Inconsistencies
Where a client's self-declaration disagrees with what its connection actually proved at the wire. A User-Agent is a claim anyone can set; the TLS, TCP, and HTTP/2 fingerprints below are measured from the bytes. Disagreement is the classic signal of automation dressed as a browser — though VPNs, proxies, privacy tools, and shared fingerprints produce honest mismatches too, so these are leads, not verdicts. Each check scans every co-observed pairing on record (display capped at 500 per check).
Browser claim vs. tool fingerprint
A User-Agent claiming a mainstream browser, observed with a TLS ClientHello the JA4+ database identifies as a non-browser tool (curl, a C2 agent, a library). The TLS stack is far harder to forge convincingly than the User-Agent header.
| fingerprint | User-Agent | claims | wire shows | confidence | seen | first seen | last seen | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like M… | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 508 | 2026-06-11 | 2026-07-02 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 81 | 2026-06-14 | 2026-06-14 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 9 | 2026-06-16 | 2026-07-02 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… | User-Agent claims Firefox | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 6 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 6 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 14; SM-S928B) AppleW… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 6 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/… | User-Agent claims Firefox | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 6 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… | User-Agent claims Firefox | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 6 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_1 like Mac… | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 6 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 6 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 6 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 10; LIO-AN00 Build/H… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 5 | 2026-06-17 | 2026-06-26 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 5 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 5 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Edge | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 5 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 5 | 2026-06-25 | 2026-06-25 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Linux; Android 11; vivo 1906; wv) A… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 4 | 2026-06-27 | 2026-06-30 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 3 | 2026-06-27 | 2026-06-30 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
high | 3 | 2026-07-01 | 2026-07-01 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
visionheight.com/scan Mozilla/5.0 (Macintosh; In… | User-Agent claims visionheight.com | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 2 | 2026-06-25 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-13 | 2026-06-13 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-13 | 2026-06-13 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (X11; U; Linux i686; rv:19.0) Gecko/… | User-Agent claims Firefox | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-14 | 2026-06-14 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-14 | 2026-06-14 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 8.0.0; SM-G950U1) Ap… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-14 | 2026-06-14 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; U; Android 6.0; he-il; Redmi… | User-Agent claims Miui Browser | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-14 | 2026-06-14 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; Nokia 7.1) AppleW… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-14 | 2026-06-14 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-14 | 2026-06-14 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-14 | 2026-06-14 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.… | User-Agent claims Internet Explorer | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; LG-H930) AppleWeb… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; Redmi Note 4) App… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWe… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; ONEPLUS A3010) Ap… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Vers… | User-Agent claims Opera | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; SM-A600G) AppleWe… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 4.4.2; SM-T230NU Bui… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 6.0; HTC One M9 Buil… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 5.1; C6740N Build/LM… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; fr-fr) … | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/2… | User-Agent claims Firefox | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; SM-G950F) AppleWe… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gec… | User-Agent claims Firefox | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 7.0; SM-J327T1) Appl… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; moto g(6)) AppleW… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.1 … | User-Agent claims Ubuntu | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone… | User-Agent claims Internet Explorer | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-16 | 2026-06-16 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.71 … | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-18 | 2026-06-18 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-19 | 2026-06-19 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) App… | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; … | User-Agent claims Gecko | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; SM-A505F) AppleWe… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) A… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-25 | 2026-06-25 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 4.0.4; BNTV400 Build… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-26 | 2026-06-26 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; BNT… | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-29 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 5.1.1; Coolpad 3622A… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-29 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) A… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-29 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-29 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-29 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5… | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-29 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) … | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-29 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; G8141) AppleWebKi… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-29 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like M… | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-29 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 8.0.0; SM-G955F) App… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-29 | 2026-06-29 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone… | User-Agent claims Internet Explorer | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-30 | 2026-06-30 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:… | User-Agent claims Firefox | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-30 | 2026-06-30 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US… | User-Agent claims KHTML, like Gecko, Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-30 | 2026-06-30 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWe… | User-Agent claims Opera | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-30 | 2026-06-30 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-11 | 2026-06-11 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-07-02 | 2026-07-02 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-18 | 2026-06-18 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/560.… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-13 | 2026-06-13 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/583.… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-15 | 2026-06-15 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/582.… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-18 | 2026-06-18 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 8_0_2) Ap… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-18 | 2026-06-18 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) … | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-19 | 2026-06-19 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-19 | 2026-06-19 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWe… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-19 | 2026-06-19 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Windows NT 9_1_2; Win64; x64) Apple… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-21 | 2026-06-21 | ||||||
t13d191000_9dc949149365_e7c285222651 |
Mozilla/5.0 (Linux; Android 4.4.2; LG-V410 Build… | User-Agent claims Chrome | JA4 identified as ngrokThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-21 | 2026-06-21 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Ubuntu Chromium | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-11 | 2026-06-11 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Pr… | User-Agent claims Opera | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-11 | 2026-06-11 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Ap… | User-Agent claims Safari | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-11 | 2026-06-11 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 7.0; Moto G (5) Plus… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-11 | 2026-06-11 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; U; Android 1.6; en-us; HTC_T… | User-Agent claims Android browser | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-11 | 2026-06-11 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) … | User-Agent claims Whale | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-12 | 2026-06-12 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; H3223) AppleWebKi… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-13 | 2026-06-13 | ||||||
t13d190900_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Linux; Android 9; Redmi Note 7) App… | User-Agent claims Chrome | JA4 identified as Sliver AgentThe TLS ClientHello is produced by the client's TLS library and is far harder to forge than a User-Agent header. This fingerprint's dominant community label is a non-browser tool, so the browser claim contradicts the wire.
|
medium | 1 | 2026-06-13 | 2026-06-13 |
Browser claim vs. measured captures
A User-Agent claiming a browser the catalog has measured, at a version inside the measured range, whose TLS fingerprint is consistent with none of this site's controlled captures of that browser. Where the check above leans on an external label, this one is grounded in measurement. The comparison is layered: a fingerprint differing from a capture only in handshake-variant extensions (session resumption, 0-RTT, session tickets, padding) counts as consistent and is not shown; a differing cipher list is the stronger lead (medium); matching ciphers with a differing extension or signature-algorithm set is weaker (low) — most often a field-trial, ECH, or build variant not yet captured. It sharpens as catalog coverage broadens.
| fingerprint | User-Agent | claims | wire shows | confidence | seen | first seen | last seen | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
t13d181300_e8a523a41297_43ade6aba3df |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Chrome 148.0.7778.96 | TLS cipher list matches no measured Chrome captureThe offered TLS cipher suites match no controlled capture of Chrome. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 111 | 2026-06-11 | 2026-06-15 | ||||||||||
t13d1517h2_8daaf6152771_dcad5a053991 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 149.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 71 | 2026-06-16 | 2026-07-01 | ||||||||||
t13d1715h2_5b57614c22b0_a54fffd0eb61 |
Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… | User-Agent claims Firefox 140.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 34 | 2026-06-11 | 2026-07-01 | ||||||||||
t13d1615h2_86a278354501_a54fffd0eb61 |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 29 | 2026-06-29 | 2026-07-01 | ||||||||||
q13d0313h3_55b375c5d22e_fc7519ff7bc2 |
Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… | User-Agent claims Firefox 140.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 29 | 2026-06-16 | 2026-07-01 | ||||||||||
q13d0315h3_55b375c5d22e_bb76f32061e3 |
Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… | User-Agent claims Firefox 151.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 27 | 2026-06-11 | 2026-06-26 | ||||||||||
t13d1715h2_5b57614c22b0_a54fffd0eb61 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Firefox 140.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 20 | 2026-06-20 | 2026-06-27 | ||||||||||
t13d1615h2_86a278354501_a54fffd0eb61 |
Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… | User-Agent claims Firefox 151.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 18 | 2026-06-11 | 2026-06-26 | ||||||||||
t13d1715h2_5b57614c22b0_a54fffd0eb61 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… | User-Agent claims Firefox 140.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 18 | 2026-07-01 | 2026-07-01 | ||||||||||
q13d0315h3_55b375c5d22e_bb76f32061e3 |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 13 | 2026-06-29 | 2026-07-01 | ||||||||||
t13d1714h2_5b57614c22b0_53a6d0ab1c42 |
Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… | User-Agent claims Firefox 140.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 12 | 2026-06-17 | 2026-07-01 | ||||||||||
t13d311200_e8f1e7e78f70_ccd0985badbe |
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0… | User-Agent claims Firefox 134.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 11 | 2026-06-17 | 2026-06-19 | ||||||||||
t13d3113h1_e8f1e7e78f70_89992bd7bbd7 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145… | User-Agent claims Firefox 145.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 11 | 2026-06-11 | 2026-06-29 | ||||||||||
q13d0316h3_55b375c5d22e_ef339f267f22 |
Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… | User-Agent claims Firefox 151.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 9 | 2026-06-11 | 2026-06-23 | ||||||||||
t13d1614h2_86a278354501_53a6d0ab1c42 |
Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… | User-Agent claims Firefox 151.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 9 | 2026-06-11 | 2026-06-26 | ||||||||||
t13d1312h1_f57a46bbacb6_ab7e3b40a677 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 15.7; rv:… | User-Agent claims Firefox 149.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 8 | 2026-06-12 | 2026-06-30 | ||||||||||
t13d1312h1_f57a46bbacb6_ab7e3b40a677 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 15_7_5) A… | User-Agent claims Safari 26.0 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 8 | 2026-06-28 | 2026-06-30 | ||||||||||
t13d1610h2_86a278354501_1b18b669d02d |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 7 | 2026-07-02 | 2026-07-02 | ||||||||||
t13d311200_e8f1e7e78f70_d339722ba4af |
Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/… | User-Agent claims Firefox 142.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 7 | 2026-06-23 | 2026-07-02 | ||||||||||
t13d1312h1_f57a46bbacb6_ab7e3b40a677 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Firefox 149.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 7 | 2026-06-28 | 2026-06-30 | ||||||||||
t13d1715h2_5b57614c22b0_a54fffd0eb61 |
Mozilla/5.0 (Android 16; Mobile; rv:148.0) Gecko… | User-Agent claims Firefox 148.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 6 | 2026-06-19 | 2026-06-19 | ||||||||||
t13d131000_f57a46bbacb6_e7c285222651 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… | User-Agent claims Firefox 133.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 6 | 2026-06-11 | 2026-06-30 | ||||||||||
t13d1515h1_8daaf6152771_0a20fe35d3a5 |
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac… | User-Agent claims Safari 26.0 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 6 | 2026-06-22 | 2026-06-22 | ||||||||||
t12d180700_4b22cbed5bed_2dae41c691ec |
Mozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) G… | User-Agent claims Firefox 143.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 6 | 2026-06-19 | 2026-07-01 | ||||||||||
t13d1614h2_86a278354501_53a6d0ab1c42 |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 5 | 2026-06-29 | 2026-07-01 | ||||||||||
t13d1617h2_86a278354501_3e9721a6796e |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 5 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1616h2_86a278354501_eeeea6562960 |
Mozilla/5.0 (Android 16; Mobile; rv:152.0) Gecko… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 5 | 2026-07-02 | 2026-07-02 | ||||||||||
t13d1312h2_a44d0ee8b3cc_e381dae6da6b |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Chrome 149.0.0.0 | TLS cipher list matches no measured Chrome captureThe offered TLS cipher suites match no controlled capture of Chrome. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 5 | 2026-06-23 | 2026-06-23 | ||||||||||
t13d1517h2_8daaf6152771_cb7bf5808d99 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 150.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 5 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1614h2_86a278354501_3dd24b5ebec4 |
Mozilla/5.0 (Android 16; Mobile; rv:151.0) Gecko… | User-Agent claims Firefox 151.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 5 | 2026-06-11 | 2026-06-11 | ||||||||||
t13d311000_e8f1e7e78f70_518fb456ca59 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… | User-Agent claims Firefox 147.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 5 | 2026-06-17 | 2026-06-19 | ||||||||||
t13d1517h2_8daaf6152771_3cbfd9057e0d |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 5 | 2026-07-02 | 2026-07-02 | ||||||||||
t13d1616h2_86a278354501_eeeea6562960 |
Mozilla/5.0 (Android 17; Mobile; rv:151.0) Gecko… | User-Agent claims Firefox 151.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 4 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1514h2_8daaf6152771_827b515c4f52 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 149.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 4 | 2026-06-19 | 2026-06-23 | ||||||||||
t13d1516h2_8daaf6152771_02713d6af862 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 149.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 4 | 2026-06-19 | 2026-06-19 | ||||||||||
t13d260900_6d1bcf7a4624_188c7f576dcd |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 149.0.0.0 | TLS cipher list matches no measured Chrome captureThe offered TLS cipher suites match no controlled capture of Chrome. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 4 | 2026-06-23 | 2026-07-01 | ||||||||||
t13d1716h2_6e7903f2cb1b_0c27189014cf |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 4 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1714h2_5b57614c22b0_53a6d0ab1c42 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 4 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1516h2_8daaf6152771_02713d6af862 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 148.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 4 | 2026-06-16 | 2026-06-28 | ||||||||||
t13d131000_f57a46bbacb6_e7c285222651 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Firefox 140.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 4 | 2026-06-30 | 2026-06-30 | ||||||||||
t13d571400_b456ddcad344_43e0e1cab074 |
Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… | User-Agent claims Firefox 151.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 4 | 2026-06-29 | 2026-06-29 | ||||||||||
t13d1711h2_5dc684030f41_86ae21f8795b |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151… | User-Agent claims Firefox 151.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 4 | 2026-06-22 | 2026-06-22 | ||||||||||
t13d1615h2_86a278354501_ccb9c18a2635 |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 4 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1312h2_a44d0ee8b3cc_e381dae6da6b |
Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… | User-Agent claims Firefox 140.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 3 | 2026-06-23 | 2026-06-23 | ||||||||||
t13d131100_f57a46bbacb6_ab7e3b40a677 |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… | User-Agent claims Safari 26.5 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 3 | 2026-06-11 | 2026-06-20 | ||||||||||
t13d1516h2_8daaf6152771_d8a2da3f94cd |
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac… | User-Agent claims Safari 26.0 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 3 | 2026-07-02 | 2026-07-02 | ||||||||||
t13d1511h2_8daaf6152771_b9003e5c3fb3 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 149.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 3 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1615h2_86a278354501_a54fffd0eb61 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 3 | 2026-06-25 | 2026-06-25 | ||||||||||
t13d131000_f57a46bbacb6_e7c285222651 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… | User-Agent claims Firefox 150.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 3 | 2026-06-16 | 2026-06-17 | ||||||||||
q13d0311h3_55b375c5d22e_f2a83c8e78ae |
Mozilla/5.0 (iPhone; CPU iPhone OS 26_5_0 like M… | User-Agent claims Chrome 149.0.7827.137 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 3 | 2026-06-26 | 2026-06-26 | ||||||||||
t13d151100_8daaf6152771_882d495ac381 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Chrome 148.0.0.0 | TLS extensions or signature algorithms differ from every measured Chrome captureThe cipher suites match Chrome, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 3 | 2026-06-23 | 2026-06-23 | ||||||||||
t13d1515h2_8daaf6152771_a54fffd0eb61 |
Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… | User-Agent claims Firefox 151.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||||
t13i1909h2_9dc949149365_97f8aa674fd9 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… | User-Agent claims Firefox 132.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-11 | 2026-06-12 | ||||||||||
t13d131000_f57a46bbacb6_e7c285222651 |
Mozilla/5.0 (X11; Linux x86_64; rv:149.0) Gecko/… | User-Agent claims Firefox 149.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-16 | 2026-06-17 | ||||||||||
t13d1516h2_8daaf6152771_0c27189014cf |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151… | User-Agent claims Firefox 151.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-19 | 2026-06-19 | ||||||||||
t13d131000_f57a46bbacb6_e7c285222651 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Firefox 149.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-16 | 2026-06-17 | ||||||||||
t13d3012h2_1d37bd780c83_882d495ac381 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Firefox 149.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-23 | 2026-06-23 | ||||||||||
t13d131000_f57a46bbacb6_e7c285222651 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… | User-Agent claims Firefox 150.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-16 | 2026-06-17 | ||||||||||
t13d1714h1_5b57614c22b0_43ade6aba3df |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… | User-Agent claims Firefox 150.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d131000_f57a46bbacb6_e7c285222651 |
Mozilla/5.0 (X11; Linux x86_64; rv:150.0) Gecko/… | User-Agent claims Firefox 150.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-16 | 2026-06-17 | ||||||||||
t13d1312h2_a44d0ee8b3cc_e381dae6da6b |
Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… | User-Agent claims Firefox 151.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-23 | 2026-06-23 | ||||||||||
t13d1514h2_8daaf6152771_53a6d0ab1c42 |
Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/… | User-Agent claims Firefox 151.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
t12d520500_26e41e4f9c7e_22a92d800fe4 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Edge 149.0.0.0 | TLS cipher list matches no measured Edge captureThe offered TLS cipher suites match no controlled capture of Edge. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
q13d0314h3_55b375c5d22e_1ecea7cb6ec1 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… | User-Agent claims Firefox 147.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 2 | 2026-06-29 | 2026-06-29 | ||||||||||
t13d311000_e8f1e7e78f70_518fb456ca59 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… | User-Agent claims Firefox 147.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-17 | 2026-06-17 | ||||||||||
t13d311000_e8f1e7e78f70_518fb456ca59 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… | User-Agent claims Firefox 149.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-17 | 2026-06-17 | ||||||||||
t13d1715h2_5b57614c22b0_a54fffd0eb61 |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… | User-Agent claims Firefox 148.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 2 | 2026-06-19 | 2026-06-19 | ||||||||||
t13d1516h2_8daaf6152771_d8a2da3f94cd |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_8 like M… | User-Agent claims Safari 26.0 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d311000_e8f1e7e78f70_518fb456ca59 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims Safari 26.2 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-17 | 2026-06-17 | ||||||||||
t13d1516h2_8daaf6152771_d8a2da3f94cd |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… | User-Agent claims Safari 26.3 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d0916h2_f91f431d341e_0c27189014cf |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-26 | 2026-06-26 | ||||||||||
t13d0917h2_f91f431d341e_3cbfd9057e0d |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Firefox 152.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-26 | 2026-06-26 | ||||||||||
t12d200700_22c523c4c553_2dae41c691ec |
Mozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) G… | User-Agent claims Firefox 143.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-06-19 | 2026-06-28 | ||||||||||
t13d1616h2_86a278354501_eeeea6562960 |
Mozilla/5.0 (Android 13; Mobile; rv:152.0) Gecko… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 2 | 2026-07-02 | 2026-07-02 | ||||||||||
t13d2013h2_a09f3c656075_7f0f34a4126d |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… | User-Agent claims Firefox 151 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
q13d0311h3_55b375c5d22e_f2a83c8e78ae |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… | User-Agent claims Firefox 151 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d160900_1711a4c0508c_c06d14d7e8f6 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Edge 149.0.0.0 | TLS cipher list matches no measured Edge captureThe offered TLS cipher suites match no controlled capture of Edge. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-30 | 2026-06-30 | ||||||||||
t13d521100_b262b3658495_8e6e362c5eac |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Edge 149.0.0.0 | TLS cipher list matches no measured Edge captureThe offered TLS cipher suites match no controlled capture of Edge. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d251100_b78ed14e2fd0_ab7e3b40a677 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Firefox 140.8 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-16 | 2026-06-16 | ||||||||||
t13d251100_b78ed14e2fd0_ab7e3b40a677 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Firefox 140.9 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-16 | 2026-06-16 | ||||||||||
t13d2014h2_a09f3c656075_14788d8d241b |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims Safari 26.4 | TLS extensions or signature algorithms differ from every measured Safari captureThe cipher suites match Safari, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||||
t13d3612h1_018971650b2c_58ed7828516f |
Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/… | User-Agent claims Firefox 138.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-27 | 2026-06-27 | ||||||||||
t13i130900_f57a46bbacb6_e7c285222651 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Firefox 140.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-11 | 2026-06-11 | ||||||||||
t13d1714h2_5b57614c22b0_53a6d0ab1c42 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Firefox 140.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||||
t13d1312h2_a44d0ee8b3cc_e381dae6da6b |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Firefox 140.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-23 | 2026-06-23 | ||||||||||
t13d251100_b78ed14e2fd0_ab7e3b40a677 |
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0… | User-Agent claims Firefox 136.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-16 | 2026-06-16 | ||||||||||
t13d311000_e8f1e7e78f70_518fb456ca59 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146… | User-Agent claims Firefox 146.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-17 | 2026-06-17 | ||||||||||
t13d311000_e8f1e7e78f70_518fb456ca59 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143… | User-Agent claims Firefox 143.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-16 | 2026-06-16 | ||||||||||
t12d130600_2d7513195f68_e51b7354d87f |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143… | User-Agent claims Firefox 143.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-19 | 2026-06-19 | ||||||||||
t13d1516h3_8daaf6152771_d8a2da3f94cd |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143… | User-Agent claims Firefox 143.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-22 | 2026-06-22 | ||||||||||
t13d251100_b78ed14e2fd0_ab7e3b40a677 |
Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/… | User-Agent claims Firefox 133.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-17 | 2026-06-17 | ||||||||||
t13d1714h2_5b57614c22b0_53a6d0ab1c42 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… | User-Agent claims Firefox 147.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||||
t13d3112h2_e8f1e7e78f70_b26ce05bbdd6 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… | User-Agent claims Firefox 147.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-20 | 2026-06-20 | ||||||||||
t12i130500_2d7513195f68_e51b7354d87f |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… | User-Agent claims Firefox 140.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-12 | 2026-06-12 | ||||||||||
t13d311000_e8f1e7e78f70_518fb456ca59 |
Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… | User-Agent claims Firefox 140.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-17 | 2026-06-17 | ||||||||||
t13d201100_2b729b4bf6f3_36bf25f296df |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… | User-Agent claims Firefox 133.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-28 | 2026-06-28 | ||||||||||
t13d131100_f57a46bbacb6_ab7e3b40a677 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… | User-Agent claims Firefox 133.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-11 | 2026-06-11 | ||||||||||
t13d1816h2_e8a523a41297_0c27189014cf |
Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/… | User-Agent claims Firefox 140.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t12d130600_2d7513195f68_e51b7354d87f |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… | User-Agent claims Firefox 140.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-12 | 2026-06-12 | ||||||||||
t12i130500_2d7513195f68_e51b7354d87f |
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0… | User-Agent claims Firefox 142.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-12 | 2026-06-12 | ||||||||||
t13d311000_e8f1e7e78f70_518fb456ca59 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Firefox 148.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-17 | 2026-06-17 | ||||||||||
t13d1713h1_ab0a1bf427ad_ecd0401ec68b |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Firefox 148.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1516h2_8daaf6152771_d8a2da3f94cd |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Firefox 148.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d1616h2_86a278354501_60e8a95ece10 |
Mozilla/5.0 (X11; Linux x86_64; rv:152.0) Gecko/… | User-Agent claims Firefox 152.0 | TLS extensions or signature algorithms differ from every measured Firefox captureThe cipher suites match Firefox, but the extension set or signature algorithms differ from every capture even after normalizing handshake-variant extensions. Most likely a field-trial, ECH, or build variant the catalog has not captured; occasionally mimicry. This sharpens as catalog coverage grows.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||||
t13d311000_e8f1e7e78f70_518fb456ca59 |
Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/… | User-Agent claims Firefox 148.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-17 | 2026-06-17 | ||||||||||
t12d130600_2d7513195f68_e51b7354d87f |
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:142.0… | User-Agent claims Firefox 142.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-12 | 2026-06-12 | ||||||||||
t13d311000_e8f1e7e78f70_518fb456ca59 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims Safari 26.3.1 | TLS cipher list matches no measured Safari captureThe offered TLS cipher suites match no controlled capture of Safari. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-17 | 2026-06-17 | ||||||||||
t13d1812h1_85036bcba153_b26ce05bbdd6 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137… | User-Agent claims Firefox 137.0 | TLS cipher list matches no measured Firefox captureThe offered TLS cipher suites match no controlled capture of Firefox. Cipher lists are very stable per browser, so a different one is a real inconsistency — though a TLS-inspecting proxy re-originating the handshake is an honest cause, which holds this at medium.
|
medium | 1 | 2026-06-18 | 2026-06-18 |
OS claim vs. TCP stack
A User-Agent's claimed operating system against the initial TTL of its TCP SYN. An initial TTL of 64 is Unix-like (Linux, macOS, iOS, Android, BSD); 128 is Windows. A "Windows" User-Agent arriving on a TTL-64 stack — or vice versa — is inconsistent, subject to the proxy/NAT caveats above.
| fingerprint | User-Agent | claims | wire shows | confidence | seen | first seen | last seen | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 163 | 2026-06-11 | 2026-06-22 | ||||||||
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) … | User-Agent claims macOS | TCP SYN initial TTL 118+10 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 60 | 2026-06-13 | 2026-07-02 | ||||||||
4:43+21:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 57 | 2026-07-01 | 2026-07-02 | ||||||||
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 57 | 2026-07-01 | 2026-07-02 | ||||||||
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 55 | 2026-06-11 | 2026-06-15 | ||||||||
4:118+10:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 118+10 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 42 | 2026-06-12 | 2026-06-13 | ||||||||
4:46+18:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 36 | 2026-06-14 | 2026-06-14 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 11; moto g power (20… | User-Agent claims Android | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 30 | 2026-06-25 | 2026-07-01 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 28 | 2026-06-25 | 2026-06-29 | ||||||||
4:53+11:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 26 | 2026-06-11 | 2026-06-17 | ||||||||
4:115+13:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 26 | 2026-06-11 | 2026-06-22 | ||||||||
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 23 | 2026-06-30 | 2026-06-30 | ||||||||
6:47+17:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 20 | 2026-06-27 | 2026-06-28 | ||||||||
4:46+18:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 20 | 2026-06-11 | 2026-06-23 | ||||||||
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 20 | 2026-06-30 | 2026-06-30 | ||||||||
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 19 | 2026-06-30 | 2026-06-30 | ||||||||
4:42+22:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 19 | 2026-06-14 | 2026-06-14 | ||||||||
6:48+16:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 19 | 2026-06-27 | 2026-06-28 | ||||||||
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 18 | 2026-06-30 | 2026-06-30 | ||||||||
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 17 | 2026-06-30 | 2026-06-30 | ||||||||
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 16 | 2026-06-30 | 2026-06-30 | ||||||||
4:115+13:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 11; moto g power (20… | User-Agent claims Android | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 15 | 2026-06-11 | 2026-06-22 | ||||||||
4:117+11:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 14 | 2026-06-11 | 2026-06-13 | ||||||||
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 13 | 2026-06-30 | 2026-06-30 | ||||||||
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 13 | 2026-06-30 | 2026-06-30 | ||||||||
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 13 | 2026-06-30 | 2026-06-30 | ||||||||
4:53+11:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 12 | 2026-06-11 | 2026-06-23 | ||||||||
4:50+14:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 11 | 2026-07-01 | 2026-07-02 | ||||||||
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 110+18 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 11 | 2026-06-19 | 2026-06-19 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 10 | 2026-06-11 | 2026-06-15 | ||||||||
6:46+18:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 10 | 2026-06-27 | 2026-06-28 | ||||||||
4:112+16:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 11; moto g power (20… | User-Agent claims Android | TCP SYN initial TTL 112+16 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 10 | 2026-06-11 | 2026-06-22 | ||||||||
4:51+13:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 10 | 2026-06-15 | 2026-06-15 | ||||||||
4:48+16:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 10 | 2026-07-02 | 2026-07-02 | ||||||||
4:43+21:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 10 | 2026-06-23 | 2026-06-23 | ||||||||
4:47+17:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 9 | 2026-06-19 | 2026-06-19 | ||||||||
6:51+13:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 9 | 2026-06-27 | 2026-06-28 | ||||||||
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 9 | 2026-06-11 | 2026-06-22 | ||||||||
4:118+10:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 118+10 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 9 | 2026-06-12 | 2026-06-18 | ||||||||
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 11; moto g power (20… | User-Agent claims Android | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 9 | 2026-06-17 | 2026-06-21 | ||||||||
4:117+11:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 11; moto g power (20… | User-Agent claims Android | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 9 | 2026-06-17 | 2026-06-17 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 9 | 2026-06-26 | 2026-06-27 | ||||||||
4:112+16:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 112+16 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 9 | 2026-06-11 | 2026-06-22 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 8 | 2026-06-20 | 2026-06-20 | ||||||||
4:46+18:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 8 | 2026-06-15 | 2026-06-15 | ||||||||
4:117+11:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 8 | 2026-06-11 | 2026-06-17 | ||||||||
4:40+24:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 40+24 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 8 | 2026-06-14 | 2026-06-14 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 8 | 2026-07-01 | 2026-07-02 | ||||||||
4:56+8:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 8 | 2026-06-25 | 2026-06-29 | ||||||||
4:50+14:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 7 | 2026-06-11 | 2026-06-22 | ||||||||
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 7 | 2026-06-25 | 2026-06-30 | ||||||||
4:41+23:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 7 | 2026-06-14 | 2026-06-14 | ||||||||
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 7 | 2026-06-25 | 2026-06-30 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 7 | 2026-06-22 | 2026-06-22 | ||||||||
4:52+12:0:1420:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 7 | 2026-06-23 | 2026-06-23 | ||||||||
4:118+10:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 118+10 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-06-21 | 2026-06-21 | ||||||||
4:51+13:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-07-01 | 2026-07-02 | ||||||||
4:117+11:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/5… | User-Agent claims Android | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-06-16 | 2026-06-16 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-06-27 | 2026-07-02 | ||||||||
4:117+11:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) … | User-Agent claims macOS | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-07-01 | 2026-07-01 | ||||||||
4:51+13:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-06-30 | 2026-06-30 | ||||||||
6:44+20:0:1360:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-06-27 | 2026-06-27 | ||||||||
4:51+13:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-06-19 | 2026-06-23 | ||||||||
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Android 16; Mobile; rv:148.0) Gecko… | User-Agent claims Android | TCP SYN initial TTL 110+18 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 6 | 2026-06-19 | 2026-06-19 | ||||||||
4:53+11:0:1460:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWe… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-06-29 | 2026-06-29 | ||||||||
6:55+9:0:1392:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-07-01 | 2026-07-01 | ||||||||
4:41+23:0:1460:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-07-02 | 2026-07-02 | ||||||||
6:45+19:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-06-27 | 2026-06-28 | ||||||||
4:57+7:0:1420:mss*30,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gec… | User-Agent claims Windows | TCP SYN initial TTL 57+7 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-07-01 | 2026-07-02 | ||||||||
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-06-25 | 2026-06-25 | ||||||||
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-06-25 | 2026-06-25 | ||||||||
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-06-25 | 2026-06-25 | ||||||||
4:48+16:0:9174:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-07-01 | 2026-07-01 | ||||||||
4:46+18:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 5 | 2026-06-16 | 2026-06-23 | ||||||||
4:40+24:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 40+24 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-11 | 2026-06-19 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-07-01 | 2026-07-01 | ||||||||
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-13 | 2026-06-13 | ||||||||
4:48+16:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-13 | 2026-06-17 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-11 | 2026-06-29 | ||||||||
6:53+11:0:1376:8192,2:mss,nop,ws,nop,nop,sok::0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-07-02 | 2026-07-02 | ||||||||
4:52+12:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-19 | 2026-06-19 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-17 | 2026-06-27 | ||||||||
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-23 | 2026-06-23 | ||||||||
4:119+9:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 119+9 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-11 | 2026-06-28 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-13 | 2026-06-18 | ||||||||
4:51+13:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-07-02 | 2026-07-02 | ||||||||
4:51+13:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-25 | 2026-07-02 | ||||||||
4:49+15:0:1400:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-22 | 2026-06-22 | ||||||||
4:53+11:0:1200:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-20 | 2026-06-26 | ||||||||
6:43+21:0:1440:mss*30,9:mss,nop,nop,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 4 | 2026-06-27 | 2026-06-27 | ||||||||
4:52+12:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-11 | 2026-06-25 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-25 | 2026-06-25 | ||||||||
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-12 | 2026-06-21 | ||||||||
4:50+14:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-18 | 2026-06-18 | ||||||||
4:52+12:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-28 | 2026-07-01 | ||||||||
6:46+18:0:1432:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gec… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-14 | 2026-06-21 | ||||||||
4:54+10:0:1452:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:45+19:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-16 | 2026-06-22 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-12 | 2026-06-13 | ||||||||
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-11 | 2026-06-11 | ||||||||
4:54+10:0:1460:65535,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-19 | 2026-06-19 | ||||||||
6:47+17:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-28 | 2026-07-01 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-11 | 2026-06-29 | ||||||||
4:49+15:0:1460:65535,6:mss,nop,ws,nop,nop,ts,sok,eol+1:df,ecn:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:39+25:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 39+25 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-14 | 2026-06-14 | ||||||||
4:51+13:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-12 | 2026-06-27 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 11.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-23 | 2026-06-23 | ||||||||
4:54+10:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-23 | 2026-06-23 | ||||||||
4:47+17:0:1400:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:43+21:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-23 | 2026-06-23 | ||||||||
4:52+12:0:1420:mss*30,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-23 | 2026-06-23 | ||||||||
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-11 | 2026-06-11 | ||||||||
4:46+18:0:1460:35844,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-22 | 2026-06-22 | ||||||||
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-18 | 2026-06-18 | ||||||||
4:50+14:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-23 | 2026-06-23 | ||||||||
4:46+18:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-19 | 2026-06-19 | ||||||||
4:49+15:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-30 | 2026-06-30 | ||||||||
4:117+11:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-17 | 2026-06-17 | ||||||||
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-02 | 2026-07-02 | ||||||||
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-16 | 2026-06-21 | ||||||||
4:45+19:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-16 | 2026-06-22 | ||||||||
4:44+20:0:1360:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-29 | 2026-06-29 | ||||||||
4:54+10:0:1410:mss*30,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-29 | 2026-06-29 | ||||||||
4:51+13:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-20 | 2026-06-20 | ||||||||
4:55+9:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-29 | 2026-06-29 | ||||||||
4:51+13:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-30 | 2026-06-30 | ||||||||
4:51+13:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-29 | 2026-06-29 | ||||||||
4:46+18:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-14 | 2026-06-14 | ||||||||
4:56+8:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-29 | 2026-06-29 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-17 | 2026-07-01 | ||||||||
4:56+8:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-26 | 2026-06-30 | ||||||||
4:119+9:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7_8 like M… | User-Agent claims iOS | TCP SYN initial TTL 119+9 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
6:48+16:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-27 | 2026-06-27 | ||||||||
4:39+25:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 39+25 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-19 | 2026-06-22 | ||||||||
4:47+17:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-14 | 2026-06-14 | ||||||||
6:51+13:0:1440:mss*30,9:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-26 | 2026-06-26 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-02 | 2026-07-02 | ||||||||
4:49+15:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-26 | 2026-06-26 | ||||||||
4:47+17:0:1420:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-19 | 2026-06-19 | ||||||||
6:56+8:0:1440:mss*30,9:mss,nop,nop,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-26 | 2026-06-26 | ||||||||
4:56+8:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-26 | 2026-06-26 | ||||||||
4:54+10:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-02 | 2026-07-02 | ||||||||
4:52+12:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-26 | 2026-06-26 | ||||||||
4:44+20:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-26 | 2026-06-26 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-07-01 | 2026-07-01 | ||||||||
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-21 | 2026-06-22 | ||||||||
4:45+19:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
medium | 3 | 2026-06-25 | 2026-06-25 | ||||||||
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gec… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-16 | ||||||||
4:112+16:0:1344:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 112+16 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-17 | 2026-06-17 | ||||||||
4:55+9:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-20 | 2026-06-20 | ||||||||
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-17 | ||||||||
4:113+15:0:1424:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… | User-Agent claims macOS | TCP SYN initial TTL 113+15 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-19 | 2026-06-27 | ||||||||
4:51+13:0:1460:mss*29,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-19 | 2026-06-22 | ||||||||
4:115+13:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-17 | 2026-06-17 | ||||||||
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-17 | ||||||||
4:112+16:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM … | User-Agent claims Android | TCP SYN initial TTL 112+16 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-11 | 2026-06-11 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-12 | 2026-06-13 | ||||||||
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-17 | ||||||||
4:42+22:0:1380:65535,14:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-19 | 2026-06-19 | ||||||||
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac… | User-Agent claims iOS | TCP SYN initial TTL 110+18 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-19 | 2026-06-19 | ||||||||
4:56+8:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-19 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-18 | 2026-06-27 | ||||||||
4:114+14:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 11; moto g power (20… | User-Agent claims Android | TCP SYN initial TTL 114+14 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-22 | 2026-06-22 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-13 | 2026-06-13 | ||||||||
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-19 | 2026-06-19 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gec… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-19 | 2026-06-30 | ||||||||
4:44+20:0:1380:65535,14:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-19 | 2026-06-19 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gec… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-16 | ||||||||
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-29 | 2026-06-29 | ||||||||
4:47+17:0:1460:65535,14:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-19 | 2026-06-19 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-11 | 2026-06-12 | ||||||||
4:50+14:0:1340:mtu*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-14 | 2026-06-19 | ||||||||
4:52+12:0:1460:mss*44,8:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-23 | 2026-06-30 | ||||||||
4:51+13:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-19 | 2026-06-19 | ||||||||
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Bu… | User-Agent claims Android | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-23 | 2026-06-23 | ||||||||
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 110+18 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-21 | 2026-06-25 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-20 | 2026-06-20 | ||||||||
4:113+15:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/… | User-Agent claims Android | TCP SYN initial TTL 113+15 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-12 | 2026-06-14 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-20 | 2026-06-20 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-23 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-13 | 2026-06-18 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-12 | 2026-06-12 | ||||||||
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-17 | ||||||||
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-17 | 2026-06-17 | ||||||||
4:53+11:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-11 | 2026-06-11 | ||||||||
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-23 | 2026-06-23 | ||||||||
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-17 | ||||||||
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-17 | ||||||||
4:52+12:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-17 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-16 | 2026-06-16 | ||||||||
4:109+19:0:1400:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 109+19 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-19 | 2026-06-19 | ||||||||
6:42+22:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-26 | 2026-06-26 | ||||||||
4:50+14:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-25 | 2026-06-25 | ||||||||
4:56+8:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-25 | 2026-06-25 | ||||||||
4:54+10:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-26 | 2026-06-26 | ||||||||
6:46+18:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-27 | 2026-06-27 | ||||||||
6:47+17:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-27 | 2026-06-27 | ||||||||
4:53+11:0:8960:mss*7,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-27 | 2026-06-27 | ||||||||
6:48+16:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-28 | 2026-06-28 | ||||||||
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-28 | 2026-06-28 | ||||||||
6:50+14:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-28 | 2026-06-28 | ||||||||
4:54+10:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-29 | 2026-06-29 | ||||||||
4:44+20:0:1440:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-29 | 2026-06-29 | ||||||||
4:57+7:0:1360:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 57+7 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-29 | 2026-06-29 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko… | User-Agent claims Android | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-29 | 2026-06-29 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Bu… | User-Agent claims Android | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-29 | 2026-06-29 | ||||||||
4:46+18:0:1380:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-29 | 2026-06-29 | ||||||||
4:52+12:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:54+10:0:1131:65535,9:mss,nop,ws,sok,ts:df:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-29 | 2026-06-29 | ||||||||
6:51+13:0:1440:65535,7:mss,nop,nop,sok,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-30 | 2026-06-30 | ||||||||
4:45+19:0:1460:mss*29,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-30 | 2026-06-30 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:51+13:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 118+10 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:41+23:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/2010… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:115+13:0:1460:mss*44,9:mss,nop,nop,sok,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:53+11:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; trendi… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-02 | ||||||||
4:47+17:0:1380:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:114+14:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) … | User-Agent claims macOS | TCP SYN initial TTL 114+14 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:45+19:0:1452:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:109+19:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) … | User-Agent claims macOS | TCP SYN initial TTL 109+19 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:53+11:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-02 | ||||||||
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) … | User-Agent claims macOS | TCP SYN initial TTL 118+10 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1380:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-01 | ||||||||
4:55+9:0:1410:mss*46,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-02 | 2026-07-02 | ||||||||
4:48+16:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-02 | 2026-07-02 | ||||||||
4:121+7:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 121+7 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-02 | ||||||||
4:49+15:0:1460:mss*29,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-06-26 | 2026-07-02 | ||||||||
4:53+11:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 2 | 2026-07-01 | 2026-07-02 | ||||||||
6:45+19:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:8960:mss*7,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:111+17:0:1360:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) … | User-Agent claims macOS | TCP SYN initial TTL 111+17 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-18 | 2026-06-18 | ||||||||
4:56+8:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:114+14:0:1412:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (iPhone; CPU iPhone OS 13_2_3 like M… | User-Agent claims iOS | TCP SYN initial TTL 114+14 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-22 | 2026-06-22 | ||||||||
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:53+11:0:1354:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-20 | 2026-06-20 | ||||||||
6:45+19:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:40+24:0:1412:mss*1,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 40+24 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-12 | 2026-06-12 | ||||||||
4:54+10:0:1460:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:45+19:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:61+3:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 61+3 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:50+14:0:1460:65535,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-20 | 2026-06-20 | ||||||||
6:49+15:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:53+11:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:53+11:0:1420:65535,0:mss,sok,ts:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-18 | 2026-06-18 | ||||||||
4:46+18:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:44+20:0:1460:mss*1,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
6:45+19:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gec… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:117+11:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-22 | 2026-06-22 | ||||||||
4:45+19:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:114+14:0:1360:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 114+14 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-12 | 2026-06-12 | ||||||||
4:53+11:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-13 | 2026-06-13 | ||||||||
6:45+19:0:1440:65535,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:52+12:0:1420:mss*30,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:117+11:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | User-Agent claims Android | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:52+12:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:41+23:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-12 | 2026-06-12 | ||||||||
4:49+15:0:1460:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:120+8:0:1436:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/… | User-Agent claims Android | TCP SYN initial TTL 120+8 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-22 | 2026-06-22 | ||||||||
6:43+21:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-30 | 2026-06-30 | ||||||||
4:41+23:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
6:51+13:0:1440:mss*45,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:55+9:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:115+13:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/5… | User-Agent claims Android | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:45+19:0:1380:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:43+21:0:1460:mss*1,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
4:110+18:0:1360:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 110+18 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:112+16:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 112+16 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-15 | 2026-06-15 | ||||||||
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:53+11:0:1460:mss*22,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-12 | 2026-06-12 | ||||||||
4:47+17:0:1460:mss*44,7:mss,nop,nop,sok,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-20 | 2026-06-20 | ||||||||
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:113+15:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 12_5) App… | User-Agent claims macOS | TCP SYN initial TTL 113+15 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:49+15:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-15 | 2026-06-15 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; rv:108.0) Gecko/20… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:42+22:0:1460:mss*22,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-13 | 2026-06-13 | ||||||||
4:53+11:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:41+23:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-13 | 2026-06-13 | ||||||||
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-12 | 2026-06-12 | ||||||||
4:56+8:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:50+14:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:116+12:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:41+23:0:1412:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 9_1_2; Win64; x64) Apple… | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-21 | 2026-06-21 | ||||||||
4:45+19:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-21 | 2026-06-21 | ||||||||
4:38+26:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 38+26 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:50+14:0:1452:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:51+13:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-21 | 2026-06-21 | ||||||||
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/5… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-21 | 2026-06-21 | ||||||||
4:50+14:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-22 | 2026-06-22 | ||||||||
4:112+16:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 112+16 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-20 | 2026-06-20 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Linux; Android 4.4.2; LG-V410 Build… | User-Agent claims Android | TCP SYN initial TTL 110+18 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-21 | 2026-06-21 | ||||||||
4:113+15:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 113+15 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-20 | 2026-06-20 | ||||||||
4:51+13:0:1440:mss*45,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Geck… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:55+9:0:1460:26883,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:53+11:0:1400:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-20 | 2026-06-20 | ||||||||
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:50+14:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) G… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-22 | 2026-06-22 | ||||||||
4:49+15:0:1460:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR) … | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-12 | 2026-06-12 | ||||||||
4:40+24:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 40+24 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/5… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-13 | 2026-06-13 | ||||||||
4:112+16:0:1412:65535,8:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 112+16 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:48+16:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:104+24:0:1400:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 104+24 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.2; rv:20.0) Gecko/2012… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-12 | 2026-06-12 | ||||||||
4:115+13:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-21 | 2026-06-21 | ||||||||
6:42+22:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-02 | 2026-07-02 | ||||||||
4:51+13:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:57+7:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147… | User-Agent claims Windows | TCP SYN initial TTL 57+7 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:48+16:0:1460:65535,8:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-22 | 2026-06-22 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:44+20:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-18 | 2026-06-18 | ||||||||
4:53+11:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.2 (… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-15 | 2026-06-15 | ||||||||
4:45+19:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:51+13:0:1380:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-20 | 2026-06-20 | ||||||||
4:48+16:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:46+18:0:1410:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWe… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0.0; Win64; x64; ) Ap… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:56+8:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:53+11:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-18 | 2026-06-18 | ||||||||
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/5… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-20 | 2026-06-20 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gec… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-30 | 2026-06-30 | ||||||||
4:40+24:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 40+24 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-18 | 2026-06-18 | ||||||||
4:51+13:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-21 | 2026-06-21 | ||||||||
4:54+10:0:1420:mss*30,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; rv:140.0) Gecko/20… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-12 | 2026-06-12 | ||||||||
4:52+12:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-15 | 2026-06-15 | ||||||||
4:113+15:0:1460:65535,1:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 113+15 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:113+15:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 113+15 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:114+14:0:1358:64446,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… | User-Agent claims macOS | TCP SYN initial TTL 114+14 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:113+15:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 113+15 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:56+8:0:1460:mss*30,12:mss,sok,ts,nop,ws:df,id+,ts2+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
4:56+8:0:1460:mss*30,12:mss,sok,ts,nop,ws:df,id+,ts2+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
4:111+17:0:1440:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) … | User-Agent claims macOS | TCP SYN initial TTL 111+17 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
6:43+21:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:51+13:0:1360:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-12 | 2026-06-12 | ||||||||
4:56+8:0:1460:mss*30,12:mss,sok,ts,nop,ws:df,id+,ts2+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:150… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:119+9:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Linux; Android 11; DN2101) AppleWeb… | User-Agent claims Android | TCP SYN initial TTL 119+9 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-27 | 2026-06-27 | ||||||||
4:56+8:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:44+20:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:57+7:0:1460:mss*44,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 57+7 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
4:45+19:0:1440:65535,8:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:117+11:0:1412:65535,8:mss,nop,ws,sok,ts:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7; … | User-Agent claims macOS | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:55+9:0:1440:mss*30,9:mss,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; rv:110.0) Gecko/20… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:44+20:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
6:45+19:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
6:46+18:0:1220:mtu*19,7:mss,sok,ts,nop,ws::0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
4:38+26:0:1436:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 38+26 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-18 | 2026-06-18 | ||||||||
4:44+20:0:1380:mss*47,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
6:52+12:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:56+8:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 56+8 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
4:40+24:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 40+24 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:58+6:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; … | User-Agent claims Windows | TCP SYN initial TTL 58+6 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
4:47+17:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-25 | 2026-06-25 | ||||||||
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-27 | 2026-06-27 | ||||||||
4:45+19:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-17 | 2026-06-17 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gec… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
4:110+18:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (iPhone; CPU iPhone OS 17_6_1 like M… | User-Agent claims iOS | TCP SYN initial TTL 110+18 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-22 | 2026-06-22 | ||||||||
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
6:46+18:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:57+7:0:1460:65535,8:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 57+7 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:46+18:0:1460:65535,7:mss,nop,nop,sok,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-27 | 2026-06-27 | ||||||||
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/5… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) … | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gec… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-18 | 2026-06-18 | ||||||||
6:49+15:0:1380:65535,7:mss,nop,nop,sok,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-27 | 2026-06-27 | ||||||||
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) … | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:109+19:0:1436:mss*45,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac… | User-Agent claims iOS | TCP SYN initial TTL 109+19 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-30 | 2026-06-30 | ||||||||
4:46+18:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:115+13:0:1424:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv… | User-Agent claims macOS | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:52+12:0:1420:mss*46,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-12 | 2026-06-12 | ||||||||
4:50+14:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-16 | 2026-06-16 | ||||||||
4:120+8:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Linux; Android 13; SM-A037U) AppleW… | User-Agent claims Android | TCP SYN initial TTL 120+8 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:117+11:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (X11; Debian; Linux x86_64; rv:145.0… | User-Agent claims Linux | TCP SYN initial TTL 117+11 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-22 | 2026-06-22 | ||||||||
4:51+13:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:49+15:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:48+16:0:1460:65535,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/201… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:43+21:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:55+9:0:1350:mss*48,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:120+8:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 120+8 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:53+11:0:1452:mss*44,1:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:51+13:0:1200:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:55+9:0:1460:26883,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-27 | 2026-06-27 | ||||||||
4:54+10:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; rv:143.0) G… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:47+17:0:1440:mss*45,7:mss,nop,nop,sok,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:50+14:0:1460:mss*44,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:49+15:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:49+15:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:49+15:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:49+15:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-26 | 2026-06-26 | ||||||||
4:45+19:0:1460:mss*29,9:mss,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-27 | 2026-06-27 | ||||||||
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) … | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-27 | 2026-06-27 | ||||||||
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-27 | 2026-06-27 | ||||||||
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-30 | 2026-06-30 | ||||||||
4:110+18:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+,ecn:0 |
Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/… | User-Agent claims Linux | TCP SYN initial TTL 110+18 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-15 | 2026-06-15 | ||||||||
4:118+10:0:1460:62727,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Linux; Android 16; SM-S921U) AppleW… | User-Agent claims Android | TCP SYN initial TTL 118+10 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-21 | 2026-06-21 | ||||||||
4:43+21:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:54+10:0:1460:mss*29,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-02 | 2026-07-02 | ||||||||
6:47+17:0:1440:mss*42,14:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:48+16:0:1440:mss*42,14:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:101+27:0:1420:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7; … | User-Agent claims macOS | TCP SYN initial TTL 101+27 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-27 | 2026-06-27 | ||||||||
4:41+23:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 41+23 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
6:49+15:0:1440:mss*42,14:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:49+15:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:43+21:0:1399:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
4:115+13:0:1460:mss*44,6:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 115+13 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-20 | 2026-06-20 | ||||||||
6:113+15:0:1440:65535,8:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.… | User-Agent claims Linux | TCP SYN initial TTL 113+15 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:54+10:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:44+20:0:1440:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 44+20 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:49+15:0:1340:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:54+10:0:1330:mss*49,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-27 | 2026-06-27 | ||||||||
4:53+11:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-11 | 2026-06-11 | ||||||||
4:53+11:0:1400:65535,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-30 | 2026-06-30 | ||||||||
6:49+15:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:49+15:0:1340:mss*44,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:48+16:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:47+17:0:1400:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:47+17:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:50+14:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:50+14:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:48+16:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:47+17:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:52+12:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:49+15:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:53+11:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:48+16:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
6:54+10:0:1390:mss*47,8:mss,nop,ws,nop,nop,sok:flow:0 |
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:51+13:0:1460:mss*29,9:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 51+13 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:55+9:0:1460:26883,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-28 | 2026-06-28 | ||||||||
4:43+21:0:1400:mss*20,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 … | User-Agent claims Windows | TCP SYN initial TTL 43+21 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-14 | 2026-06-14 | ||||||||
4:46+18:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:58+6:0:1420:mss*46,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 58+6 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:116+12:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Linux; Android 10; x86) AppleWebKit… | User-Agent claims Android | TCP SYN initial TTL 116+12 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:49+15:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWe… | User-Agent claims Windows | TCP SYN initial TTL 49+15 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-19 | 2026-06-19 | ||||||||
4:52+12:0:1460:65535,6:mss,nop,ws,sok,ts:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 52+12 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:55+9:0:1460:26883,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0;… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:50+14:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:54+10:0:1452:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 54+10 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:50+14:0:1460:mss*29,12:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:111+17:0:1400:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 111+17 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:55+9:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/5… | User-Agent claims Windows | TCP SYN initial TTL 55+9 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:50+14:0:1460:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 50+14 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:114+14:0:1380:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 114+14 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:111+17:0:1460:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0 |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) … | User-Agent claims macOS | TCP SYN initial TTL 111+17 indicates WindowsThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
6:48+16:0:1440:mss*45,7:mss,sok,ts,nop,ws:flow:0 |
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/2010… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:47+17:0:1460:mss*44,11:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128… | User-Agent claims Windows | TCP SYN initial TTL 47+17 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:48+16:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.… | User-Agent claims Windows | TCP SYN initial TTL 48+16 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 | ||||||||
4:53+11:0:1460:65535,13:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140… | User-Agent claims Windows | TCP SYN initial TTL 53+11 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-23 | 2026-06-23 | ||||||||
4:46+18:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:45+19:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:45+19:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126… | User-Agent claims Windows | TCP SYN initial TTL 45+19 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:46+18:0:1440:mss*44,10:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 46+18 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-07-01 | 2026-07-01 | ||||||||
4:42+22:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0 |
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleW… | User-Agent claims Windows | TCP SYN initial TTL 42+22 indicates Unix-likeThe initial TTL is set by the sending kernel (64 on Unix-like systems, 128 on Windows) and survives NAT. But VPNs, proxies and tunnels legitimately replace the sending stack, so this check never exceeds medium confidence.
|
low | 1 | 2026-06-29 | 2026-06-29 |
Bot claim vs. published operator ranges
A User-Agent declaring a major bot — a search or AI crawler or a user-triggered fetcher — observed from an IP outside the ranges that operator publishes for it, or inside a different operator's ranges. Unlike the checks above, this is not a wire-vs-claim contradiction: it is the self-declared identity against the operator's own authoritative published list. An IP the operator does not list, arriving under its bot's name, is almost always an impersonator — scrapers spoof crawlers to dodge rate limits and earn crawler treatment. The consistent side (an IP inside the published range) appears as a "published range match" on the fingerprint page, not here.
| User-Agent | claims | from network | published ranges show | confidence | seen | first seen | last seen | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla/5.0 (compatible; Googlebot/2.1; +http://… | Googlebot | AS396982 Google LLC | Outside Googlebot's published rangesThis User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.
|
medium | 3 | 2026-06-27 | 2026-06-29 | ||||||
| Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Geck… | Googlebot | AS39603 P4 Sp. z o.o. | Outside Googlebot's published rangesThis User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.
|
high | 1 | 2026-06-30 | 2026-06-30 | ||||||
| Mozilla/5.0 (compatible; Googlebot/2.1; +http://… | Googlebot | AS212238 Datacamp Limited | Outside Googlebot's published rangesThis User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.
|
high | 1 | 2026-06-25 | 2026-06-25 | ||||||
| Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | Googlebot | AS24940 Hetzner Online GmbH | Outside Googlebot's published rangesThis User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.
|
high | 1 | 2026-07-01 | 2026-07-01 | ||||||
| Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Buil… | Googlebot | AS20278 Nexeon Technologies, Inc. | Outside Googlebot's published rangesThis User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.
|
high | 1 | 2026-07-01 | 2026-07-01 | ||||||
| Mozilla/5.0 (compatible; Googlebot/2.1; +http://… | Googlebot | AS8075 Microsoft Corporation | Outside Googlebot's published rangesThis User-Agent claims Googlebot, but the connection's IP is outside the ranges Googlebot publishes for its crawler. The operator's own published list is the authority on which IPs are Googlebot, so an IP outside it is almost always an impersonator — honest exceptions (a brand-new range not yet in our snapshot, or a proxy relaying a real fetch) are rare.
|
high | 1 | 2026-06-26 | 2026-06-26 |