We covered four papers on studying TCP implementations using
probing techniques.

1.  "Probing TCP Implementations"  Comer and Lin

Concerned with testing TCP in a very controlled environment to uncover some
general characteristics of its operation.  Basically, monitoring nodes
were set up on a network to watch traffic, and the machine under test
was set to the task of sending messages to another host, which used
some coarse techniques to determine packet arrival times.  The experiments
were very simple and straightforward.

One complaint about the paper was that it (incorrectly) states the
assumption that TCP is a black box.


2.  "Nmap Remote OS Detection" Fyodor

Used probing techniques to identify information, most notably the OS, of an
unknown end host on the network.  It maintains a catalog of known behavior
signatures and matches the machine to one of those based on its response to
a lot of weird network traffic.  I believe this paper was described as
". . . a refreshing change from the standard class paper."

3.  "Know Your Enemy: Passive Fingerprinting"  Honeynet Project

Describes using a combination of intrusion detection software (Snort) and
probing techniques to determine who is studying your system.  The primary
goals of the work are to keep the recon secret and, so we surmised, to
be less threatening to the network at large than other alternatives
such as Nmap.
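Both the Nmap summary and the passive fingerprinting summary above describe matching a host's traffic against a catalog of known stack signatures.  As an added example (not code from either paper), here is a minimal passive matcher in Python that parses the four fields the Honeynet paper relies on (TTL, window size, DF bit, TOS) from a raw IPv4/TCP SYN and looks them up in a signature table; the table entries and the "stack-A/B/C" labels are constructed for illustration and are not a real fingerprint database.

```python
import struct
from typing import Optional

# Constructed, illustrative catalog (not real fingerprints):
# (initial TTL, window size, DF set, TOS) -> stack label
SIGNATURES = {
    (64, 5840, True, 0): "stack-A",
    (128, 65535, True, 0): "stack-B",
    (255, 8760, True, 16): "stack-C",
}

def initial_ttl(observed_ttl: int) -> int:
    """Round the TTL seen on the wire up to the nearest common initial value,
    since each router hop decrements it before the packet reaches the sensor."""
    for start in (32, 64, 128, 255):
        if observed_ttl <= start:
            return start
    return 255

def parse_syn(pkt: bytes) -> Optional[dict]:
    """Extract TTL, window, DF and TOS from a raw IPv4+TCP frame; None unless
    it is an IPv4 TCP segment carrying a bare SYN (the only packet fingerprinted)."""
    if len(pkt) < 40:
        return None
    ver_ihl, tos, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != 6 or len(pkt) < ihl + 20:
        return None
    df = bool(flags_frag & 0x4000)          # IP "don't fragment" bit
    _, _, _, _, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    if (off_flags & 0x3F) != 0x02:          # SYN only; SYN/ACK, RST etc. are skipped
        return None
    return {"ttl": ttl, "window": window, "df": df, "tos": tos}

def fingerprint(pkt: bytes) -> Optional[str]:
    """Match a SYN against the catalog; None when no signature fits."""
    f = parse_syn(pkt)
    if f is None:
        return None
    return SIGNATURES.get((initial_ttl(f["ttl"]), f["window"], f["df"], f["tos"]))

def build_syn(ttl: int, window: int, df: bool, tos: int) -> bytes:
    """Constructed sample frame: minimal IPv4 header + TCP SYN, no options,
    zero checksums (enough for parsing, not a valid on-the-wire packet)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes(4), bytes(4))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp
```

Running `fingerprint(build_syn(57, 5840, True, 0))` returns "stack-A": the TTL of 57 is rounded up to an initial 64 and the remaining fields match the first catalog entry.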

4. "On Inferring TCP Behavior" Padhye and Floyd

Though the information probed for, namely ACKs, is very similar, this
paper represents the other end of the spectrum from the Comer and Lin
paper as far as experimental design is concerned:  it runs in the wide
area Internet and has very little environmental control.  From the
perspective of the probing techniques used, TBIT is less intrusive than
Nmap but more aggressive than the Passive Fingerprinting project.