent to the host being interrogated, making this a particularly stealthy detection method.
Some admins use this technique to gather information on attackers; more on this later.
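To show what an admin can read from a packet that has already been sniffed, here is an added example (not from this post or from the paper it links to). It pulls the TTL, DF bit and TCP window out of a raw IPv4/TCP header and rounds the TTL up to a likely initial value. The function names, the table of commonly cited default initial TTLs (64, 128, 255) and the sample packet are assumptions constructed for illustration.

```python
import struct

# Assumption: commonly cited default initial TTLs. Stacks can be tuned,
# so treat the result as a hint, never as proof.
INITIAL_TTLS = {64: "Linux/BSD/macOS family", 128: "Windows family", 255: "Solaris/network gear family"}

def parse_ipv4_tcp(packet: bytes) -> dict:
    """Extract the header fields passive fingerprinting looks at."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:
        raise ValueError("truncated IPv4/TCP header")
    flags_frag, ttl, proto = struct.unpack_from("!HBB", packet, 6)
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "ttl": ttl,
        "df": bool(flags_frag & 0x4000),  # Don't Fragment bit
        "window": struct.unpack_from("!H", tcp, 14)[0],
        "syn": bool(tcp[13] & 0x02),
    }

def guess_initial_ttl(observed: int) -> int:
    """Round up to the nearest common initial TTL (each hop subtracts 1)."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial
    raise ValueError("TTL out of range")

def fingerprint(packet: bytes) -> dict:
    """Combine the parsed fields with a TTL-based OS family hint."""
    f = parse_ipv4_tcp(packet)
    initial = guess_initial_ttl(f["ttl"])
    f.update(initial_ttl=initial, hops=initial - f["ttl"], hint=INITIAL_TTLS[initial])
    return f

# Constructed sample: a SYN from 192.0.2.10 with TTL 116, DF set, window 8192.
SAMPLE_SYN = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 116, 6, 0,
                bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    + struct.pack("!HHIIBBHHH", 49152, 443, 0, 0, 0x50, 0x02, 8192, 0, 0)
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_SYN))
```

Real fingerprinting tools weigh many more fields together (TCP options and their order, for instance); TTL alone only narrows the candidates.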