Not if it is cloned and/or spoofed.
If. :D But, you are right.
I also saw a study somewhere about ICMP sequence number distribution.
Someone did a study on sequence numbers, where they were plotted and they could guess the OS, because of the pseudo-randomness of the sequence numbers - which seem to be unique to the OS.
Anyone recall that?
There is a SANS article about using sing to do that.
Still would have to use a variety of methods and tools to dig through the packet routes to give an educated guess about the OS.
If you find you have enough Red Bull and free time
You might want to look into MS RPC. I think TCP can also give away the OS unless the system registry has been set to prevent it from doing so.
Nessus is a powerful scanner to enumerate security information. You can only scan a live system, thus not a packet capture. It might help you understand what's going on in the capture though. I recommend using it with VMware Server 2, which is free. Install something like Windows XP SP2 because it won't have all the SP3 security patches applied, turn the firewall off and scan it. Nmap is mainly for scanning networks.
You can install Nessus in BackTrack, which contains a whole load of pen testing tools.
Another good option is to use "Passive OS Fingerprint" or "p0f".
Here's the link to the project http//
P.S.
While googling to find that page, found this entry at Wikipedia http//
might be a good place to start looking at…