1 | initial version |
You might be referring to the use of TCP timestamps as a way to possibly estimate uptime; as referenced by NMAP, see https://nmap.org/book/osdetect-usage.html for that discussion and the caveats to using this information in this manner. They call it uptime guess.
Also SNMP is known to provide uptime, see RFC1213-MIB for the sysUpTime OID. So to add to some of the other techniques described, if the target happens to be queried by a network manager via a non-encrypted SNMP polling routine, then this field might be observed in the packet trace and you could access it. Or, if you are able to make SNMP requests to the host you could generate the query yourself, if you had the community strings and/or password if using SNMPv3. I have found this field to be less than reliable across the whole platform of devices I run across - it might be fine on Windows, Cisco IOS, etc., but as soon as you move away into less mainstream devices and platforms, beware.