Thank you for explaining this, I had always wondered how a carrier could tell a device was tethered if a router was not passing on tethered device details.
Another way to do it is to look for requests to domains that phones never access but desktops/laptops often do. Windows Update is the most common, but you could probably do apt package repositories or whatever.
I have a friend that is also curious. Their fibre cable was cut by addicts trying to find a source of copper that took a few days to be repaired. Using their hot spot during the outage used up their allotted hot spot bandwidth for the month. My friend would be very interested in how to avoid potential down time in the future.
Might I suggest an email address added to your HN profile, lest a publicly posted reply result in observation by a nefarious telecom employee who just might obviate the proposed solution to your friend’s conundrum.
Network packets commonly have start with default TTL values of 64, 128, or 255. Each hop in the network subtracts 1.
When phone connects direct to carrier (cell tower, I assume) the carrier will see TTL of 64.
A laptop tethered to a phone introduces a hop so laptop-to-phone TTL is 64, phone-to-carrier TTL is 63.
Carriers can then limit bandwidth if network packet that don't have a common TTL.
For `iptables` look at `--ttl-inc 1` (to add back the 1 so 63 => 64) or `--ttl-set 64`.
Alternatively, you set the tethered devices to use a TTL of 65, e.g. linux/mac `sysctl -w net.inet.ip.ttl=65`