Inconsistencies
Where a client's self-declaration disagrees with what its connection actually proved at the wire. A User-Agent is a claim anyone can set; the TLS, TCP, and HTTP/2 fingerprints below are measured from the bytes. Disagreement is the classic signal of automation dressed as a browser — though VPNs, proxies, privacy tools, and shared fingerprints produce honest mismatches too, so these are leads, not verdicts. Each check scans every co-observed pairing on record (display capped at 500 per check).
Browser claim vs. tool fingerprint
A User-Agent claiming a mainstream browser, observed with a TLS ClientHello the JA4+ database identifies as a non-browser tool (curl, a C2 agent, a library). The TLS stack is far harder to forge convincingly than the User-Agent header.
| fingerprint | User-Agent | claims | wire shows | confidence | seen | first seen | last seen | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like M… | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 508 | 2026-06-11 | 2026-07-02 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 9 | 2026-06-16 | 2026-07-02 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 3 | 2026-07-01 | 2026-07-01 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-07-02 | 2026-07-02 |
Browser claim vs. measured captures
A User-Agent claiming a browser the catalog has measured, at a version inside the measured range, whose TLS fingerprint is consistent with none of this site's controlled captures of that browser. Where the check above leans on an external label, this one is grounded in measurement. The comparison is layered: a fingerprint differing from a capture only in handshake-variant extensions (session resumption, 0-RTT, session tickets, padding) counts as consistent and is not shown; a differing cipher list is the stronger lead (medium); matching ciphers with a differing extension or signature-algorithm set is weaker (low) — most often a field-trial, ECH, or build variant not yet captured. It sharpens as catalog coverage broadens.
| fingerprint | User-Agent | claims | wire shows | confidence | seen | first seen | last seen | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
t13d1517h2_8daaf6152771_dcad5a053991 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 149.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 71 | 2026-06-16 | 2026-07-01 | ||||||||||
q13d0313h3_55b375c5d22e_fc7519ff7bc2 |
Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… | User-Agent claims Firefox 140.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 29 | 2026-06-16 | 2026-07-01 | ||||||||||
t13d1715h2_5b57614c22b0_a54fffd0eb61 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… | User-Agent claims Firefox 140.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 18 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1714h2_5b57614c22b0_53a6d0ab1c42 |
Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… | User-Agent claims Firefox 140.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 12 | 2026-06-17 | 2026-07-01 | ||||||||||
t13d311200_e8f1e7e78f70_d339722ba4af |
Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/… | User-Agent claims Firefox 142.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 7 | 2026-06-23 | 2026-07-02 | ||||||||||
t13d1610h2_86a278354501_1b18b669d02d |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 7 | 2026-07-02 | 2026-07-02 | ||||||||||
t12d180700_4b22cbed5bed_2dae41c691ec |
Mozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) G… | User-Agent claims Firefox 143.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 6 | 2026-06-19 | 2026-07-01 | ||||||||||
t13d1517h2_8daaf6152771_cb7bf5808d99 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 150.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 5 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1616h2_86a278354501_eeeea6562960 |
Mozilla/5.0 (Android 16; Mobile; rv:152.0) Gecko… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 5 | 2026-07-02 | 2026-07-02 | ||||||||||
t13d1517h2_8daaf6152771_3cbfd9057e0d |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 5 | 2026-07-02 | 2026-07-02 | ||||||||||
t13d1617h2_86a278354501_3e9721a6796e |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 5 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1716h2_6e7903f2cb1b_0c27189014cf |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 4 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1714h2_5b57614c22b0_53a6d0ab1c42 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 4 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1616h2_86a278354501_eeeea6562960 |
Mozilla/5.0 (Android 17; Mobile; rv:151.0) Gecko… | User-Agent claims Firefox 151.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 4 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d260900_6d1bcf7a4624_188c7f576dcd |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 149.0.0.0 | TLS cipher list matches no measured Chrome captureThe offered TLS cipher suites match no controlled capture of Chrome. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 4 | 2026-06-23 | 2026-07-01 | ||||||||||
t13d1615h2_86a278354501_ccb9c18a2635 |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 4 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1511h2_8daaf6152771_b9003e5c3fb3 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 149.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 3 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1515h2_8daaf6152771_a54fffd0eb61 |
Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… | User-Agent claims Firefox 151.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1516h2_8daaf6152771_d8a2da3f94cd |
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac… | User-Agent claims Safari 26.0 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 3 | 2026-07-02 | 2026-07-02 | ||||||||||
t13d1714h1_5b57614c22b0_43ade6aba3df |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… | User-Agent claims Firefox 150.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1616h2_86a278354501_eeeea6562960 |
Mozilla/5.0 (Android 13; Mobile; rv:152.0) Gecko… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 2 | 2026-07-02 | 2026-07-02 | ||||||||||
t12d520500_26e41e4f9c7e_22a92d800fe4 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Edge 149.0.0.0 | TLS cipher list matches no measured Edge captureThe offered TLS cipher suites match no controlled capture of Edge. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1516h2_8daaf6152771_d8a2da3f94cd |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… | User-Agent claims Safari 26.3 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d2013h2_a09f3c656075_7f0f34a4126d |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… | User-Agent claims Firefox 151 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
q13d0311h3_55b375c5d22e_f2a83c8e78ae |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… | User-Agent claims Firefox 151 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1514h2_8daaf6152771_53a6d0ab1c42 |
Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… | User-Agent claims Firefox 151.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
q13d0312h3_55b375c5d22e_178839b6cec1 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 150.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d311000_e8f1e7e78f70_1f22a2ca17c4 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 149.0.7827.201 | TLS cipher list matches no measured Chrome captureThe offered TLS cipher suites match no controlled capture of Chrome. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-02 | 2026-07-02 | ||||||||||
t13d1717h2_6e7903f2cb1b_3cbfd9057e0d |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1615h2_86a278354501_5c2c66f702b0 |
Mozilla/5.0 (Android 17; Mobile; rv:151.0) Gecko… | User-Agent claims Firefox 151.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1516h2_8daaf6152771_d8a2da3f94cd |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Firefox 148.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1616h2_86a278354501_60e8a95ece10 |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d181300_e8a523a41297_43ade6aba3df |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Chrome 149.0.7827.200 | TLS cipher list matches no measured Chrome captureThe offered TLS cipher suites match no controlled capture of Chrome. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1516h2_8daaf6152771_d8a2da3f94cd |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… | User-Agent claims Safari 26.2 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1516h2_8daaf6152771_d8a2da3f94cd |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims Safari 26.1 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1715h2_5b57614c22b0_a54fffd0eb61 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d521100_b262b3658495_8e6e362c5eac |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Edge 149.0.0.0 | TLS cipher list matches no measured Edge captureThe offered TLS cipher suites match no controlled capture of Edge. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1713h1_ab0a1bf427ad_ecd0401ec68b |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Firefox 148.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1816h2_e8a523a41297_0c27189014cf |
Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… | User-Agent claims Firefox 140.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1812h1_85036bcba153_b26ce05bbdd6 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Chrome 148.0.0.0 | TLS cipher list matches no measured Chrome captureThe offered TLS cipher suites match no controlled capture of Chrome. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-02 | 2026-07-02 | ||||||||||
q13d0311h3_55b375c5d22e_653d80c3fe9d |
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac… | User-Agent claims Safari 26.0 | TLS extensions or signature algorithms differ from every measured Safari captureThe cipher suites match Safari, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 1 | 2026-07-02 | 2026-07-02 | ||||||||||
t13d1516h2_8daaf6152771_9a55b862dad6 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Chrome 150.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 1 | 2026-07-01 | 2026-07-01 |
OS claim vs. TCP stack
A User-Agent's claimed operating system against the initial TTL of its TCP SYN. An initial TTL of 64 is Unix-like (Linux, macOS, iOS, Android, BSD); 128 is Windows. A "Windows" User-Agent arriving on a TTL-64 stack — or vice versa — is inconsistent, subject to the proxy/NAT caveats above.
| fingerprint | User-Agent | claims | wire shows | confidence | seen | first seen | last seen | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) … | User-Agent claims macOS | TCP SYN initial TTL 118+10 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 60 | 2026-06-13 | 2026-07-02 | ||||||||
4:43+21:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 57 | 2026-07-01 | 2026-07-02 | ||||||||
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 57 | 2026-07-01 | 2026-07-02 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 11; moto g power (20… | User-Agent claims Android | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 30 | 2026-06-25 | 2026-07-01 | ||||||||
4:50+14:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 11 | 2026-07-01 | 2026-07-02 | ||||||||
4:48+16:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 10 | 2026-07-02 | 2026-07-02 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 8 | 2026-07-01 | 2026-07-02 | ||||||||
4:117+11:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) … | User-Agent claims macOS | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-07-01 | 2026-07-01 | ||||||||
4:51+13:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-07-01 | 2026-07-02 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-06-27 | 2026-07-02 | ||||||||
4:57+7:0:1420:mss*30,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gec… | User-Agent claims Windows | TCP SYN initial TTL 57+7 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-07-01 | 2026-07-02 | ||||||||
4:48+16:0:9174:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-07-01 | 2026-07-01 | ||||||||
6:55+9:0:1392:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-07-01 | 2026-07-01 | ||||||||
4:41+23:0:1460:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-07-02 | 2026-07-02 | ||||||||
6:53+11:0:1376:8192,2:mss,nop,ws,nop,nop,sok::0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-07-02 | 2026-07-02 | ||||||||
4:51+13:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-07-02 | 2026-07-02 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-07-01 | 2026-07-01 | ||||||||
4:51+13:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-25 | 2026-07-02 | ||||||||
4:54+10:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-02 | 2026-07-02 | ||||||||
6:46+18:0:1432:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:54+10:0:1452:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:44+20:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-02 | 2026-07-02 | ||||||||
6:47+17:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-28 | 2026-07-01 | ||||||||
4:54+10:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1400:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1460:65535,6:mss,nop,ws,nop,nop,ts,sok,eol+1:df,ecn:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:52+12:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-28 | 2026-07-01 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-17 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-02 | 2026-07-02 | ||||||||
4:48+16:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-02 | 2026-07-02 | ||||||||
4:47+17:0:1380:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:52+12:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 118+10 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-02 | ||||||||
4:49+15:0:1460:mss*29,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-26 | 2026-07-02 | ||||||||
4:115+13:0:1460:mss*44,9:mss,nop,nop,sok,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:53+11:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:45+19:0:1452:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:114+14:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) … | User-Agent claims macOS | TCP SYN initial TTL 114+14 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) … | User-Agent claims macOS | TCP SYN initial TTL 118+10 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:53+11:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-02 | ||||||||
4:41+23:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:55+9:0:1410:mss*46,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-02 | 2026-07-02 | ||||||||
4:53+11:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-02 | ||||||||
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; trendi… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-02 | ||||||||
4:109+19:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) … | User-Agent claims macOS | TCP SYN initial TTL 109+19 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:51+13:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/2010… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1380:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:38+26:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 38+26 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:54+10:0:1460:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:46+18:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:53+11:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:38+26:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 38+26 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:40+24:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 40+24 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:48+16:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:52+12:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:43+21:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:43+21:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1340:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1340:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1400:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:111+17:0:1400:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 111+17 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:111+17:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 111+17 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:50+14:0:1452:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:46+18:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:50+14:0:1440:mss*45,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Geck… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1452:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:112+16:0:1320:65535,12:mss,nop,ws,sok,ts:id-:0 |
Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like M… | User-Agent claims iOS | TCP SYN initial TTL 112+16 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:55+9:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-02 | 2026-07-02 | ||||||||
4:52+12:0:1440:mss*45,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Geck… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:42+22:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-02 | 2026-07-02 | ||||||||
6:42+22:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-02 | 2026-07-02 | ||||||||
4:54+10:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-02 | 2026-07-02 | ||||||||
6:45+19:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-02 | 2026-07-02 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:49+15:0:1440:mss*42,14:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:48+16:0:1440:mss*42,14:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:47+17:0:1440:mss*42,14:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:50+14:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:46+18:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:45+19:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:45+19:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:46+18:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:51+13:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1412:65535,6:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:53+11:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:53+11:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:52+12:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) … | User-Agent claims macOS | TCP SYN initial TTL 110+18 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:55+9:0:1370:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:38+26:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 38+26 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:115+13:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:115+13:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:55+9:0:1460:mss*29,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1460:mss*10,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1460:65535,6:mss,nop,ws,nop,nop,ts,sok,eol+1:df,ecn:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:46+18:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:43+21:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:39+25:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 39+25 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:46+18:0:1260:mss*52,6:mss,nop,nop,sok,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:116+12:0:1460:mss*44,9:mss,nop,nop,sok,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:57+7:0:1440:mss*30,9:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 57+7 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:54+10:0:1440:65535,10:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:43+21:0:1440:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:39+25:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/2010… | User-Agent claims Windows | TCP SYN initial TTL 39+25 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1452:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:41+23:0:1460:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:53+11:0:1440:65535,14:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:51+13:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:57+7:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 57+7 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:44+20:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:50+14:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 |
Bot claim vs. published operator ranges
A User-Agent declaring a major bot — a search or AI crawler or a user-triggered fetcher — observed from an IP outside the ranges that operator publishes for it, or inside a different operator's ranges. Unlike the checks above, this is not a wire-vs-claim contradiction: it is the self-declared identity against the operator's own authoritative published list. An IP the operator does not list, arriving under its bot's name, is almost always an impersonator — scrapers spoof crawlers to dodge rate limits and earn crawler treatment. The consistent side (an IP inside the published range) appears as a "published range match" on the fingerprint page, not here.
| User-Agent | claims | from network | published ranges show | confidence | seen | first seen | last seen | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | Googlebot | AS24940 Hetzner Online GmbH | Outside Googlebot's published rangesThis User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.
|
high | 1 | 2026-07-01 | 2026-07-01 | ||||||
| Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | Googlebot | AS20278 Nexeon Technologies, Inc. | Outside Googlebot's published rangesThis User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.
|
high | 1 | 2026-07-01 | 2026-07-01 |