Inconsistencies

Where a client's self-declaration disagrees with what its connection actually proved at the wire. A User-Agent is a claim anyone can set; the TLS, TCP, and HTTP/2 fingerprints below are measured from the bytes. Disagreement is the classic signal of automation dressed as a browser — though VPNs, proxies, privacy tools, and shared fingerprints produce honest mismatches too, so these are leads, not verdicts. Each check scans every co-observed pairing on record (display capped at 500 per check).

Browser claim vs. tool fingerprint

A User-Agent claiming a mainstream browser, observed with a TLS ClientHello the JA4+ database identifies as a non-browser tool (curl, a C2 agent, a library). The TLS stack is far harder to forge convincingly than the User-Agent header.

fingerprintUser-Agentclaimswire showsconfidenceseenfirst seenlast seen
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like M… User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 508 2026-06-11 2026-07-02
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Label distributionngrok
Confidencehigh — repeated co-occurrence
high 81 2026-06-14 2026-06-14
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 9 2026-06-16 2026-07-02
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… User-Agent claims Firefox
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 6 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 6 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 14; SM-S928B) AppleW… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 14; SM-S928B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Mobile Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 6 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/… User-Agent claims Firefox
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 6 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… User-Agent claims Firefox
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 6 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac… User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Mobile/15E148 Safari/604.1
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 6 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 6 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.2 Safari/605.1.15
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 6 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 10; LIO-AN00 Build/H… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 10; LIO-AN00 Build/HUAWEILIO-AN00; wv) MicroMessenger Weixin QQ AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.62 XWEB/2692 MMWEBSDK/200901 Mobile Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 5 2026-06-17 2026-06-26
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 5 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 5 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Edge
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 5 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 5 2026-06-25 2026-06-25
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Linux; Android 11; vivo 1906; wv) A… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 11; vivo 1906; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/87.0.4280.141 Mobile Safari/537.36 VivoBrowser/8.9.0.0
Label distributionngrok
Confidencehigh — repeated co-occurrence
high 4 2026-06-27 2026-06-30
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Label distributionngrok
Confidencehigh — repeated co-occurrence
high 3 2026-06-27 2026-06-30
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.62 Safari/537.36
Label distributionSliver Agent
Confidencehigh — repeated co-occurrence
high 3 2026-07-01 2026-07-01
t13d190900_9dc949149365_97f8aa674fd9 visionheight.com/scan Mozilla/5.0 (Macintosh; In… User-Agent claims visionheight.com
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-Agentvisionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 2 2026-06-25 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1478.0 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-13 2026-06-13
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3881.0 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-13 2026-06-13
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (X11; U; Linux i686; rv:19.0) Gecko/… User-Agent claims Firefox
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; U; Linux i686; rv:19.0) Gecko/20100101 Slackware/13 Firefox/19.0
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-14 2026-06-14
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-14 2026-06-14
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U1) Ap… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 8.0.0; SM-G950U1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-14 2026-06-14
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; U; Android 6.0; he-il; Redmi… User-Agent claims Miui Browser
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; U; Android 6.0; he-il; Redmi Note 4X Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/10.9.7-g
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-14 2026-06-14
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; Nokia 7.1) AppleW… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; Nokia 7.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-14 2026-06-14
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-14 2026-06-14
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-14 2026-06-14
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.… User-Agent claims Internet Explorer
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; LG-H930) AppleWeb… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; LG-H930) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; Redmi Note 4) App… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; Redmi Note 4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.80 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWe… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; ONEPLUS A3010) Ap… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; ONEPLUS A3010) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Vers… User-Agent claims Opera
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentOpera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; SM-A600G) AppleWe… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; SM-A600G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 4.4.2; SM-T230NU Bui… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 4.4.2; SM-T230NU Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.81 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Buil… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 6.0; HTC One M9 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 5.1; C6740N Build/LM… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 5.1; C6740N Build/LMY47O) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; fr-fr) … User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; U; PPC Mac OS X; fr-fr) AppleWebKit/312.5 (KHTML, like Gecko) Safari/312.3
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/2… User-Agent claims Firefox
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWe… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; SM-G950F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.143 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gec… User-Agent claims Firefox
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 7.0; SM-J327T1) Appl… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 7.0; SM-J327T1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleW… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; moto g(6)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 … User-Agent claims Ubuntu
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 (KHTML, like Gecko) Ubuntu/11.04 Chromium/14.0.825.0 Chrome/14.0.825.0 Safari/535.1
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone… User-Agent claims Internet Explorer
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-16 2026-06-16
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 … User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 (KHTML like Gecko) WebVideo/1.0.1.10 Version/7.0 Safari/537.71
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-18 2026-06-18
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-19 2026-06-19
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) App… User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; … User-Agent claims Gecko
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090825 SeaMonkey/1.1.18
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; SM-A505F) AppleWe… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; SM-A505F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) A… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML like Gecko) Chrome/22.0.1229.79 Safari/537.4
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4 240.111 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-25 2026-06-25
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 4.0.4; BNTV400 Build… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 4.0.4; BNTV400 Build/IMM76L) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.111 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-26 2026-06-26
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; BNT… User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; U; Android 2.3.4; en-us; BNTV250 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Safari/533.1
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-29 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-29 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) A… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-29 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-29 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.84 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-29 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5… User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; de-de) AppleWebKit/534.15 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-29 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) … User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-29 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; G8141) AppleWebKi… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; G8141) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-29 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like M… User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/531.22.7
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-29 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 8.0.0; SM-G955F) App… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 8.0.0; SM-G955F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-29 2026-06-29
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone… User-Agent claims Internet Explorer
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0)
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-30 2026-06-30
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:… User-Agent claims Firefox
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-30 2026-06-30
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US… User-Agent claims KHTML, like Gecko, Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US) AppleWebKit/528.16 (KHTML, like Gecko, Safari/528.16) OmniWeb/v622.8.0.112941
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-30 2026-06-30
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWe… User-Agent claims Opera
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 OPR/62.0.3331.99
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-30 2026-06-30
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-11 2026-06-11
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-07-02 2026-07-02
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-18 2026-06-18
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-07-01 2026-07-01
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/560.… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/560.42 (KHTML, like Gecko) Chrome/93.0.756 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-13 2026-06-13
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/583.… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/583.47 (KHTML, like Gecko) Chrome/73.0.1706 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-15 2026-06-15
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/582.… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/582.53 (KHTML, like Gecko) Chrome/79.0.1288 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-18 2026-06-18
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Macintosh; Intel Mac OS X 8_0_2) Ap… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit/539.49 (KHTML, like Gecko) Chrome/74.0.1047 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-18 2026-06-18
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) … User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-19 2026-06-19
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.88 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-19 2026-06-19
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWe… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-19 2026-06-19
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Windows NT 9_1_2; Win64; x64) Apple… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit/580.46 (KHTML, like Gecko) Chrome/51.0.2449 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-21 2026-06-21
t13d191000_9dc949149365_e7c285222651 Mozilla/5.0 (Linux; Android 4.4.2; LG-V410 Build… User-Agent claims Chrome
JA4 identified as ngrok

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 4.4.2; LG-V410 Build/KOT49I.V41010d) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.103 Safari/537.36
Label distributionngrok
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-21 2026-06-21
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Ubuntu Chromium
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/75.0.3770.90 Chrome/75.0.3770.90 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-11 2026-06-11
t13d190900_9dc949149365_97f8aa674fd9 Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Pr… User-Agent claims Opera
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentOpera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-11 2026-06-11
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Ap… User-Agent claims Safari
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Safari/605.1.15
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-11 2026-06-11
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 7.0; Moto G (5) Plus… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 7.0; Moto G (5) Plus Build/NPNS25.137-35-5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.107 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-11 2026-06-11
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; U; Android 1.6; en-us; HTC_T… User-Agent claims Android browser
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; U; Android 1.6; en-us; HTC_TATTOO_A3288 Build/DRC79) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-11 2026-06-11
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) … User-Agent claims Whale
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Whale/1.5.75.9 Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-12 2026-06-12
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; H3223) AppleWebKi… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; H3223) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-13 2026-06-13
t13d190900_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Linux; Android 9; Redmi Note 7) App… User-Agent claims Chrome
JA4 identified as Sliver Agent

The TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.

Full User-AgentMozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Label distributionSliver Agent
Confidencemedium — fewer than 3 sightings; the label is itself an inference
medium 1 2026-06-13 2026-06-13

Browser claim vs. measured captures

A User-Agent claiming a browser the catalog has measured, at a version inside the measured range, whose TLS fingerprint is consistent with none of this site's controlled captures of that browser. Where the check above leans on an external label, this one is grounded in measurement. The comparison is layered: a fingerprint differing from a capture only in handshake-variant extensions (session resumption, 0-RTT, session tickets, padding) counts as consistent and is not shown; a differing cipher list is the stronger lead (medium); matching ciphers with a differing extension or signature-algorithm set is weaker (low) — most often a field-trial, ECH, or build variant not yet captured. It sharpens as catalog coverage broadens.

fingerprintUser-Agentclaimswire showsconfidenceseenfirst seenlast seen
t13d181300_e8a523a41297_43ade6aba3df Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Chrome 148.0.7778.96
TLS cipher list matches no measured Chrome capture

The offered TLS cipher suites match no controlled capture of Chrome. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.7778.96 Mobile Safari/537.36 (compatible; GoogleOther)
Claimed version148.0.7778.96
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites differ
JA4 labelunlabeled
medium 111 2026-06-11 2026-06-15
t13d1517h2_8daaf6152771_dcad5a053991 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome 149.0.0.0
TLS extensions or signature algorithms differ from every measured Chrome capture

The cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Claimed version149.0.0.0
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 71 2026-06-16 2026-07-01
t13d1715h2_5b57614c22b0_a54fffd0eb61 Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… User-Agent claims Firefox 140.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 34 2026-06-11 2026-07-01
t13d1615h2_86a278354501_a54fffd0eb61 Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 29 2026-06-29 2026-07-01
q13d0313h3_55b375c5d22e_fc7519ff7bc2 Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… User-Agent claims Firefox 140.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 29 2026-06-16 2026-07-01
q13d0315h3_55b375c5d22e_bb76f32061e3 Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… User-Agent claims Firefox 151.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 27 2026-06-11 2026-06-26
t13d1715h2_5b57614c22b0_a54fffd0eb61 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Firefox 140.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 20 2026-06-20 2026-06-27
t13d1615h2_86a278354501_a54fffd0eb61 Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… User-Agent claims Firefox 151.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 18 2026-06-11 2026-06-26
t13d1715h2_5b57614c22b0_a54fffd0eb61 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… User-Agent claims Firefox 140.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 18 2026-07-01 2026-07-01
q13d0315h3_55b375c5d22e_bb76f32061e3 Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 13 2026-06-29 2026-07-01
t13d1714h2_5b57614c22b0_53a6d0ab1c42 Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… User-Agent claims Firefox 140.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 12 2026-06-17 2026-07-01
t13d311200_e8f1e7e78f70_ccd0985badbe Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0… User-Agent claims Firefox 134.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0
Claimed version134.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 11 2026-06-17 2026-06-19
t13d3113h1_e8f1e7e78f70_89992bd7bbd7 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145… User-Agent claims Firefox 145.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
Claimed version145.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 11 2026-06-11 2026-06-29
q13d0316h3_55b375c5d22e_ef339f267f22 Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… User-Agent claims Firefox 151.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 9 2026-06-11 2026-06-23
t13d1614h2_86a278354501_53a6d0ab1c42 Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… User-Agent claims Firefox 151.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 9 2026-06-11 2026-06-26
t13d1312h1_f57a46bbacb6_ab7e3b40a677 Mozilla/5.0 (Macintosh; Intel Mac OS X 15.7; rv:… User-Agent claims Firefox 149.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 15.7; rv:149.0) Gecko/20100101 Firefox/149.0
Claimed version149.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 8 2026-06-12 2026-06-30
t13d1312h1_f57a46bbacb6_ab7e3b40a677 Mozilla/5.0 (Macintosh; Intel Mac OS X 15_7_5) A… User-Agent claims Safari 26.0
TLS cipher list matches no measured Safari capture

The offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 15_7_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0 Safari/605.1.15
Claimed version26.0
Measured versions26.5, 26.4
Layercipher suites differ
JA4 labelunlabeled
medium 8 2026-06-28 2026-06-30
t13d1610h2_86a278354501_1b18b669d02d Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 7 2026-07-02 2026-07-02
t13d311200_e8f1e7e78f70_d339722ba4af Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/… User-Agent claims Firefox 142.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0
Claimed version142.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 7 2026-06-23 2026-07-02
t13d1312h1_f57a46bbacb6_ab7e3b40a677 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Firefox 149.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Claimed version149.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 7 2026-06-28 2026-06-30
t13d1715h2_5b57614c22b0_a54fffd0eb61 Mozilla/5.0 (Android 16; Mobile; rv:148.0) Gecko… User-Agent claims Firefox 148.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Android 16; Mobile; rv:148.0) Gecko/148.0 Firefox/148.0
Claimed version148.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 6 2026-06-19 2026-06-19
t13d131000_f57a46bbacb6_e7c285222651 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… User-Agent claims Firefox 133.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Claimed version133.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 6 2026-06-11 2026-06-30
t13d1515h1_8daaf6152771_0a20fe35d3a5 Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac… User-Agent claims Safari 26.0
TLS cipher list matches no measured Safari capture

The offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0 Mobile/15E148 Safari/604.1
Claimed version26.0
Measured versions26.5, 26.4
Layercipher suites differ
JA4 labelunlabeled
medium 6 2026-06-22 2026-06-22
t12d180700_4b22cbed5bed_2dae41c691ec Mozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) G… User-Agent claims Firefox 143.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) Gecko/20100101 Firefox/143.0
Claimed version143.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 6 2026-06-19 2026-07-01
t13d1614h2_86a278354501_53a6d0ab1c42 Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 5 2026-06-29 2026-07-01
t13d1617h2_86a278354501_3e9721a6796e Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 5 2026-07-01 2026-07-01
t13d1616h2_86a278354501_eeeea6562960 Mozilla/5.0 (Android 16; Mobile; rv:152.0) Gecko… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Android 16; Mobile; rv:152.0) Gecko/152.0 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 5 2026-07-02 2026-07-02
t13d1312h2_a44d0ee8b3cc_e381dae6da6b Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Chrome 149.0.0.0
TLS cipher list matches no measured Chrome capture

The offered TLS cipher suites match no controlled capture of Chrome. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Claimed version149.0.0.0
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites differ
JA4 labelunlabeled
medium 5 2026-06-23 2026-06-23
t13d1517h2_8daaf6152771_cb7bf5808d99 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome 150.0.0.0
TLS extensions or signature algorithms differ from every measured Chrome capture

The cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/150.0.0.0 Safari/537.36
Claimed version150.0.0.0
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 5 2026-07-01 2026-07-01
t13d1614h2_86a278354501_3dd24b5ebec4 Mozilla/5.0 (Android 16; Mobile; rv:151.0) Gecko… User-Agent claims Firefox 151.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Android 16; Mobile; rv:151.0) Gecko/151.0 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 5 2026-06-11 2026-06-11
t13d311000_e8f1e7e78f70_518fb456ca59 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… User-Agent claims Firefox 147.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Claimed version147.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 5 2026-06-17 2026-06-19
t13d1517h2_8daaf6152771_3cbfd9057e0d Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… User-Agent claims Firefox 152.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 5 2026-07-02 2026-07-02
t13d1616h2_86a278354501_eeeea6562960 Mozilla/5.0 (Android 17; Mobile; rv:151.0) Gecko… User-Agent claims Firefox 151.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Android 17; Mobile; rv:151.0) Gecko/151.0 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 4 2026-07-01 2026-07-01
t13d1514h2_8daaf6152771_827b515c4f52 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome 149.0.0.0
TLS extensions or signature algorithms differ from every measured Chrome capture

The cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Claimed version149.0.0.0
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 4 2026-06-19 2026-06-23
t13d1516h2_8daaf6152771_02713d6af862 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome 149.0.0.0
TLS extensions or signature algorithms differ from every measured Chrome capture

The cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Claimed version149.0.0.0
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites match; extension set or signature algorithms differ
JA4 labelChrome (also Chromium Browser)
low 4 2026-06-19 2026-06-19
t13d260900_6d1bcf7a4624_188c7f576dcd Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome 149.0.0.0
TLS cipher list matches no measured Chrome capture

The offered TLS cipher suites match no controlled capture of Chrome. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Claimed version149.0.0.0
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites differ
JA4 labelunlabeled
medium 4 2026-06-23 2026-07-01
t13d1716h2_6e7903f2cb1b_0c27189014cf Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… User-Agent claims Firefox 152.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 4 2026-07-01 2026-07-01
t13d1714h2_5b57614c22b0_53a6d0ab1c42 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 4 2026-07-01 2026-07-01
t13d1516h2_8daaf6152771_02713d6af862 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome 148.0.0.0
TLS extensions or signature algorithms differ from every measured Chrome capture

The cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Claimed version148.0.0.0
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites match; extension set or signature algorithms differ
JA4 labelChrome (also Chromium Browser)
low 4 2026-06-16 2026-06-28
t13d131000_f57a46bbacb6_e7c285222651 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Firefox 140.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 4 2026-06-30 2026-06-30
t13d571400_b456ddcad344_43e0e1cab074 Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… User-Agent claims Firefox 151.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 4 2026-06-29 2026-06-29
t13d1711h2_5dc684030f41_86ae21f8795b Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151… User-Agent claims Firefox 151.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 4 2026-06-22 2026-06-22
t13d1615h2_86a278354501_ccb9c18a2635 Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 4 2026-07-01 2026-07-01
t13d1312h2_a44d0ee8b3cc_e381dae6da6b Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… User-Agent claims Firefox 140.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 3 2026-06-23 2026-06-23
t13d131100_f57a46bbacb6_ab7e3b40a677 Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… User-Agent claims Safari 26.5
TLS cipher list matches no measured Safari capture

The offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.5 Mobile/15E148 Safari/604.1
Claimed version26.5
Measured versions26.5, 26.4
Layercipher suites differ
JA4 labelunlabeled
medium 3 2026-06-11 2026-06-20
t13d1516h2_8daaf6152771_d8a2da3f94cd Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac… User-Agent claims Safari 26.0
TLS cipher list matches no measured Safari capture

The offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0 Mobile/15E148 Safari/604.1
Claimed version26.0
Measured versions26.5, 26.4
Layercipher suites differ
JA4 labelunlabeled
medium 3 2026-07-02 2026-07-02
t13d1511h2_8daaf6152771_b9003e5c3fb3 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome 149.0.0.0
TLS extensions or signature algorithms differ from every measured Chrome capture

The cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Claimed version149.0.0.0
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 3 2026-07-01 2026-07-01
t13d1615h2_86a278354501_a54fffd0eb61 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 3 2026-06-25 2026-06-25
t13d131000_f57a46bbacb6_e7c285222651 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… User-Agent claims Firefox 150.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:150.0) Gecko/20100101 Firefox/150.0
Claimed version150.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 3 2026-06-16 2026-06-17
q13d0311h3_55b375c5d22e_f2a83c8e78ae Mozilla/5.0 (iPhone; CPU iPhone OS 26_5_0 like M… User-Agent claims Chrome 149.0.7827.137
TLS extensions or signature algorithms differ from every measured Chrome capture

The cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 26_5_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/149.0.7827.137 Mobile/15E148 Safari/604.1
Claimed version149.0.7827.137
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 3 2026-06-26 2026-06-26
t13d151100_8daaf6152771_882d495ac381 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Chrome 148.0.0.0
TLS extensions or signature algorithms differ from every measured Chrome capture

The cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Claimed version148.0.0.0
Measured versions149.0.7827.103, 149.0.7827.53, 149.0.7827.115, 149.0.7827.114, 149.0.7827.54, 149.0.7827.102, 149.0.7827.201, 149.0.7827.156, 149.0.7827.155, 150.0.7871.46, 148.0.7778.179, 149.0.7827.200
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 3 2026-06-23 2026-06-23
t13d1515h2_8daaf6152771_a54fffd0eb61 Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… User-Agent claims Firefox 151.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 3 2026-07-01 2026-07-01
t13i1909h2_9dc949149365_97f8aa674fd9 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… User-Agent claims Firefox 132.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Claimed version132.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-11 2026-06-12
t13d131000_f57a46bbacb6_e7c285222651 Mozilla/5.0 (X11; Linux x86_64; rv:149.0) Gecko/… User-Agent claims Firefox 149.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:149.0) Gecko/20100101 Firefox/149.0
Claimed version149.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-16 2026-06-17
t13d1516h2_8daaf6152771_0c27189014cf Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151… User-Agent claims Firefox 151.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-19 2026-06-19
t13d131000_f57a46bbacb6_e7c285222651 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Firefox 149.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Claimed version149.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-16 2026-06-17
t13d3012h2_1d37bd780c83_882d495ac381 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Firefox 149.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Claimed version149.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-23 2026-06-23
t13d131000_f57a46bbacb6_e7c285222651 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… User-Agent claims Firefox 150.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150.0) Gecko/20100101 Firefox/150.0
Claimed version150.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-16 2026-06-17
t13d1714h1_5b57614c22b0_43ade6aba3df Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… User-Agent claims Firefox 150.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150.0) Gecko/20100101 Firefox/150.0
Claimed version150.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 2 2026-07-01 2026-07-01
t13d131000_f57a46bbacb6_e7c285222651 Mozilla/5.0 (X11; Linux x86_64; rv:150.0) Gecko/… User-Agent claims Firefox 150.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:150.0) Gecko/20100101 Firefox/150.0
Claimed version150.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-16 2026-06-17
t13d1312h2_a44d0ee8b3cc_e381dae6da6b Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… User-Agent claims Firefox 151.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-23 2026-06-23
t13d1514h2_8daaf6152771_53a6d0ab1c42 Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… User-Agent claims Firefox 151.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0
Claimed version151.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-07-01 2026-07-01
t12d520500_26e41e4f9c7e_22a92d800fe4 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Edge 149.0.0.0
TLS cipher list matches no measured Edge capture

The offered TLS cipher suites match no controlled capture of Edge. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Claimed version149.0.0.0
Measured versions149.0.4022.80, 149.0.4022.98, 149.0.4022.69, 149.0.4022.52
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-07-01 2026-07-01
q13d0314h3_55b375c5d22e_1ecea7cb6ec1 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… User-Agent claims Firefox 147.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Claimed version147.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 2 2026-06-29 2026-06-29
t13d311000_e8f1e7e78f70_518fb456ca59 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… User-Agent claims Firefox 147.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:147.0) Gecko/20100101 Firefox/147.0
Claimed version147.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-17 2026-06-17
t13d311000_e8f1e7e78f70_518fb456ca59 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… User-Agent claims Firefox 149.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:149.0) Gecko/20100101 Firefox/149.0
Claimed version149.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-17 2026-06-17
t13d1715h2_5b57614c22b0_a54fffd0eb61 Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… User-Agent claims Firefox 148.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/148.0 Mobile/15E148 Safari/605.1.15
Claimed version148.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 2 2026-06-19 2026-06-19
t13d1516h2_8daaf6152771_d8a2da3f94cd Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_8 like M… User-Agent claims Safari 26.0
TLS cipher list matches no measured Safari capture

The offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 18_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0 Mobile/15E148 Safari/604.1
Claimed version26.0
Measured versions26.5, 26.4
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-07-01 2026-07-01
t13d311000_e8f1e7e78f70_518fb456ca59 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims Safari 26.2
TLS cipher list matches no measured Safari capture

The offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Safari/605.1.15
Claimed version26.2
Measured versions26.5, 26.4
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-17 2026-06-17
t13d1516h2_8daaf6152771_d8a2da3f94cd Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… User-Agent claims Safari 26.3
TLS cipher list matches no measured Safari capture

The offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.3 Mobile/15E148 Safari/604.1
Claimed version26.3
Measured versions26.5, 26.4
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-07-01 2026-07-01
t13d0916h2_f91f431d341e_0c27189014cf Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… User-Agent claims Firefox 152.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-26 2026-06-26
t13d0917h2_f91f431d341e_3cbfd9057e0d Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… User-Agent claims Firefox 152.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-26 2026-06-26
t12d200700_22c523c4c553_2dae41c691ec Mozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) G… User-Agent claims Firefox 143.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) Gecko/20100101 Firefox/143.0
Claimed version143.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-06-19 2026-06-28
t13d1616h2_86a278354501_eeeea6562960 Mozilla/5.0 (Android 13; Mobile; rv:152.0) Gecko… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Android 13; Mobile; rv:152.0) Gecko/152.0 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 2 2026-07-02 2026-07-02
t13d2013h2_a09f3c656075_7f0f34a4126d Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… User-Agent claims Firefox 151
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/151 Mobile/15E148 Version/18.6
Claimed version151
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 2 2026-07-01 2026-07-01
q13d0311h3_55b375c5d22e_f2a83c8e78ae Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… User-Agent claims Firefox 151
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/151 Mobile/15E148 Version/18.6
Claimed version151
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 2 2026-07-01 2026-07-01
t13d160900_1711a4c0508c_c06d14d7e8f6 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Edge 149.0.0.0
TLS cipher list matches no measured Edge capture

The offered TLS cipher suites match no controlled capture of Edge. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Claimed version149.0.0.0
Measured versions149.0.4022.80, 149.0.4022.98, 149.0.4022.69, 149.0.4022.52
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-30 2026-06-30
t13d521100_b262b3658495_8e6e362c5eac Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Edge 149.0.0.0
TLS cipher list matches no measured Edge capture

The offered TLS cipher suites match no controlled capture of Edge. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Claimed version149.0.0.0
Measured versions149.0.4022.80, 149.0.4022.98, 149.0.4022.69, 149.0.4022.52
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-07-01 2026-07-01
t13d251100_b78ed14e2fd0_ab7e3b40a677 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Firefox 140.8
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.8
Claimed version140.8
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-16 2026-06-16
t13d251100_b78ed14e2fd0_ab7e3b40a677 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Firefox 140.9
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.9
Claimed version140.9
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-16 2026-06-16
t13d2014h2_a09f3c656075_14788d8d241b Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims Safari 26.4
TLS extensions or signature algorithms differ from every measured Safari capture

The cipher suites match Safari, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.4 Safari/605.1.15
Claimed version26.4
Measured versions26.5, 26.4
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 1 2026-06-29 2026-06-29
t13d3612h1_018971650b2c_58ed7828516f Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/… User-Agent claims Firefox 138.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Claimed version138.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-27 2026-06-27
t13i130900_f57a46bbacb6_e7c285222651 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Firefox 140.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-11 2026-06-11
t13d1714h2_5b57614c22b0_53a6d0ab1c42 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Firefox 140.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 1 2026-06-23 2026-06-23
t13d1312h2_a44d0ee8b3cc_e381dae6da6b Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Firefox 140.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-23 2026-06-23
t13d251100_b78ed14e2fd0_ab7e3b40a677 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0… User-Agent claims Firefox 136.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0
Claimed version136.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-16 2026-06-16
t13d311000_e8f1e7e78f70_518fb456ca59 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146… User-Agent claims Firefox 146.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Claimed version146.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-17 2026-06-17
t13d311000_e8f1e7e78f70_518fb456ca59 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143… User-Agent claims Firefox 143.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Claimed version143.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-16 2026-06-16
t12d130600_2d7513195f68_e51b7354d87f Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143… User-Agent claims Firefox 143.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Claimed version143.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-19 2026-06-19
t13d1516h3_8daaf6152771_d8a2da3f94cd Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143… User-Agent claims Firefox 143.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Claimed version143.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-22 2026-06-22
t13d251100_b78ed14e2fd0_ab7e3b40a677 Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/… User-Agent claims Firefox 133.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0
Claimed version133.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-17 2026-06-17
t13d1714h2_5b57614c22b0_53a6d0ab1c42 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… User-Agent claims Firefox 147.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Claimed version147.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 1 2026-06-29 2026-06-29
t13d3112h2_e8f1e7e78f70_b26ce05bbdd6 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… User-Agent claims Firefox 147.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Claimed version147.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-20 2026-06-20
t12i130500_2d7513195f68_e51b7354d87f Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… User-Agent claims Firefox 140.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-12 2026-06-12
t13d311000_e8f1e7e78f70_518fb456ca59 Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… User-Agent claims Firefox 140.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-17 2026-06-17
t13d201100_2b729b4bf6f3_36bf25f296df Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… User-Agent claims Firefox 133.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Claimed version133.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-28 2026-06-28
t13d131100_f57a46bbacb6_ab7e3b40a677 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… User-Agent claims Firefox 133.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Claimed version133.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-11 2026-06-11
t13d1816h2_e8a523a41297_0c27189014cf Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… User-Agent claims Firefox 140.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-07-01 2026-07-01
t12d130600_2d7513195f68_e51b7354d87f Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… User-Agent claims Firefox 140.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:140.0) Gecko/20100101 Firefox/140.0
Claimed version140.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-12 2026-06-12
t12i130500_2d7513195f68_e51b7354d87f Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0… User-Agent claims Firefox 142.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0
Claimed version142.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-12 2026-06-12
t13d311000_e8f1e7e78f70_518fb456ca59 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… User-Agent claims Firefox 148.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Claimed version148.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-17 2026-06-17
t13d1713h1_ab0a1bf427ad_ecd0401ec68b Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… User-Agent claims Firefox 148.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Claimed version148.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-07-01 2026-07-01
t13d1516h2_8daaf6152771_d8a2da3f94cd Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… User-Agent claims Firefox 148.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Claimed version148.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-07-01 2026-07-01
t13d1616h2_86a278354501_60e8a95ece10 Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… User-Agent claims Firefox 152.0
TLS extensions or signature algorithms differ from every measured Firefox capture

The cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/20100101 Firefox/152.0
Claimed version152.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites match; extension set or signature algorithms differ
JA4 labelunlabeled
low 1 2026-07-01 2026-07-01
t13d311000_e8f1e7e78f70_518fb456ca59 Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/… User-Agent claims Firefox 148.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0
Claimed version148.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-17 2026-06-17
t12d130600_2d7513195f68_e51b7354d87f Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0… User-Agent claims Firefox 142.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0
Claimed version142.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-12 2026-06-12
t13d311000_e8f1e7e78f70_518fb456ca59 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims Safari 26.3.1
TLS cipher list matches no measured Safari capture

The offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.3.1 Safari/605.1.15
Claimed version26.3.1
Measured versions26.5, 26.4
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-17 2026-06-17
t13d1812h1_85036bcba153_b26ce05bbdd6 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137… User-Agent claims Firefox 137.0
TLS cipher list matches no measured Firefox capture

The offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
Claimed version137.0
Measured versions150.0.2, 135.0, 146.0.1, 152.0.1, 140.0.2, 132.0, 152.0.3, 151.0.4, 151.0.2, 148.0.2, 139.0, 137.0, 141.0, 151.0.3, 144.0.2, 142.0.1, 134.0, 151.0
Layercipher suites differ
JA4 labelunlabeled
medium 1 2026-06-18 2026-06-18

OS claim vs. TCP stack

A User-Agent's claimed operating system against the initial TTL of its TCP SYN. An initial TTL of 64 is Unix-like (Linux, macOS, iOS, Android, BSD); 128 is Windows. A "Windows" User-Agent arriving on a TTL-64 stack — or vice versa — is inconsistent, subject to the proxy/NAT caveats above.

fingerprintUser-Agentclaimswire showsconfidenceseenfirst seenlast seen
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Android
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.7778.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Observed TTL116+12 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 163 2026-06-11 2026-06-22
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) … User-Agent claims macOS
TCP SYN initial TTL 118+10 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Gort)
Observed TTL118+10 (observed + path distance → initial)
Claimed OSmacOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 60 2026-06-13 2026-07-02
4:43+21:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 57 2026-07-01 2026-07-02
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 57 2026-07-01 2026-07-02
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Android
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.7778.96 Mobile Safari/537.36 (compatible; GoogleOther)
Observed TTL116+12 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 55 2026-06-11 2026-06-15
4:118+10:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Android
TCP SYN initial TTL 118+10 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.7778.96 Mobile Safari/537.36 (compatible; GoogleOther)
Observed TTL118+10 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 42 2026-06-12 2026-06-13
4:46+18:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 36 2026-06-14 2026-06-14
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 11; moto g power (20… User-Agent claims Android
TCP SYN initial TTL 121+7 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 11; moto g power (2022)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Mobile Safari/537.36 Chrome-Lighthouse
Observed TTL121+7 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 30 2026-06-25 2026-07-01
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 121+7 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Chrome-Lighthouse
Observed TTL121+7 (observed + path distance → initial)
Claimed OSmacOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 28 2026-06-25 2026-06-29
4:53+11:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 26 2026-06-11 2026-06-17
4:115+13:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 115+13 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Chrome-Lighthouse
Observed TTL115+13 (observed + path distance → initial)
Claimed OSmacOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 26 2026-06-11 2026-06-22
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 23 2026-06-30 2026-06-30
6:47+17:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 20 2026-06-27 2026-06-28
4:46+18:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 20 2026-06-11 2026-06-23
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 20 2026-06-30 2026-06-30
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 19 2026-06-30 2026-06-30
4:42+22:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 19 2026-06-14 2026-06-14
6:48+16:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 19 2026-06-27 2026-06-28
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 18 2026-06-30 2026-06-30
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Vivaldi/6.7.3329.35
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 17 2026-06-30 2026-06-30
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 16 2026-06-30 2026-06-30
4:115+13:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 11; moto g power (20… User-Agent claims Android
TCP SYN initial TTL 115+13 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 11; moto g power (2022)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Mobile Safari/537.36 Chrome-Lighthouse
Observed TTL115+13 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 15 2026-06-11 2026-06-22
4:117+11:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Android
TCP SYN initial TTL 117+11 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.7778.96 Mobile Safari/537.36 (compatible; GoogleOther)
Observed TTL117+11 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 14 2026-06-11 2026-06-13
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 OPR/110.0.0.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 13 2026-06-30 2026-06-30
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 13 2026-06-30 2026-06-30
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 13 2026-06-30 2026-06-30
4:53+11:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 12 2026-06-11 2026-06-23
4:50+14:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 11 2026-07-01 2026-07-02
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 110+18 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Observed TTL110+18 (observed + path distance → initial)
Claimed OSmacOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 11 2026-06-19 2026-06-19
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 10 2026-06-11 2026-06-15
6:46+18:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 10 2026-06-27 2026-06-28
4:112+16:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 11; moto g power (20… User-Agent claims Android
TCP SYN initial TTL 112+16 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 11; moto g power (2022)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Mobile Safari/537.36 Chrome-Lighthouse
Observed TTL112+16 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 10 2026-06-11 2026-06-22
4:51+13:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 10 2026-06-15 2026-06-15
4:48+16:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 10 2026-07-02 2026-07-02
4:43+21:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 10 2026-06-23 2026-06-23
4:47+17:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 9 2026-06-19 2026-06-19
6:51+13:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 9 2026-06-27 2026-06-28
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Android
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Observed TTL116+12 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 9 2026-06-11 2026-06-22
4:118+10:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Android
TCP SYN initial TTL 118+10 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.7778.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Observed TTL118+10 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 9 2026-06-12 2026-06-18
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 11; moto g power (20… User-Agent claims Android
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 11; moto g power (2022)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Mobile Safari/537.36 Chrome-Lighthouse
Observed TTL116+12 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 9 2026-06-17 2026-06-21
4:117+11:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 11; moto g power (20… User-Agent claims Android
TCP SYN initial TTL 117+11 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 11; moto g power (2022)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Mobile Safari/537.36 Chrome-Lighthouse
Observed TTL117+11 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 9 2026-06-17 2026-06-17
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Android
TCP SYN initial TTL 121+7 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.7778.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Observed TTL121+7 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 9 2026-06-26 2026-06-27
4:112+16:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 112+16 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Chrome-Lighthouse
Observed TTL112+16 (observed + path distance → initial)
Claimed OSmacOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 9 2026-06-11 2026-06-22
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 8 2026-06-20 2026-06-20
4:46+18:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 8 2026-06-15 2026-06-15
4:117+11:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 117+11 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Chrome-Lighthouse
Observed TTL117+11 (observed + path distance → initial)
Claimed OSmacOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 8 2026-06-11 2026-06-17
4:40+24:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 40+24 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL40+24 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 8 2026-06-14 2026-06-14
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Android
TCP SYN initial TTL 121+7 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.7827.200 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Observed TTL121+7 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 8 2026-07-01 2026-07-02
4:56+8:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 8 2026-06-25 2026-06-29
4:50+14:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 7 2026-06-11 2026-06-22
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 7 2026-06-25 2026-06-30
4:41+23:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 41+23 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL41+23 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 7 2026-06-14 2026-06-14
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 7 2026-06-25 2026-06-30
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 7 2026-06-22 2026-06-22
4:52+12:0:1420:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.60 Safari/537.36 Edge/12.246
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 7 2026-06-23 2026-06-23
4:118+10:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 118+10 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Chrome-Lighthouse
Observed TTL118+10 (observed + path distance → initial)
Claimed OSmacOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 6 2026-06-21 2026-06-21
4:51+13:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 6 2026-07-01 2026-07-02
4:117+11:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/5… User-Agent claims Android
TCP SYN initial TTL 117+11 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Mobile Safari/537.36 (compatible; Google-Read-Aloud; +https://support.google.com/webmasters/answer/1061943)
Observed TTL117+11 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 6 2026-06-16 2026-06-16
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 6 2026-06-27 2026-07-02
4:117+11:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) … User-Agent claims macOS
TCP SYN initial TTL 117+11 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Observed TTL117+11 (observed + path distance → initial)
Claimed OSmacOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 6 2026-07-01 2026-07-01
4:51+13:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 6 2026-06-30 2026-06-30
6:44+20:0:1360:65535,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 6 2026-06-27 2026-06-27
4:51+13:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 6 2026-06-19 2026-06-23
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Android 16; Mobile; rv:148.0) Gecko… User-Agent claims Android
TCP SYN initial TTL 110+18 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Android 16; Mobile; rv:148.0) Gecko/148.0 Firefox/148.0
Observed TTL110+18 (observed + path distance → initial)
Claimed OSAndroid
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 6 2026-06-19 2026-06-19
4:53+11:0:1460:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWe… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.55
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 5 2026-06-29 2026-06-29
6:55+9:0:1392:65535,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/150.0.0.0 Safari/537.36 Edg/150.0.0.0
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 5 2026-07-01 2026-07-01
4:41+23:0:1460:65535,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… User-Agent claims Windows
TCP SYN initial TTL 41+23 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Observed TTL41+23 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 5 2026-07-02 2026-07-02
6:45+19:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 5 2026-06-27 2026-06-28
4:57+7:0:1420:mss*30,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gec… User-Agent claims Windows
TCP SYN initial TTL 57+7 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Observed TTL57+7 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 5 2026-07-01 2026-07-02
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 5 2026-06-25 2026-06-25
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 5 2026-06-25 2026-06-25
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 5 2026-06-25 2026-06-25
4:48+16:0:9174:65535,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 5 2026-07-01 2026-07-01
4:46+18:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 5 2026-06-16 2026-06-23
4:40+24:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 40+24 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Observed TTL40+24 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-11 2026-06-19
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-07-01 2026-07-01
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-13 2026-06-13
4:48+16:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-13 2026-06-17
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-11 2026-06-29
6:53+11:0:1376:8192,2:mss,nop,ws,nop,nop,sok::0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-07-02 2026-07-02
4:52+12:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-19 2026-06-19
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-17 2026-06-27
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)
Observed TTL116+12 (observed + path distance → initial)
Claimed OSLinux
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-23 2026-06-23
4:119+9:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 119+9 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/138.0.7204.23 Safari/537.36
Observed TTL119+9 (observed + path distance → initial)
Claimed OSLinux
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-11 2026-06-28
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64)
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-13 2026-06-18
4:51+13:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-07-02 2026-07-02
4:51+13:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-25 2026-07-02
4:49+15:0:1400:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-22 2026-06-22
4:53+11:0:1200:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 YaBrowser/26.4.0.0 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-20 2026-06-26
6:43+21:0:1440:mss*30,9:mss,nop,nop,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 4 2026-06-27 2026-06-27
4:52+12:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-11 2026-06-25
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-25 2026-06-25
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64)
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-12 2026-06-21
4:50+14:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-18 2026-06-18
4:52+12:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-28 2026-07-01
6:46+18:0:1432:65535,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-01 2026-07-01
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gec… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-14 2026-06-21
4:54+10:0:1452:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-01 2026-07-01
4:45+19:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.2623.112 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-16 2026-06-22
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-12 2026-06-13
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-11 2026-06-11
4:54+10:0:1460:65535,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-19 2026-06-19
6:47+17:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-28 2026-07-01
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-11 2026-06-29
4:49+15:0:1460:65535,6:mss,nop,ws,nop,nop,ts,sok,eol+1:df,ecn:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-01 2026-07-01
4:39+25:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 39+25 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL39+25 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-14 2026-06-14
4:51+13:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-12 2026-06-27
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 11.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.166 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-23 2026-06-23
4:54+10:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-01 2026-07-01
4:47+17:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.4333.269 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-23 2026-06-23
4:47+17:0:1400:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-01 2026-07-01
4:43+21:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-23 2026-06-23
4:52+12:0:1420:mss*30,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-23 2026-06-23
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Chrome-Lighthouse
Observed TTL116+12 (observed + path distance → initial)
Claimed OSmacOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-11 2026-06-11
4:46+18:0:1460:35844,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-22 2026-06-22
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-18 2026-06-18
4:50+14:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-23 2026-06-23
4:46+18:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-19 2026-06-19
4:49+15:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-30 2026-06-30
4:117+11:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 117+11 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/142.0.0.0 Safari/537.36
Observed TTL117+11 (observed + path distance → initial)
Claimed OSLinux
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-17 2026-06-17
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125 Safari/537.36 HackerMiniStoryImage/1.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-02 2026-07-02
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Observed TTL116+12 (observed + path distance → initial)
Claimed OSmacOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-16 2026-06-21
4:45+19:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-16 2026-06-22
4:44+20:0:1360:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-29 2026-06-29
4:54+10:0:1410:mss*30,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-29 2026-06-29
4:51+13:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-20 2026-06-20
4:55+9:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-29 2026-06-29
4:51+13:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-30 2026-06-30
4:51+13:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-29 2026-06-29
4:46+18:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-14 2026-06-14
4:56+8:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-29 2026-06-29
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-17 2026-07-01
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-26 2026-06-30
4:119+9:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_8 like M… User-Agent claims iOS
TCP SYN initial TTL 119+9 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 18_7_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0 Mobile/15E148 Safari/604.1
Observed TTL119+9 (observed + path distance → initial)
Claimed OSiOS
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-01 2026-07-01
6:48+16:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-27 2026-06-27
4:39+25:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 39+25 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL39+25 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-19 2026-06-22
4:47+17:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-14 2026-06-14
6:51+13:0:1440:mss*30,9:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-26 2026-06-26
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125 Safari/537.36 HackerMiniStoryImage/1.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-02 2026-07-02
4:49+15:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-26 2026-06-26
4:47+17:0:1420:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-19 2026-06-19
6:56+8:0:1440:mss*30,9:mss,nop,nop,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-26 2026-06-26
4:56+8:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-26 2026-06-26
4:54+10:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-02 2026-07-02
4:52+12:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.4754.172 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-26 2026-06-26
4:44+20:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-01 2026-07-01
4:47+17:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.4016.139 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-26 2026-06-26
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2836.1959 Safari/537.36
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-01 2026-07-01
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-07-01 2026-07-01
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-21 2026-06-22
4:45+19:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.4799.196 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencemedium — repeated co-occurrence, but initial TTL is environmental — capped at medium
medium 3 2026-06-25 2026-06-25
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gec… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-16
4:112+16:0:1344:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 112+16 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Observed TTL112+16 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 2 2026-06-17 2026-06-17
4:55+9:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-20 2026-06-20
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150.0) Gecko/20100101 Firefox/150.0
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-17
4:113+15:0:1424:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… User-Agent claims macOS
TCP SYN initial TTL 113+15 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Observed TTL113+15 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 2 2026-06-19 2026-06-27
4:51+13:0:1460:mss*29,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-19 2026-06-22
4:115+13:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 115+13 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL115+13 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 2 2026-06-17 2026-06-17
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-17
4:112+16:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM … User-Agent claims Android
TCP SYN initial TTL 112+16 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30
Observed TTL112+16 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 2 2026-06-11 2026-06-11
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-12 2026-06-13
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-17
4:42+22:0:1380:65535,14:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-19 2026-06-19
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… User-Agent claims iOS
TCP SYN initial TTL 110+18 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/148.0 Mobile/15E148 Safari/605.1.15
Observed TTL110+18 (observed + path distance → initial)
Claimed OSiOS
Confidencelow — single sighting of an environmental signal
low 2 2026-06-19 2026-06-19
4:56+8:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-19
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-18 2026-06-27
4:114+14:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 11; moto g power (20… User-Agent claims Android
TCP SYN initial TTL 114+14 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 11; moto g power (2022)) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Mobile Safari/537.36 Chrome-Lighthouse
Observed TTL114+14 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 2 2026-06-22 2026-06-22
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.71 Safari/537.36 SE 2.X MetaSr 1.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-13 2026-06-13
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-19 2026-06-19
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gec… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-19 2026-06-30
4:44+20:0:1380:65535,14:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-19 2026-06-19
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gec… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-16
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-29 2026-06-29
4:47+17:0:1460:65535,14:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-19 2026-06-19
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-11 2026-06-12
4:50+14:0:1340:mtu*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-14 2026-06-19
4:52+12:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-23 2026-06-30
4:51+13:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-19 2026-06-19
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Bu… User-Agent claims Android
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)
Observed TTL116+12 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 2 2026-06-23 2026-06-23
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 110+18 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
Observed TTL110+18 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 2 2026-06-21 2026-06-25
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-20 2026-06-20
4:113+15:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/… User-Agent claims Android
TCP SYN initial TTL 113+15 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
Observed TTL113+15 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 2 2026-06-12 2026-06-14
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-20 2026-06-20
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-23
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-13 2026-06-18
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-12 2026-06-12
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-17
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-17 2026-06-17
4:53+11:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-11 2026-06-11
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/605.1.15 AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)
Observed TTL116+12 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 2 2026-06-23 2026-06-23
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-17
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 Edg/147.0.0.0
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-17
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-17
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.57
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-16 2026-06-16
4:109+19:0:1400:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 109+19 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Observed TTL109+19 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 2 2026-06-19 2026-06-19
6:42+22:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.100 Safari/537.36
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-26 2026-06-26
4:50+14:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.4779.120 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-25 2026-06-25
4:56+8:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0.5735.110 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-25 2026-06-25
4:54+10:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-26 2026-06-26
6:46+18:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-27 2026-06-27
6:47+17:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-27 2026-06-27
4:53+11:0:8960:mss*7,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-27 2026-06-27
6:48+16:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-28 2026-06-28
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-28 2026-06-28
6:50+14:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 Edg/146.0.3856.109
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-28 2026-06-28
4:54+10:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-29 2026-06-29
4:44+20:0:1440:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-29 2026-06-29
4:57+7:0:1360:65535,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 57+7 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Observed TTL57+7 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-29 2026-06-29
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko… User-Agent claims Android
TCP SYN initial TTL 121+7 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/112.0 Firefox/112.0 AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)
Observed TTL121+7 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 2 2026-06-29 2026-06-29
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Bu… User-Agent claims Android
TCP SYN initial TTL 121+7 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)
Observed TTL121+7 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 2 2026-06-29 2026-06-29
4:46+18:0:1380:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-29 2026-06-29
4:52+12:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:54+10:0:1131:65535,9:mss,nop,ws,sok,ts:df:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-29 2026-06-29
6:51+13:0:1440:65535,7:mss,nop,nop,sok,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-30 2026-06-30
4:45+19:0:1460:mss*29,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-30 2026-06-30
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:47+17:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:51+13:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 118+10 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Observed TTL118+10 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:41+23:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 41+23 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL41+23 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/2010… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:115+13:0:1460:mss*44,9:mss,nop,nop,sok,nop,ws:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 115+13 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL115+13 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:53+11:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; trendi… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; trendictionbot0.5.0; trendiction search; http://www.trendiction.de/bot; please let us know of any problems; web at trendiction.com) Gecko/20100101 Firefox/125.0
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-02
4:47+17:0:1380:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:114+14:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) … User-Agent claims macOS
TCP SYN initial TTL 114+14 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Observed TTL114+14 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:45+19:0:1452:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:109+19:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) … User-Agent claims macOS
TCP SYN initial TTL 109+19 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Observed TTL109+19 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:53+11:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-02
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) … User-Agent claims macOS
TCP SYN initial TTL 118+10 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Lanai)
Observed TTL118+10 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:49+15:0:1380:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-01
4:55+9:0:1410:mss*46,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-02 2026-07-02
4:48+16:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-02 2026-07-02
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Android
TCP SYN initial TTL 121+7 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Observed TTL121+7 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-02
4:49+15:0:1460:mss*29,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-06-26 2026-07-02
4:53+11:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 2 2026-07-01 2026-07-02
6:45+19:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:49+15:0:8960:mss*7,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:111+17:0:1360:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) … User-Agent claims macOS
TCP SYN initial TTL 111+17 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL111+17 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-18 2026-06-18
4:56+8:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:114+14:0:1412:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like M… User-Agent claims iOS
TCP SYN initial TTL 114+14 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Mobile/15E148 Safari/604.1
Observed TTL114+14 (observed + path distance → initial)
Claimed OSiOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-22 2026-06-22
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:53+11:0:1354:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-20 2026-06-20
6:45+19:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:40+24:0:1412:mss*1,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 40+24 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL40+24 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-12 2026-06-12
4:54+10:0:1460:65535,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
6:45+19:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:61+3:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 61+3 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 YaBrowser/26.3.0.0 Safari/537.36
Observed TTL61+3 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:50+14:0:1460:65535,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-20 2026-06-20
6:49+15:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:53+11:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36 Edg/145.0.0.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:53+11:0:1420:65535,0:mss,sok,ts:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-18 2026-06-18
4:46+18:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:44+20:0:1460:mss*1,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
6:45+19:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2486.0 Safari/537.36 Edge/13.10586
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gec… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:117+11:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 117+11 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Observed TTL117+11 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-22 2026-06-22
4:45+19:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.36 Safari/535.7
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:114+14:0:1360:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 114+14 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
Observed TTL114+14 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-12 2026-06-12
4:53+11:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3881.0 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-13 2026-06-13
6:45+19:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:52+12:0:1420:mss*30,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:117+11:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… User-Agent claims Android
TCP SYN initial TTL 117+11 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Observed TTL117+11 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.71.6212.24) Gecko/25.2.4212.671 Firefox/2.0
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:52+12:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:41+23:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 41+23 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0
Observed TTL41+23 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-12 2026-06-12
4:49+15:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:120+8:0:1436:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/… User-Agent claims Android
TCP SYN initial TTL 120+8 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
Observed TTL120+8 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 1 2026-06-22 2026-06-22
6:43+21:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Edg/91.0.864.54
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-30 2026-06-30
4:41+23:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 41+23 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Observed TTL41+23 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
6:51+13:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:55+9:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.4872.1411 Safari/537.36
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:115+13:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/5… User-Agent claims Android
TCP SYN initial TTL 115+13 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Mobile Safari/537.36 (compatible; Google-Read-Aloud; +https://support.google.com/webmasters/answer/1061943)
Observed TTL115+13 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:45+19:0:1380:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:43+21:0:1460:mss*1,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
4:110+18:0:1360:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 110+18 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15
Observed TTL110+18 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:112+16:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 112+16 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Observed TTL112+16 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-15 2026-06-15
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:53+11:0:1460:mss*22,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.25 Safari/537.36 Core/1.70.3883.400 QQBrowser/10.8.4559.400
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-12 2026-06-12
4:47+17:0:1460:mss*44,7:mss,nop,nop,sok,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-20 2026-06-20
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:113+15:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 12_5) App… User-Agent claims macOS
TCP SYN initial TTL 113+15 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 YaBrowser/22.7.0 Yowser/2.5 Safari/537.36
Observed TTL113+15 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:49+15:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL116+12 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-15 2026-06-15
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; rv:108.0) Gecko/20… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; rv:108.0) Gecko/20100101 Firefox/108.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:42+22:0:1460:mss*22,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-13 2026-06-13
4:53+11:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:41+23:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 41+23 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE
Observed TTL41+23 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-13 2026-06-13
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-12 2026-06-12
4:56+8:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:50+14:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL116+12 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:41+23:0:1412:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 9_1_2; Win64; x64) Apple… User-Agent claims Windows
TCP SYN initial TTL 41+23 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 9_1_2; Win64; x64) AppleWebKit/580.46 (KHTML, like Gecko) Chrome/51.0.2449 Safari/537.36
Observed TTL41+23 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-21 2026-06-21
4:45+19:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-21 2026-06-21
4:38+26:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 38+26 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 (Silvy X Ran)
Observed TTL38+26 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:50+14:0:1452:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:51+13:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-21 2026-06-21
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/5… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/537.32.36 (KHTML, live Gecko) Chrome/59.0.3063.52 Safari/537.32
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-21 2026-06-21
4:50+14:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-22 2026-06-22
4:112+16:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 112+16 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Observed TTL112+16 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-20 2026-06-20
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Linux; Android 4.4.2; LG-V410 Build… User-Agent claims Android
TCP SYN initial TTL 110+18 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 4.4.2; LG-V410 Build/KOT49I.V41010d) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.103 Safari/537.36
Observed TTL110+18 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 1 2026-06-21 2026-06-21
4:113+15:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 113+15 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Observed TTL113+15 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-20 2026-06-20
4:51+13:0:1440:mss*45,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Geck… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:55+9:0:1460:26883,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:53+11:0:1400:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-20 2026-06-20
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:50+14:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) G… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) Gecko/20100101 Firefox/143.0
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-22 2026-06-22
4:49+15:0:1460:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR) … User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR) AppleWebKit/525.28 (KHTML, like Gecko) Version/3.2.2 Safari/525.28.1
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-12 2026-06-12
4:40+24:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 40+24 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 (Silvy X Ran)
Observed TTL40+24 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/5… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/537.32.36 (KHTML, live Gecko) Chrome/50.0.3051.111 Safari/537.32
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-13 2026-06-13
4:112+16:0:1412:65535,8:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 112+16 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Observed TTL112+16 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:48+16:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150.0) Gecko/20100101 Firefox/150.0
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:104+24:0:1400:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 104+24 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Observed TTL104+24 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/2012… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/20121202 Firefox/20.0
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-12 2026-06-12
4:115+13:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 115+13 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Observed TTL115+13 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-21 2026-06-21
6:42+22:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 OPR/117.0.0.
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-02 2026-07-02
4:51+13:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:57+7:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… User-Agent claims Windows
TCP SYN initial TTL 57+7 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0
Observed TTL57+7 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:48+16:0:1460:65535,8:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-22 2026-06-22
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-18 2026-06-18
4:53+11:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-15 2026-06-15
4:45+19:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:51+13:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/129.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-20 2026-06-20
4:48+16:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:46+18:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWe… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0.0; Win64; x64; ) Ap… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0.0; Win64; x64; ) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.156 Not(A:Brand/24 YaBrowser/24.4.1.899 Yowser/2.5 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:56+8:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:53+11:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Edg/91.0.864.54
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-18 2026-06-18
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/5… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/537.32.36 (KHTML, live Gecko) Chrome/54.0.3023.92 Safari/537.32
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-20 2026-06-20
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gec… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.8
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-30 2026-06-30
4:40+24:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 40+24 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.5999.0 Safari/537.36
Observed TTL40+24 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-18 2026-06-18
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.78
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-21 2026-06-21
4:54+10:0:1420:mss*30,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; rv:140.0) Gecko/20… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-12 2026-06-12
4:52+12:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-15 2026-06-15
4:113+15:0:1460:65535,1:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 113+15 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 OPR/89.0.4447.51
Observed TTL113+15 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:113+15:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 113+15 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 OPR/89.0.4447.51
Observed TTL113+15 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:114+14:0:1358:64446,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… User-Agent claims macOS
TCP SYN initial TTL 114+14 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Observed TTL114+14 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:113+15:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 113+15 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Safari/605.1.15
Observed TTL113+15 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Edg/91.0.864.54
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:56+8:0:1460:mss*30,12:mss,sok,ts,nop,ws:df,id+,ts2+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
4:56+8:0:1460:mss*30,12:mss,sok,ts,nop,ws:df,id+,ts2+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
4:111+17:0:1440:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) … User-Agent claims macOS
TCP SYN initial TTL 111+17 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Observed TTL111+17 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
6:43+21:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.100 Safari/537.36
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:51+13:0:1360:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-12 2026-06-12
4:56+8:0:1460:mss*30,12:mss,sok,ts,nop,ws:df,id+,ts2+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150.0) Gecko/20100101 Firefox/150.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:119+9:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Linux; Android 11; DN2101) AppleWeb… User-Agent claims Android
TCP SYN initial TTL 119+9 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 11; DN2101) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Mobile Safari/537.36
Observed TTL119+9 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 1 2026-06-27 2026-06-27
4:56+8:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:44+20:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:57+7:0:1460:mss*44,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 57+7 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Observed TTL57+7 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
4:45+19:0:1440:65535,8:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:117+11:0:1412:65535,8:mss,nop,ws,sok,ts:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7; … User-Agent claims macOS
TCP SYN initial TTL 117+11 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7; arm64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/14.0.0.0 Safari/537.36
Observed TTL117+11 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:55+9:0:1440:mss*30,9:mss,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; rv:110.0) Gecko/20… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; rv:110.0) Gecko/20100101 Firefox/110.0
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:44+20:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.100 Safari/537.36
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
6:45+19:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.100 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
6:46+18:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.100 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
4:38+26:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 38+26 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.2210.144
Observed TTL38+26 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-18 2026-06-18
4:44+20:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.4779.120 Safari/537.36
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
6:52+12:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 56+8 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL56+8 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
4:40+24:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 40+24 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL40+24 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:58+6:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; … User-Agent claims Windows
TCP SYN initial TTL 58+6 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090825 SeaMonkey/1.1.18
Observed TTL58+6 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.7258.5 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.35/36 Safari/537.36
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-25 2026-06-25
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Viewer/99.9.8853.8
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-27 2026-06-27
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-17 2026-06-17
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gec… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
4:110+18:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (iPhone; CPU iPhone OS 17_6_1 like M… User-Agent claims iOS
TCP SYN initial TTL 110+18 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1
Observed TTL110+18 (observed + path distance → initial)
Claimed OSiOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-22 2026-06-22
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 Edg/147.0.0.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
6:46+18:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 OPR/113.0.0.0
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:57+7:0:1460:65535,8:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 57+7 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Observed TTL57+7 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:46+18:0:1460:65535,7:mss,nop,nop,sok,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-27 2026-06-27
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/5… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/537.32.36 (KHTML, live Gecko) Chrome/55.0.3018.81 Safari/537.32
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) … User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gec… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-18 2026-06-18
6:49+15:0:1380:65535,7:mss,nop,nop,sok,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-27 2026-06-27
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) … User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:109+19:0:1436:mss*45,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac… User-Agent claims iOS
TCP SYN initial TTL 109+19 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Mobile/15E148 Safari/604.1
Observed TTL109+19 (observed + path distance → initial)
Claimed OSiOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-30 2026-06-30
4:46+18:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:115+13:0:1424:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… User-Agent claims macOS
TCP SYN initial TTL 115+13 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Observed TTL115+13 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:52+12:0:1420:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko; compatible; BuiltWith/1.4; rb.gy/xprgqj) Chrome/124.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-12 2026-06-12
4:50+14:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-16 2026-06-16
4:120+8:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Linux; Android 13; SM-A037U) AppleW… User-Agent claims Android
TCP SYN initial TTL 120+8 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 13; SM-A037U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Mobile Safari/537.36
Observed TTL120+8 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:117+11:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (X11; Debian; Linux x86_64; rv:145.0… User-Agent claims Linux
TCP SYN initial TTL 117+11 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Debian; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Observed TTL117+11 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-22 2026-06-22
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:49+15:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:48+16:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/201… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:43+21:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.2623.112 Safari/537.36
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:55+9:0:1350:mss*48,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:120+8:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 120+8 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
Observed TTL120+8 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:53+11:0:1452:mss*44,1:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.43
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:51+13:0:1200:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:55+9:0:1460:26883,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4093.0 Safari/537.36 Edg/83.0.470.0
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-27 2026-06-27
4:54+10:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) G… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) Gecko/20100101 Firefox/143.0
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:47+17:0:1440:mss*45,7:mss,nop,nop,sok,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:50+14:0:1460:mss*44,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:49+15:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:49+15:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:49+15:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:49+15:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-26 2026-06-26
4:45+19:0:1460:mss*29,9:mss,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-27 2026-06-27
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) … User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-27 2026-06-27
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-27 2026-06-27
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-30 2026-06-30
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/… User-Agent claims Linux
TCP SYN initial TTL 110+18 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Observed TTL110+18 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-15 2026-06-15
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Linux; Android 16; SM-S921U) AppleW… User-Agent claims Android
TCP SYN initial TTL 118+10 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 16; SM-S921U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.7632.6 Mobile Safari/537.36
Observed TTL118+10 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 1 2026-06-21 2026-06-21
4:43+21:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:54+10:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.7827.201 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-02 2026-07-02
6:47+17:0:1440:mss*42,14:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
6:48+16:0:1440:mss*42,14:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:101+27:0:1420:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7; … User-Agent claims macOS
TCP SYN initial TTL 101+27 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7; arm64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/13.0.0.0 Safari/537.36
Observed TTL101+27 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-27 2026-06-27
4:41+23:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 41+23 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL41+23 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
6:49+15:0:1440:mss*42,14:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:43+21:0:1399:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
4:115+13:0:1460:mss*44,6:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 115+13 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Observed TTL115+13 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-20 2026-06-20
6:113+15:0:1440:65535,8:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… User-Agent claims Linux
TCP SYN initial TTL 113+15 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL113+15 (observed + path distance → initial)
Claimed OSLinux
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:54+10:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:44+20:0:1440:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 44+20 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL44+20 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:49+15:0:1340:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:54+10:0:1330:mss*49,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-27 2026-06-27
4:53+11:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-11 2026-06-11
4:53+11:0:1400:65535,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-30 2026-06-30
6:49+15:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:49+15:0:1340:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 Edg/146.0.3856.109
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:48+16:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:47+17:0:1400:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
6:47+17:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:50+14:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:50+14:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:48+16:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 Edg/146.0.3856.109
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 Edg/146.0.3856.109
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:47+17:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:49+15:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:48+16:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
6:54+10:0:1390:mss*47,8:mss,nop,ws,nop,nop,sok:flow:0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:51+13:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 51+13 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL51+13 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:55+9:0:1460:26883,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-28 2026-06-28
4:43+21:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … User-Agent claims Windows
TCP SYN initial TTL 43+21 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Observed TTL43+21 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-14 2026-06-14
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:58+6:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 58+6 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Observed TTL58+6 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:116+12:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (Linux; Android 10; x86) AppleWebKit… User-Agent claims Android
TCP SYN initial TTL 116+12 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Linux; Android 10; x86) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
Observed TTL116+12 (observed + path distance → initial)
Claimed OSAndroid
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWe… User-Agent claims Windows
TCP SYN initial TTL 49+15 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Observed TTL49+15 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-19 2026-06-19
4:52+12:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 52+12 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 Edg/149.0.0.0
Observed TTL52+12 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:55+9:0:1460:26883,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0;… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:54+10:0:1452:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 54+10 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Observed TTL54+10 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:50+14:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:111+17:0:1400:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 111+17 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Safari/605.1.15
Observed TTL111+17 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/5… User-Agent claims Windows
TCP SYN initial TTL 55+9 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/537.32.36 (KHTML, live Gecko) Chrome/50.0.3102.52 Safari/537.32
Observed TTL55+9 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:50+14:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 50+14 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Observed TTL50+14 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:114+14:0:1380:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 114+14 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Version/17.0 Safari/605.1.15
Observed TTL114+14 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:111+17:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … User-Agent claims macOS
TCP SYN initial TTL 111+17 indicates Windows

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Observed TTL111+17 (observed + path distance → initial)
Claimed OSmacOS
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
6:48+16:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/2010… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:47+17:0:1460:mss*44,11:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128… User-Agent claims Windows
TCP SYN initial TTL 47+17 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Observed TTL47+17 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.… User-Agent claims Windows
TCP SYN initial TTL 48+16 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0;
Observed TTL48+16 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29
4:53+11:0:1460:65535,13:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… User-Agent claims Windows
TCP SYN initial TTL 53+11 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Observed TTL53+11 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-23 2026-06-23
4:46+18:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:45+19:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:45+19:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126… User-Agent claims Windows
TCP SYN initial TTL 45+19 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Observed TTL45+19 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:46+18:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 46+18 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Observed TTL46+18 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-07-01 2026-07-01
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… User-Agent claims Windows
TCP SYN initial TTL 42+22 indicates Unix-like

The initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.

Full User-AgentMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
Observed TTL42+22 (observed + path distance → initial)
Claimed OSWindows
Confidencelow — single sighting of an environmental signal
low 1 2026-06-29 2026-06-29

Bot claim vs. published operator ranges

A User-Agent declaring a major bot — a search or AI crawler or a user-triggered fetcher — observed from an IP outside the ranges that operator publishes for it, or inside a different operator's ranges. Unlike the checks above, this is not a wire-vs-claim contradiction: it is the self-declared identity against the operator's own authoritative published list. An IP the operator does not list, arriving under its bot's name, is almost always an impersonator — scrapers spoof crawlers to dodge rate limits and earn crawler treatment. The consistent side (an IP inside the published range) appears as a "published range match" on the fingerprint page, not here.

User-Agentclaimsfrom networkpublished ranges showconfidenceseenfirst seenlast seen
Mozilla/5.0 (compatible; Googlebot/2.1; +http://… Googlebot AS396982 Google LLC
Outside Googlebot's published ranges

This User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.

Claimed crawlerGooglebot
NetworkAS396982 Google LLC
Confidencemedium — softened: the source is the operator's own network, where a too-new range or a non-bot host is a likelier cause than a spoof
medium 3 2026-06-27 2026-06-29
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Geck… Googlebot AS39603 P4 Sp. z o.o.
Outside Googlebot's published ranges

This User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.

Claimed crawlerGooglebot
NetworkAS39603 P4 Sp. z o.o.
Confidencehigh — the operator publishes the IPs it uses and this one is not among them
high 1 2026-06-30 2026-06-30
Mozilla/5.0 (compatible; Googlebot/2.1; +http://… Googlebot AS212238 Datacamp Limited
Outside Googlebot's published ranges

This User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.

Claimed crawlerGooglebot
NetworkAS212238 Datacamp Limited
Confidencehigh — the operator publishes the IPs it uses and this one is not among them
high 1 2026-06-25 2026-06-25
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… Googlebot AS24940 Hetzner Online GmbH
Outside Googlebot's published ranges

This User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.

Claimed crawlerGooglebot
NetworkAS24940 Hetzner Online GmbH
Confidencehigh — the operator publishes the IPs it uses and this one is not among them
high 1 2026-07-01 2026-07-01
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… Googlebot AS20278 Nexeon Technologies, Inc.
Outside Googlebot's published ranges

This User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.

Claimed crawlerGooglebot
NetworkAS20278 Nexeon Technologies, Inc.
Confidencehigh — the operator publishes the IPs it uses and this one is not among them
high 1 2026-07-01 2026-07-01
Mozilla/5.0 (compatible; Googlebot/2.1; +http://… Googlebot AS8075 Microsoft Corporation
Outside Googlebot's published ranges

This User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.

Claimed crawlerGooglebot
NetworkAS8075 Microsoft Corporation
Confidencehigh — the operator publishes the IPs it uses and this one is not among them
high 1 2026-06-26 2026-06-26

How confidence is assigned