How easy would it be to tell that an Android phone was being used to tether an Android tablet?
I can see that the TTL value might be different, but aside from that, would it be significantly less apparent that the phone was being used for tethering a tablet than tethering a Windoze machine?
Android uses a TTL of 64, the same as some versions of Linux, FreeBSD and Solaris. This would be decremented to 63 as it went through the tethering device and NAT.
It could be detected as being behind NAT, as the originating IP would be changed to the public IP of the NAT devices, and so you have a packet claiming to be from the NAT address but with a TTL that clearly states it's already been through a router. If the packet originated from the tethering phone, the TTL would still be 64.
They couldn't tell from this that it was an Android tablet, as a TTL of 64 is used by several OSes. A sophisticated monitoring system, though, would then look at other things such as which sites were being checked (remember your tablet will check for updates and maybe send a packet to a specific site to check that it doesn't need to work with a captive portal like in hotels).
Basically, if they really want to find out if you're tethering, they can. Do they really invest that much effort in checking for tethering? I don't know; you would have to find someone who works in the cellphone carrier industry to get a sensible answer, as the Internet is full of paranoia about such things.
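The TTL check described in the answer above, sketched as an added example (not part of the original posts): it parses raw IPv4 headers, guesses each sender's initial TTL from the common defaults, and flags a source address whose packets arrive already decremented. The sample headers and addresses are constructed, and the code assumes the observation point sees the phone's own packets before any router has decremented them.

```python
import struct
from collections import defaultdict

COMMON_INITIAL_TTLS = (64, 128, 255)  # widely used OS defaults (128 is the Windows default)

def build_ipv4_header(src, ttl):
    """Build a minimal 20-byte IPv4 header for sample data (checksum left at 0)."""
    src_bytes = bytes(int(p) for p in src.split("."))
    dst_bytes = bytes([198, 51, 100, 7])  # documentation-range destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0, src_bytes, dst_bytes)

def parse_ttl_and_src(header):
    """Return (source address, TTL) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ".".join(str(b) for b in header[12:16]), header[8]

def hops_travelled(ttl):
    """Guess the initial TTL as the nearest common default at or above the
    observed value; return (initial, hops already taken)."""
    initial = next(d for d in COMMON_INITIAL_TTLS if d >= ttl)
    return initial, initial - ttl

def classify(headers):
    """Group observed TTLs per source and flag sources whose packets had
    already crossed a router (the tethering phone) before being observed."""
    seen = defaultdict(set)
    for h in headers:
        src, ttl = parse_ttl_and_src(h)
        seen[src].add(ttl)
    report = {}
    for src, ttls in seen.items():
        routed = sorted(t for t in ttls if hops_travelled(t)[1] > 0)
        report[src] = {"ttls": sorted(ttls), "routed_ttls": routed,
                       "behind_router": bool(routed)}
    return report

# Constructed sample: after NAT, the phone's own traffic and the tethered
# device's traffic share one source address but differ in TTL.
SAMPLE = [
    build_ipv4_header("10.20.0.5", 64),   # phone's own packet
    build_ipv4_header("10.20.0.5", 63),   # tethered device with initial TTL 64
    build_ipv4_header("10.20.0.9", 64),   # phone with no tethering
    build_ipv4_header("10.20.0.7", 127),  # tethered device with initial TTL 128
]

if __name__ == "__main__":
    for src, info in classify(SAMPLE).items():
        print(src, info)
```

As the answer says, the TTL only shows that a router sat in the path; a value of 63 cannot distinguish an Android tablet from any other system that starts at 64.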