Passive OS fingerprinting

- looks for peculiarities in TCP SYN packets and tries to deduce the sender's operating system
- completely passive (no packets/probes generated), cheap
- good detection precision (considering it's passive), but easily spoofable, not a security feature!

What real uses are there (beyond OS bigotry)?

- e.g. queueing or redirecting instead of blocking
- e.g. stop worms spread by Windows hosts

    # redirect SMTP from hosts fingerprinted as Windows to a local listener on port 8025
    rdr on $ext_if proto tcp from any os "Windows" to any port 25 -> 127.0.0.1 port 8025
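The "peculiarities in TCP SYN packets" are a handful of header fields that each stack fills in differently. The following added example (not part of the original slides and not pf's own code) extracts them from a raw IPv4 SYN and prints a `window:ttl:df:size:options` signature; that field order is modelled on p0f-style fingerprint databases such as pf.os, the option letters are this example's notation, and the sample packet is constructed.

```python
import struct

def syn_signature(pkt: bytes) -> str:
    """Return 'window:ttl:df:size:options' for a raw IPv4 packet carrying a TCP SYN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack_from("!HHH", pkt, 2)
    ttl, proto = pkt[8], pkt[9]
    tcp = pkt[ihl:]
    if proto != 6 or len(tcp) < 20:
        raise ValueError("not a TCP segment")
    if tcp[13] & 0x12 != 0x02:              # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    window, = struct.unpack_from("!H", tcp, 14)
    df = 1 if frag & 0x4000 else 0
    # Each hop decrements the TTL; round up to the nearest common initial value.
    initial_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    opts, i, end = [], 20, min((tcp[12] >> 4) * 4, len(tcp))
    while i < end:
        kind = tcp[i]
        if kind == 0:                       # end of option list
            opts.append("E")
            break
        if kind == 1:                       # NOP padding
            opts.append("N")
            i += 1
            continue
        length = tcp[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:  # malformed option: stop parsing
            break
        body = tcp[i + 2:i + length]
        if kind == 2 and length == 4:       # maximum segment size
            opts.append("M%d" % struct.unpack("!H", body))
        elif kind == 3 and length == 3:     # window scale
            opts.append("W%d" % body[0])
        elif kind == 4:                     # SACK permitted
            opts.append("S")
        elif kind == 8 and length == 10:    # timestamp (T0 = zero value)
            opts.append("T0" if body[:4] == bytes(4) else "T")
        else:
            opts.append("?%d" % kind)
        i += length
    return "%d:%d:%d:%d:%s" % (window, initial_ttl, df, total_len, ",".join(opts) or ".")

# Constructed sample SYN (documentation addresses, checksums left at zero).
SAMPLE_SYN = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 52, 0x1234, 0x4000, 119, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 25])) \
    + struct.pack("!HHIIBBHHH", 49152, 25, 1, 0, 0x80, 0x02, 64240, 0, 0) \
    + bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])
```

Every field in the signature is chosen by the sender, which is why the result is suitable for queueing or redirect decisions but not for access control.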