Start sending a valid encapsulated header with IP-in-IP with -sO. Hosts respond more when a valid header is sent. I kept getting open|filtered for this, and now I get open. It's a lot like my IGMP patch from r4361

CHANGELOG

@@ -31,9 +31,10 @@ o Fixed a bug which caused nmap --iflist to crash (and might have
 
 o Applied a bunch of code cleanup patches from Kris Katterjohn.
 
-o Changed the IP protocol scan so that it sends actual IGMP headers when
+o Changed the IP protocol scan so that it sends actual IGMP and IPIP
-  scanning protocol number 2.  This makes it much more likely that the host
+  (IP-in-IP encapsulation) headers when scanning protocol numbers 2
-  will respond, proving that it's "open".  [Kris]
+  and 4, respectively.  This makes it much more likely that the host
+  will respond, proving that they're "open".  [Kris]
 
 o Fixed UDP scan so that it doesn't find it's own port when scanning
   localhost.  This was thought to be fixed in 4.10.  This also prevents a

scan_engine.cc

@@ -2203,6 +2203,23 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
 			       &packetlen);
 
 	break;
+      case IPPROTO_IPIP:
+	/* This is our inner IP header, followed by data */
+	packet = build_ip_raw(&o.decoys[decoy], hss->target->v4hostip(),
+			      IPPROTO_TCP, /* fake it */
+			      o.ttl, ipid, IP_TOS_DEFAULT, false,
+			      o.ipoptions, o.ipoptionslen,
+			      o.extra_payload, o.extra_payload_length, 
+			      &packetlen);
+
+	/* This is our outer IP header, followed by the inner header above */
+	packet = build_ip_raw(&o.decoys[decoy], hss->target->v4hostip(),
+			      pspec->proto,
+			      o.ttl, ipid, IP_TOS_DEFAULT, false,
+			      o.ipoptions, o.ipoptionslen,
+			      (char *) packet, packetlen,
+			      &packetlen);
+	break;
       default:
 	packet = build_ip_raw(&o.decoys[decoy], hss->target->v4hostip(),
 			      pspec->proto,