former QueSO home page <URL:http://www.apostols.org/projectz/queso/>:

How we can determine the remote OS using simple TCP packets?  Well,
it's easy, they're packets that don't make any sense, so the RFCs
don't clearly state what to answer in these kind of situations.
Facing this ambiguous, each TCP/IP stack takes a different approach
to the problem, and this way, we get a different response.  In some
cases (like Linux, to name one) some programming mistakes make the OS
detectable.

QueSO sends:

        0 SYN           * THIS IS VALID, used to verify LISTEN
        1 SYN+ACK
        2 FIN
        3 FIN+ACK
        4 SYN+FIN
        5 PSH
        6 SYN+XXX+YYY   * XXX & YYY are unused TCP flags

All packets have a random seq_num and a 0x0 ack_num.