From: Jamie Landeg-Jones
Date: Sat, 24 Mar 2018 17:47:56 +0000
Organization: Dyslexic Fish
To: rfg@tristatelogic.com, freebsd-net@freebsd.org
Subject: Re: Same host or different? How can you tell "over the wire"?
Message-Id: <201803241747.w2OHlupR069759@donotpassgo.dyslexicfish.net>
In-Reply-To: <10556.1521752491@segfault.tristatelogic.com>

Have you thought of examining the TCP timestamp field? Not necessarily for accurate uptime, but a way to determine if the hosts are the same.

Or some of the other fingerprinting methods? nmap has options for uptime and other fingerprinting:

https://nmap.org/book/osdetect-usage.html

Of course, all this assumes the hosts are connected directly without any load balancing or some sort of firewall/proxy that fiddles with the packet data...

cheers, Jamie
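
The TCP timestamp comparison suggested in the message above, as an added example that is not part of the original post: it fits the TSval counter seen from one address and checks whether samples from a second address fall on the same line. The function names, tolerances and sample values are constructed for illustration, and it assumes each host stamps TSval from a single host-wide counter, so stacks that randomise the offset per connection will not match.

```python
# Added example: do two addresses share one TCP timestamp (TSval) clock?
# Each sample is (capture_time_seconds, TSval) taken from a packet's TCP
# timestamp option. Assumes all samples fall within one 32-bit counter period.

def fit_clock(samples):
    """Least-squares fit TSval = hz * (t - t0); returns (hz, t0)."""
    n = len(samples)
    mt = sum(t for t, _ in samples) / n
    mv = sum(v for _, v in samples) / n
    cov = sum((t - mt) * (v - mv) for t, v in samples)
    var = sum((t - mt) ** 2 for t, _ in samples)
    hz = cov / var                 # counter ticks per second
    t0 = mt - mv / hz              # capture time at which the counter read 0
    return hz, t0

def same_clock(a, b, hz_tol=0.01, skew_tol=0.5):
    """True if b's samples lie on the clock line fitted to a's samples."""
    hz_a, t0_a = fit_clock(a)
    hz_b, _ = fit_clock(b)
    if abs(hz_a - hz_b) / hz_a > hz_tol:
        return False               # different tick rate: different stack or host
    # For each b sample, the time a's clock would have shown that TSval
    # must agree with when we actually captured it.
    return all(abs(v / hz_a + t0_a - t) <= skew_tol for t, v in b)

# Constructed samples (not real captures), with a little jitter.
ADDR_A = [(0.0, 5000000), (10.0, 5010002), (20.0, 5019999), (30.0, 5030001)]
ADDR_B = [(3.0, 5003001), (13.0, 5012999), (23.0, 5023000)]   # same counter as A
ADDR_C = [(1.0, 9000100), (11.0, 9001100), (21.0, 9002100)]   # 100 Hz counter
ADDR_D = [(2.0, 7002000), (12.0, 7012000), (22.0, 7022000)]   # 1000 Hz, other zero

if __name__ == "__main__":
    for name, other in (("B", ADDR_B), ("C", ADDR_C), ("D", ADDR_D)):
        print("A vs", name, "->", same_clock(ADDR_A, other))
```

As the message notes, a load balancer, firewall or proxy that rewrites or terminates TCP in the path makes the result describe that device rather than the hosts behind it.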