Skip to main content

Learn / TCP/IP

What is TCP/IP fingerprinting?

A method of identifying clients by inspecting low-level packet and network-stack behavior.

Layer
Network transport and operating system stack behavior
Visible to
The destination server or any device observing the network path
Why it matters
It can classify the client before browser-side code ever runs

The basics

TCP/IP fingerprinting looks beneath the browser and into the networking stack carrying the request.

Every web request depends on lower-level network protocols before a page can load. Those protocols expose defaults and implementation details such as packet sizes, initial TTL values, option ordering, and window behavior. Taken together, those traits can reveal what kind of system is generating the traffic.

That is the basis of TCP/IP fingerprinting. Instead of asking the browser to reveal information through JavaScript, a server or passive observer measures how the underlying client stack behaves on the network. Those measurements can help infer operating system family, client implementation, or whether the traffic looks unusual for the browser it claims to be.

On its own, a TCP/IP signature is not always enough to identify a person or device uniquely. It becomes much more useful when it is combined with TLS, HTTP headers, and browser-side fingerprints collected from the same request path.

How it works

The identifying signal is present before the page experience even begins.

  • 1. The client opens a network connection

    Before the browser can request a page, the underlying device and network stack establish a TCP connection with packet fields that reflect local defaults and implementation choices.

  • 2. The destination observes low-level packet traits

    A server or network appliance can inspect initial TTL, MSS, window size, flags, and option ordering to infer what kind of client stack originated the traffic.

  • 3. The pattern is compared to known client families

    Different operating systems, kernels, and networking libraries tend to produce recognizable TCP/IP signatures, which makes it possible to classify traffic before application logic runs.

  • 4. The result is used with higher-layer signals

    TCP/IP fingerprints are rarely used alone. They become more useful when correlated with TLS, HTTP, and browser-side measurements collected on the same request flow.

Why it matters

It is useful because it helps classify traffic at a layer most users never think about.

  • It exists below the browser UI

    TCP/IP fingerprinting does not depend on a visible script or browser setting. It comes from the networking stack that carries the request in the first place.

  • It helps validate other signals

    If a request claims to be a normal browser but the packet behavior looks unusual, anti-abuse systems can treat that mismatch as a risk signal.

  • It survives many common privacy habits

    Clearing cookies or using a private window does not change the native network stack characteristics that TCP/IP fingerprinting relies on.

This is one reason privacy tooling that only changes browser settings or cookies leaves a lot of exposure untouched. The lower network layers may still look the same from one session to the next.

How 404 addresses it

404 helps break the link to your native network signature by keeping the destination from seeing your device stack directly.

TCP/IP fingerprinting matters because it sits below the browser layer that most privacy tooling focuses on. 404 reduces direct linkability by mediating how requests reach the destination, which helps prevent sites from relying on your machine's original low-level network signature as part of the fingerprint.

As with every other layer, the point is not to promise invisibility. It is to remove one more stable input from the classifier and make cross-session correlation less dependable.

See pricing How 404 works

Further reading

If you want the network-layer background, start here.