When FMC performs passive network discovery, it is not interacting with end hosts; it is paying extra attention to SYN and SYN-ACK packets and determining OS definitions based on known output from IP headers.
Can anyone point me in the direction of more information on how the FMC is configured to carry out the discovery from IP packets passing through the managed device network points?
Yes, the managed devices gather the network discovery info as the traffic passes through them and send that info to FMC, which in turn processes the data to show it.
The user guide has detailed information about it.
Is there something specific you are looking for?
Hope it helps.
I'm just wanting to be able to comprehend the operation so I can explain it to people. From what I gather it's a fairly standard open-source-type operation, nothing Cisco-tailored?
So understanding something like http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting is all that's needed?
Also, I've had discovery running for about 2-3 weeks now and Windows 2012 R2 is not being discovered. It's being marked as Windows 7, Server 2008, 8. Do we not need to care that the exact version is detected?
From what I understand, if a product does not change in operation in higher versions, the system marks it as the lowest version. For example, I can't remember the finer details, but when seeing Windows Vista for a certain function it still applies to Windows 7/8/10, as the particular feature has not changed in the higher versions.
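To make both points in this thread concrete (the first post's description of fingerprinting from SYN packets and IP header fields, and the last reply's point that one fingerprint can only be attributed to the lowest version of a product family when later versions send identical packets), here is an added, self-contained passive OS fingerprinter written for this page. It is not Cisco's or FMC's code and not the p0f database; the signature table, the sample frames and all OS labels in it are constructed for illustration. It reads raw IPv4+TCP bytes, keys on initial TTL, window size, the DF bit and TCP option order, and returns every OS candidate that shares the same signature, which is exactly why an inventory can show "Windows 7, Server 2008, 8" for one host.

```python
import struct
from dataclasses import dataclass

# Names for the TCP option kinds a SYN fingerprint normally keys on.
TCP_OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK_OK", 8: "TS"}


@dataclass(frozen=True)
class SynFingerprint:
    """Header features of one SYN that a passive fingerprinter compares."""
    initial_ttl: int   # observed TTL rounded up to the sender's likely initial value
    window: int        # TCP receive window advertised in the SYN
    df: bool           # IP "don't fragment" bit
    options: tuple     # TCP option names in wire order


def guess_initial_ttl(observed_ttl):
    """Each router hop decrements TTL by one, so 126 most likely started at 128."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def parse_tcp_options(raw):
    """Walk the TCP options area and return the option names in wire order."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            names.append("EOL")
            break
        if kind == 1:                       # NOP carries no length byte
            names.append("NOP")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break                           # truncated or malformed option
        names.append(TCP_OPTION_NAMES.get(kind, "OPT%d" % kind))
        i += raw[i + 1]
    return tuple(names)


def fingerprint_syn(packet):
    """Extract a SynFingerprint from a raw IPv4+TCP frame.
    Returns None unless the segment is a pure SYN (SYN-ACKs and data are skipped)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    ttl, proto = packet[8], packet[9]
    if proto != 6:                          # not TCP
        return None
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    if not (flags & 0x02) or (flags & 0x10):   # need SYN set and ACK clear
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    return SynFingerprint(guess_initial_ttl(ttl), window,
                          bool(flags_frag & 0x4000), parse_tcp_options(tcp[20:data_off]))


# Constructed signature table for illustration only (not FMC's or p0f's definitions).
# A signature maps to a list of labels: versions that send identical SYNs cannot be
# told apart, so the whole family is reported rather than one exact version.
SIGNATURES = {
    SynFingerprint(128, 8192, True, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK_OK")):
        ["Windows 7", "Windows Server 2008", "Windows 8"],
    SynFingerprint(64, 29200, True, ("MSS", "SACK_OK", "TS", "NOP", "WS")):
        ["Linux 3.x"],
}


def classify_syn(packet):
    """OS candidates for a SYN, ["unknown"] if no signature matches, None if not a SYN."""
    fp = fingerprint_syn(packet)
    return None if fp is None else SIGNATURES.get(fp, ["unknown"])


# Constructed sample option blocks (checksums are left zero; parsing does not need them).
WIN7_OPTIONS = b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x08" b"\x01\x01" b"\x04\x02"
LINUX_OPTIONS = (b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a" + b"\x00" * 8
                 + b"\x01" b"\x03\x03\x07")


def build_syn(ttl, window, df, options, syn_ack=False):
    """Build a minimal IPv4+TCP SYN (or SYN-ACK) frame to feed the parser."""
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, (tcp_len // 4) << 4,
                      0x12 if syn_ack else 0x02, window, 0, 0)
    return ip + tcp + options


if __name__ == "__main__":
    # A Windows host two hops away (TTL 126), a Linux host three hops away (TTL 61),
    # and a SYN-ACK that the fingerprinter deliberately ignores.
    for frame in (build_syn(126, 8192, True, WIN7_OPTIONS),
                  build_syn(61, 29200, True, LINUX_OPTIONS),
                  build_syn(126, 8192, True, WIN7_OPTIONS, syn_ack=True)):
        print(fingerprint_syn(frame), "->", classify_syn(frame))
```

The design choice worth noting for anyone explaining discovery results: the matcher compares the whole tuple, so a host is only attributed to a family whose members all emit the same SYN, and a newer release that happens to keep the same TCP stack defaults will show up under the older labels until the signature table gains a feature that separates them.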