-O This option activates remote host identification via TCP/IP fin-
gerprinting. In other words, it uses a bunch of techniques to
detect subtleties in the underlying operating system network
stack of the computers you are scanning. It uses this informa-
tion to create a 'fingerprint' which it compares with its
database of known OS fingerprints (the nmap-os-fingerprints
file) to decide what type of system you are scanning.

If Nmap is unable to guess the OS of a machine, and conditions
are good (eg at least one open port), Nmap will provide a URL
you can use to submit the fingerprint if you know (for sure) the
OS running on the machine. By doing this you contribute to the
pool of operating systems known to nmap and thus it will be more
accurate for everyone. Note that if you leave an IP address on
the form, the machine may be scanned when we add the fingerprint
(to validate that it works).

The -O option also enables several other tests. One is the
"Uptime" measurement, which uses the TCP timestamp option (RFC
1323) to guess when a machine was last rebooted. This is only
reported for machines which provide this information.

Another test enabled by -O is TCP Sequence Predictability Clas-
sification. This is a measure that describes approximately how
hard it is to establish a forged TCP connection against the
remote host. This is useful for exploiting source-IP based
trust relationships (rlogin, firewall filters, etc) or for hid-
ing the source of an attack. The actual difficulty number is
based on statistical sampling and may fluctuate. It is gener-
ally better to use the English classification such as "worthy
challenge" or "trivial joke". This is only reported in normal
output with -v.

When verbose mode (-v) is on with -O, IPID Sequence Generation
is also reported. Most machines are in the "incremental" class,
which means that they increment the "ID" field in the IP header
for each packet they send. This makes them vulnerable to sev-
eral advanced information gathering and spoofing attacks.