It seems to me that a fairly lightweight approach might be a per-connection event returning the factors of interest, since according to the p0f v3 README:
> For TCP/IP, the tool fingerprints the client-originating SYN packet and the
> first SYN+ACK response from the server, paying attention to factors such as the
> ordering of TCP options, the relation between maximum segment size and window
> size, the progression of TCP timestamps, and the state of about a dozen possible
> implementation quirks (e.g. non-zero values in "must be zero" fields).
(from [http://lcamtuf.coredump.cx/p0f3/README](http://lcamtuf.coredump.cx/p0f3/README) - which also documents the actual factors that are observed).
As for the SACK vulnerability, the last paragraph of the document indicates that the MSS is set to 48 to trigger the vulnerability, so reporting MSS might give a leg up on that, as well.
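A sketch of what such a per-connection record could carry, added here as an example and not part of the original post or of p0f's own code: it parses one raw TCP header and reports option ordering, MSS, window size, their relation, and two quirks, plus a low-MSS flag. The names `syn_factors`, `build_syn` and the `LOW_MSS` cutoff are assumptions made for illustration, and the sample headers are constructed.

```python
import struct

# TCP option kinds per IANA: 0 EOL, 1 NOP, 2 MSS, 3 window scale, 4 SACK-permitted, 8 timestamps
OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}
LOW_MSS = 128  # assumed alerting cutoff, not from the post; tune per site

def syn_factors(tcp: bytes) -> dict:
    """Return fingerprint factors from one raw TCP header (IP header already stripped)."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    hdr_len = (off_flags >> 12) * 4
    if not 20 <= hdr_len <= len(tcp):
        raise ValueError("bad data offset")
    opts, order, mss, quirks, i = tcp[20:hdr_len], [], None, [], 0
    while i < len(opts):
        kind = opts[i]
        order.append(OPT_NAMES.get(kind, "?%d" % kind))
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP is a single byte with no length field
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            quirks.append("bad-opt-len")   # malformed option: stop instead of looping
            break
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    if off_flags & 0x0F00:       # reserved header bits are "must be zero" (RFC 9293)
        quirks.append("reserved-bits-set")
    return {
        "syn": bool(off_flags & 0x0002), "ack": bool(off_flags & 0x0010),
        "opt_order": ",".join(order), "mss": mss, "window": window,
        "win_is_mss_multiple": bool(mss) and window % mss == 0,
        "low_mss": mss is not None and mss < LOW_MSS, "quirks": quirks,
    }

def build_syn(mss: int, window: int) -> bytes:
    """Constructed sample: SYN header with options mss,sok,ts,nop,ws (40 bytes)."""
    opts = (struct.pack("!BBH", 2, 4, mss) + b"\x04\x02"
            + struct.pack("!BBII", 8, 10, 1, 0) + b"\x01\x03\x03\x07")
    return struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (10 << 12) | 0x002, window, 0, 0) + opts
```

Timestamp progression needs more than one packet per connection, so it is left out of this single-header record.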