Not visible on the preceding screenshot, but still a part of OS detection, Nmap tries to determine the approximate uptime of the remote system. Nmap receives several SYN/ACK TCP packets in a row and checks the headers for a timestamp option. Many operating systems use a simple counter starting with zero at boot time and counting during the uptime. By checking the responses, Nmap can determine these values and print these in the scan log.

The uptime guess is marked as a guess because there are several things that can make it very inaccurate. For instance, some operating systems do not start the counter at zero but initialize it with a random value instead.