From 50830f7488b8aecd5d99b2908c99c19d5b6c6d91 Mon Sep 17 00:00:00 2001
From: daniel <daniel@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Wed, 3 Jun 2009 23:15:45 +0000
Subject: [PATCH] o Added initial SCTP port scanning support to Nmap.  SCTP is 
  a layer 4 protocol used mostly for telephony related applications.   This
 brings the following new features:   o SCTP INIT chunk port scan (-sY): open
 ports return an INIT-ACK     chunk, closed ones an ABORT chunk.  This is the
 SCTP equivalent     of a TCP SYN stealth scan.   o SCTP COOKIE-ECHO chunk
 port scan (-sZ): open ports are silent,     closed ports return an ABORT
 chunk.   o SCTP INIT chunk ping probes (-PY): host discovery using SCTP    
 INIT chunk packets.   o SCTP-specific IP protocol scan (-sO -p sctp).   o
 SCTP-specific traceroute support (--traceroute).   o The ability to use the
 deprecated Adler32 algorithm as specified     in RFC 2960 instead of CRC32C
 from RFC 4960 (--adler32).   o 42 well-known SCTP ports were added to the
 nmap-services file.   Part of the work on SCTP support was kindly sponsored
 by   Compass Security AG, Switzerland.  [Daniel Roethlisberger]

---
 CHANGELOG                                 |  18 +
 NmapOps.cc                                |  28 +-
 NmapOps.h                                 |   7 +
 docs/nmap.dtd                             |   4 +-
 docs/refguide.xml                         | 198 ++++++++--
 global_structures.h                       |  10 +-
 libdnet-stripped/NMAP_MODIFICATIONS       |   9 +-
 libdnet-stripped/include/dnet.h           |   1 +
 libdnet-stripped/include/dnet/Makefile.am |   2 +-
 libdnet-stripped/include/dnet/sctp.h      | 168 +++++++++
 libdnet-stripped/libdnet-stripped.vcproj  |   4 +
 libdnet-stripped/src/crc32ct.h            |  83 +++++
 libdnet-stripped/src/ip-util.c            |  31 ++
 nmap-services                             |  70 +++-
 nmap.cc                                   |  78 +++-
 nmap.h                                    |  13 +
 nse_main.cc                               |   3 +-
 nse_nmaplib.cc                            |   6 +-
 nse_nsock.cc                              |   5 +-
 output.cc                                 |  18 +-
 output.h                                  |   2 +-
 portlist.cc                               |  34 +-
 portlist.h                                |  20 +-
 portreasons.cc                            |   8 +-
 portreasons.h                             |   3 +-
 protocols.h                               |  12 +
 scan_engine.cc                            | 422 ++++++++++++++++++++--
 scan_engine.h                             |   7 +
 service_scan.cc                           |  11 +-
 services.cc                               |  36 +-
 services.h                                |   3 +-
 targets.cc                                |   2 +-
 targets.h                                 |   1 +
 tcpip.cc                                  |  77 ++++
 tcpip.h                                   |  14 +
 traceroute.cc                             |  77 +++-
 36 files changed, 1333 insertions(+), 152 deletions(-)
 create mode 100644 libdnet-stripped/include/dnet/sctp.h
 create mode 100644 libdnet-stripped/src/crc32ct.h

diff --git a/CHANGELOG b/CHANGELOG
index 8791d760b..da8be426c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,23 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o Added initial SCTP port scanning support to Nmap.  SCTP is
+  a layer 4 protocol used mostly for telephony related applications.
+  This brings the following new features:
+  o SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
+    chunk, closed ones an ABORT chunk.  This is the SCTP equivalent
+    of a TCP SYN stealth scan.
+  o SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
+    closed ports return an ABORT chunk.
+  o SCTP INIT chunk ping probes (-PY): host discovery using SCTP
+    INIT chunk packets.
+  o SCTP-specific IP protocol scan (-sO -p sctp).
+  o SCTP-specific traceroute support (--traceroute).
+  o The ability to use the deprecated Adler32 algorithm as specified
+    in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
+  o 42 well-known SCTP ports were added to the nmap-services file.
+  Part of the work on SCTP support was kindly sponsored by
+  Compass Security AG, Switzerland.  [Daniel Roethlisberger]
+
 o [Zenmap] The Topology tab now has a "Save Snapshot" button that allows
   saving the current topology display as PNG, PostScript, PDF, and SVG.
   [Joao Medeiros]
diff --git a/NmapOps.cc b/NmapOps.cc
index 8da7522a4..59bff557b 100644
--- a/NmapOps.cc
+++ b/NmapOps.cc
@@ -238,6 +238,7 @@ void NmapOps::Initialize() {
   max_host_group_sz = 100000; // don't want to be restrictive unless user sets
   max_tcp_scan_delay = MAX_TCP_SCAN_DELAY;
   max_udp_scan_delay = MAX_UDP_SCAN_DELAY;
+  max_sctp_scan_delay = MAX_SCTP_SCAN_DELAY;
   max_ips_to_scan = 0;
   extra_payload_length = 0;
   extra_payload = NULL;
@@ -258,6 +259,8 @@ void NmapOps::Initialize() {
   listscan = pingscan = allowall = ackscan = bouncescan = connectscan = 0;
   rpcscan = nullscan = xmasscan = fragscan = synscan = windowscan = 0;
   maimonscan = idlescan = finscan = udpscan = ipprotscan = noresolve = 0;
+  sctpinitscan = 0;
+  sctpcookieechoscan = 0;
   append_output = 0;
   memset(logfd, 0, sizeof(FILE *) * LOG_NUM_FILES);
   ttl = -1;
@@ -266,6 +269,7 @@ void NmapOps::Initialize() {
   gettimeofday(&start_time, NULL);
   pTrace = vTrace = false;
   reason = false;
+  adler32 = false;
   if (datadir) free(datadir);
   datadir = NULL;
   if (xsl_stylesheet) free(xsl_stylesheet);
@@ -305,6 +309,10 @@ void NmapOps::Initialize() {
   sourcesocklen = 0;
 }
 
+bool NmapOps::SCTPScan() {
+  return sctpinitscan|sctpcookieechoscan;
+}
+
 bool NmapOps::TCPScan() {
   return ackscan|bouncescan|connectscan|finscan|idlescan|maimonscan|nullscan|synscan|windowscan|xmasscan;
 }
@@ -318,9 +326,9 @@ bool NmapOps::UDPScan() {
      IPv6 is being used.  It will return false in those cases where a
      RawScan is not neccessarily used. */
 bool NmapOps::RawScan() {
-  if (ackscan|finscan|idlescan|ipprotscan|maimonscan|nullscan|osscan|synscan|udpscan|windowscan|xmasscan)
+  if (ackscan|finscan|idlescan|ipprotscan|maimonscan|nullscan|osscan|synscan|udpscan|windowscan|xmasscan|sctpinitscan|sctpcookieechoscan)
     return true;
-  if (pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS|PINGTYPE_TCP_USE_ACK|PINGTYPE_UDP))
+  if (pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS|PINGTYPE_TCP_USE_ACK|PINGTYPE_UDP|PINGTYPE_SCTP_INIT))
     return true;
 
    return false; 
@@ -336,11 +344,11 @@ void NmapOps::ValidateOptions() {
 
 
   /* Insure that at least one scantype is selected */
-  if (TCPScan() + UDPScan() + ipprotscan + listscan + pingscan == 0) {
+  if (TCPScan() + UDPScan() + SCTPScan() + ipprotscan + listscan + pingscan == 0) {
     if (isr00t && af() == AF_INET)
       synscan++;
     else connectscan++;
-    //    if (verbose) error("No tcp, udp, or ICMP scantype specified, assuming %s scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).", synscan? "SYN Stealth" : "vanilla tcp connect()");
+    //    if (verbose) error("No TCP, UDP, SCTP or ICMP scantype specified, assuming %s scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).", synscan? "SYN Stealth" : "vanilla tcp connect()");
   }
 
   if (pingtype != PINGTYPE_NONE && spoofsource) {
@@ -364,11 +372,15 @@ void NmapOps::ValidateOptions() {
    fatal("Sorry, UDP Ping (-PU) only works if you are root (because we need to read raw responses off the wire) and only for IPv4 (cause fyodor is too lazy right now to add IPv6 support and nobody has sent a patch)");
  }
 
+ if ((pingtype & PINGTYPE_SCTP_INIT) && (!isr00t || af() != AF_INET)) {
+   fatal("Sorry, SCTP INIT Ping (-PY) only works if you are root (because we need to read raw responses off the wire) and only for IPv4 (cause fyodor is too lazy right now to add IPv6 support and nobody has sent a patch)");
+  }
+
  if ((pingtype & PINGTYPE_PROTO) && (!isr00t || af() != AF_INET)) {
    fatal("Sorry, IPProto Ping (-PO) only works if you are root (because we need to read raw responses off the wire) and only for IPv4");
  }
 
- if (ipprotscan + (TCPScan() || UDPScan()) + listscan + pingscan > 1) {
+ if (ipprotscan + (TCPScan() || UDPScan() || SCTPScan()) + listscan + pingscan > 1) {
    fatal("Sorry, the IPProtoscan, Listscan, and Pingscan (-sO, -sL, -sP) must currently be used alone rather than combined with other scan types.");
  }
 
@@ -376,7 +388,7 @@ void NmapOps::ValidateOptions() {
     fatal("-PN (skip ping) is incompatable with -sP (ping scan).  If you only want to enumerate hosts, try list scan (-sL)");
   }
 
- if (pingscan && (TCPScan() || UDPScan() || ipprotscan || listscan)) {
+ if (pingscan && (TCPScan() || UDPScan() || SCTPScan() || ipprotscan || listscan)) {
    fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan");
  }
 
@@ -394,7 +406,7 @@ void NmapOps::ValidateOptions() {
 /* We start with stuff users should not do if they are not root */
   if (!isr00t) {
     
-    if (ackscan|finscan|idlescan|ipprotscan|maimonscan|nullscan|synscan|udpscan|windowscan|xmasscan) {
+    if (ackscan|finscan|idlescan|ipprotscan|maimonscan|nullscan|synscan|udpscan|windowscan|xmasscan|sctpinitscan|sctpcookieechoscan) {
       fatal("You requested a scan type which requires %s.", privreq);
     }
     
@@ -477,7 +489,7 @@ void NmapOps::ValidateOptions() {
     fatal("--min-rate=%g must be less than or equal to --max-rate=%g", min_packet_send_rate, max_packet_send_rate);
   }
   
-  if (af() == AF_INET6 && (generate_random_ips|numdecoys|osscan|bouncescan|fragscan|ackscan|finscan|idlescan|ipprotscan|maimonscan|nullscan|synscan|udpscan|windowscan|xmasscan)) {
+  if (af() == AF_INET6 && (generate_random_ips|numdecoys|osscan|bouncescan|fragscan|ackscan|finscan|idlescan|ipprotscan|maimonscan|nullscan|synscan|udpscan|windowscan|xmasscan|sctpinitscan|sctpcookieechoscan)) {
     fatal("Sorry -- IPv6 support is currently only available for connect() scan (-sT), ping scan (-sP), and list scan (-sL).  OS detection, random targets and decoys are also not supported with IPv6.  Further support is under consideration.");
   }
 
diff --git a/NmapOps.h b/NmapOps.h
index 9e338017c..db7170ebe 100644
--- a/NmapOps.h
+++ b/NmapOps.h
@@ -123,6 +123,7 @@ class NmapOps {
 
   bool TCPScan(); /* Returns true if at least one chosen scan type is TCP */
   bool UDPScan(); /* Returns true if at least one chosen scan type is UDP */
+  bool SCTPScan(); /* Returns true if at least one chosen scan type is SCTP */
 
   /* Returns true if at least one chosen scan type uses raw packets.
      It does not currently cover cases such as TCP SYN ping scan which
@@ -222,8 +223,10 @@ class NmapOps {
   void setMaxHostGroupSz(unsigned int sz);
   unsigned int maxTCPScanDelay() { return max_tcp_scan_delay; }
   unsigned int maxUDPScanDelay() { return max_udp_scan_delay; }
+  unsigned int maxSCTPScanDelay() { return max_sctp_scan_delay; }
   void setMaxTCPScanDelay(unsigned int delayMS) { max_tcp_scan_delay = delayMS; }
   void setMaxUDPScanDelay(unsigned int delayMS) { max_udp_scan_delay = delayMS; }
+  void setMaxSCTPScanDelay(unsigned int delayMS) { max_sctp_scan_delay = delayMS; }
 
   /* Sets the Name of the XML stylesheet to be printed in XML output.
      If this is never called, a default stylesheet distributed with
@@ -291,6 +294,8 @@ class NmapOps {
   int rpcscan;
   int synscan;
   int udpscan;
+  int sctpinitscan;
+  int sctpcookieechoscan;
   int windowscan;
   int xmasscan;
   int noresolve;
@@ -314,6 +319,7 @@ class NmapOps {
   bool log_errors;
   bool traceroute;
   bool reason;
+  bool adler32;
 
 #ifndef NOLUA
   int script;
@@ -347,6 +353,7 @@ class NmapOps {
   int max_retransmissions;
   unsigned int max_tcp_scan_delay;
   unsigned int max_udp_scan_delay;
+  unsigned int max_sctp_scan_delay;
   unsigned int min_host_group_sz;
   unsigned int max_host_group_sz;
   void Initialize();
diff --git a/docs/nmap.dtd b/docs/nmap.dtd
index 3a475f0d3..5c97bd9a8 100644
--- a/docs/nmap.dtd
+++ b/docs/nmap.dtd
@@ -58,11 +58,11 @@
 <!ENTITY % hostname_types "(PTR)" >
 
 <!-- see output.c:output_xml_scaninfo_records for scan types -->
-<!ENTITY % scan_types "(syn|ack|bounce|connect|null|xmas|window|maimon|fin|udp|ipproto)" >
+<!ENTITY % scan_types "(syn|ack|bounce|connect|null|xmas|window|maimon|fin|udp|sctpinit|sctpcookieecho|ipproto)" >
 
 <!-- <!ENTITY % ip_versions "(ipv4)" > -->
 
-<!ENTITY % port_protocols "(ip|tcp|udp)" >
+<!ENTITY % port_protocols "(ip|tcp|udp|sctp)" >
 
 <!-- I don't know exactly what these are, but the values were enumerated via:
      grep "conf=" *
diff --git a/docs/refguide.xml b/docs/refguide.xml
index 0637de47e..0c02ffc35 100644
--- a/docs/refguide.xml
+++ b/docs/refguide.xml
@@ -322,12 +322,12 @@ you would expect.</para>
     ubiquitous <application>ping</application> tool. Users can skip
     the ping step entirely with a list scan (<option>-sL</option>) or
     by disabling ping (<option>-PN</option>), or engage the network
-    with arbitrary combinations of multi-port TCP SYN/ACK, UDP, and
-    ICMP probes. The goal of these probes is to solicit responses
-    which demonstrate that an IP address is actually active (is being
-    used by a host or network device). On many networks, only a small
-    percentage of IP addresses are active at any given time. This is
-    particularly common with private address space
+    with arbitrary combinations of multi-port TCP SYN/ACK, UDP, SCTP
+    INIT and ICMP probes. The goal of these probes is to solicit
+    responses which demonstrate that an IP address is actually active
+    (is being used by a host or network device). On many networks,
+    only a small percentage of IP addresses are active at any given
+    time. This is particularly common with private address space
     such as 10.0.0.0/8. That network has 16 million IPs, but I have
     seen it used by companies with less than a thousand machines. Host
     discovery can find those machines in a sparsely allocated sea of
@@ -642,6 +642,63 @@ you would expect.</para>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+        <option>-PY <replaceable>port list</replaceable></option> (SCTP INIT Ping)
+          <indexterm><primary><option>-PY</option></primary></indexterm>
+          <indexterm><primary>SCTP INIT ping</primary></indexterm>
+        </term>
+        <listitem>
+
+          <para>This option sends an SCTP packet containing a minimal
+          INIT chunk.  The default destination port is 80 (configurable
+          at compile time by changing
+          <varname>DEFAULT_SCTP_PROBE_PORT_SPEC</varname>
+          <indexterm><primary><varname>DEFAULT_SCTP_PROBE_PORT_SPEC</varname></primary></indexterm>
+          in <filename>nmap.h</filename>).
+          <indexterm><primary><filename>nmap.h</filename></primary></indexterm>
+          Alternate ports can be specified as a parameter. The syntax
+          is the same as for the
+          <option>-p</option> except that port type specifiers like
+          <literal>S:</literal> are not allowed. Examples are
+          <option>-PY22</option> and
+          <option>-PY22,80,179,5060</option>. Note that there
+          can be no space between <option>-PY</option> and the port
+          list. If multiple probes are specified they will be sent in
+          parallel.</para>
+
+          <para>The INIT chunk suggests to the remote system that you
+          are attempting to establish an association.  Normally the
+          destination port will be closed, and an ABORT chunk will be
+          sent back.  If the port happens to be open, the target will
+          take the second step of an SCTP
+          four-way-handshake<indexterm><primary>four-way handshake</primary></indexterm>
+          by responding with an INIT-ACK chunk. If the machine running
+          Nmap has a functional SCTP stack, then it tears down the
+          nascent association by responding with an ABORT chunk rather
+          than sending a COOKIE-ECHO chunk which would be the next step
+          in the four-way-handshake.  The ABORT packet is sent by the
+          kernel of the machine running Nmap in response to the
+          unexpected INIT-ACK, not by Nmap itself.</para>
+
+          <para>Nmap does not care whether the port is open or closed.
+          Either the ABORT or INIT-ACK response discussed previously tell
+          Nmap that the host is available and responsive.</para>
+
+          <para>On Unix boxes, only the privileged user
+          <literal>root</literal><indexterm><primary>privileged users</primary></indexterm>
+          is generally able to send and receive raw SCTP
+          packets.<indexterm><primary>raw packets</primary></indexterm>
+          Using SCTP INIT Pings is currently not possible for unprivileged
+          users.<indexterm><primary>unprivileged users</primary><secondary>limitations of</secondary></indexterm>
+          The same limitation applies to IPv6, which is currently not
+          supported for
+          SCTP INIT Ping.<indexterm><primary>IPv6</primary><secondary>limitations of</secondary></indexterm>
+          </para>
+
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>
         <option>-PE</option>;
@@ -654,9 +711,9 @@ you would expect.</para>
         </term>
         <listitem>
 
-          <para>In addition to the unusual TCP and UDP host discovery
-          types discussed previously, Nmap can send the standard
-          packets sent by the ubiquitous
+          <para>In addition to the unusual TCP, UDP and SCTP host
+          discovery types discussed previously, Nmap can send the
+          standard packets sent by the ubiquitous
           <application>ping</application> program.  Nmap sends an ICMP
           type 8 (echo request) packet to the target IP addresses,
           expecting a type 0 (echo reply) in return from available
@@ -709,17 +766,17 @@ you would expect.</para>
           which sends IP packets with the specified protocol number
           set in their IP header.  The protocol list
           takes the same format as do port lists in the
-          previously discussed TCP and UDP host discovery options.  If
-          no protocols are specified, the default is to send multiple
+          previously discussed TCP, UDP and SCTP host discovery options.
+          If no protocols are specified, the default is to send multiple
           IP packets for ICMP (protocol 1), IGMP (protocol 2), and
           IP-in-IP (protocol 4).  The default protocols can be
           configured at compile-time by changing
           <varname>DEFAULT_PROTO_PROBE_PORT_SPEC</varname><indexterm><primary><varname>DEFAULT_PROTO_PROBE_PORT_SPEC</varname></primary></indexterm>
           in <filename>nmap.h</filename>.
-          Note that for the ICMP, IGMP, TCP (protocol 6), and UDP
-          (protocol 17), the packets are sent with the proper protocol
-          headers while other protocols are sent with no additional data
-          beyond the IP header (unless the
+          Note that for the ICMP, IGMP, TCP (protocol 6), UDP
+          (protocol 17) and SCTP (protocol 132), the packets are sent
+          with the proper protocol headers while other protocols are
+          sent with no additional data beyond the IP header (unless the
           <option>--data-length</option> option is specified).</para>
 
           <para>This host discovery method looks for either responses
@@ -899,11 +956,12 @@ options from across the Internet might show that port as <literal>filtered</lite
   <indexterm><primary><literal>open</literal> port state</primary></indexterm>
   open</term>
   <listitem><para>An application is actively accepting TCP
-  connections or UDP packets on this port.  Finding these is often the
-  primary goal of port scanning.  Security-minded people know that
-  each open port is an avenue for attack.  Attackers and pen-testers
-  want to exploit the open ports, while administrators try to close or
-  protect them with firewalls without thwarting legitimate users.
+  connections, UDP datagrams or SCTP associations on this port.
+  Finding these is often the primary goal of port scanning.
+  Security-minded people know that each open port is an avenue for attack.
+  Attackers and pen-testers want to exploit the open ports, while
+  administrators try to close or protect them with firewalls without
+  thwarting legitimate users.
   Open ports are also interesting for non-security scans because they show
   services available for use on the network.
   </para></listitem></varlistentry>
@@ -1019,8 +1077,10 @@ discussed in the individual scan type entries.</para>
 
 <para>This section documents the dozen or so port scan
 techniques supported by Nmap.  Only one method may be used at a time,
-except that UDP scan (<option>-sU</option>) may be combined with any
-one of the TCP scan types.  As a memory aid, port scan type options
+except that UDP scan (<option>-sU</option>) and any one of the
+SCTP scan types (<option>-sY</option>, <option>-sZ</option>)
+may be combined with any one of the TCP scan types.
+As a memory aid, port scan type options
 are of the form <option>-s<replaceable>C</replaceable></option>, where
 <replaceable>C</replaceable> is a prominent character in the scan
 name, usually the first.  The one exception to this is the deprecated
@@ -1160,6 +1220,44 @@ hosts.</para>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+        <option>-sY</option> (SCTP INIT scan)
+<indexterm><primary><option>-sY</option></primary></indexterm>
+<indexterm><primary>SCTP INIT scan</primary></indexterm>
+</term>
+        <listitem>
+
+<para>
+  <ulink role="hidepdf" url="http://www.rfc-editor.org/rfc/rfc4960.txt">SCTP</ulink>
+is a relatively new alternative to the TCP and UDP protocols,
+combining most characteristics of TCP and UDP, and also adding
+new features like multi-homing and multi-streaming.  It is mostly
+being used for SS7/SIGTRAN related services but has the potential
+to be used for other applications as well.
+
+SCTP INIT scan is the SCTP equivalent of a TCP SYN scan.
+It can be performed quickly, scanning thousands of ports per
+second on a fast network not hampered by restrictive firewalls.
+Like SYN scan, INIT scan is relatively unobtrusive and stealthy,
+since it never completes SCTP associations.  It also allows clear,
+reliable differentiation between the <literal>open</literal>,
+<literal>closed</literal>, and <literal>filtered</literal>
+states.</para>
+
+<para>This technique is often referred to as half-open scanning,
+because you don't open a full SCTP association. You send an INIT
+chunk, as if you are going to open a real association and then wait
+for a response. An INIT-ACK chunk indicates the port is listening
+(open), while an ABORT chunk is indicative of a non-listener. If no
+response is received after several retransmissions, the port is
+marked as filtered.  The port is also marked filtered if an ICMP
+unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is
+received.</para>
+
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>
         <option>-sN</option>; <option>-sF</option>; <option>-sX</option> (TCP NULL, FIN, and Xmas scans)
@@ -1349,6 +1447,35 @@ used.</para>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+        <option>-sZ</option> (SCTP COOKIE ECHO scan)
+<indexterm><primary><option>-sZ</option></primary></indexterm>
+<indexterm><primary>SCTP COOKIE ECHO scan</primary></indexterm>
+</term>
+        <listitem>
+
+<para>
+SCTP COOKIE ECHO scan is a more advanced SCTP scan.  It takes
+advantage of the fact that SCTP implementations should silently
+drop packets containing COOKIE ECHO chunks on open ports, but
+send an ABORT if the port is closed.
+
+The advantage of this scan type is that it is not as obvious a
+port scan than an INIT scan.  Also, there may be non-stateful
+firewall rulesets blocking INIT chunks, but not COOKIE ECHO
+chunks.  Don't be fooled into thinking that this will make a
+port scan invisible; a good IDS will be able to detect SCTP
+COOKIE ECHO scans too.
+
+The downside is that SCTP COOKIE ECHO scans cannot differentiate
+between <literal>open</literal> and <literal>filtered</literal>
+ports, leaving you with the state <literal>open|filtered</literal>
+in both cases.</para>
+
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>
         <option>-sI <replaceable>zombie host</replaceable><optional>:<replaceable>probeport</replaceable></optional></option> (idle scan)
@@ -3148,7 +3275,7 @@ support the option completely, as does UDP scan.</para>
         <listitem>
 
 
-          <para>Asks Nmap to use an invalid TCP or UDP checksum for
+          <para>Asks Nmap to use an invalid TCP, UDP or SCTP checksum for
   packets sent to target hosts.  Since virtually all
   host IP stacks properly drop these packets, any responses received
   are likely coming from a firewall or IDS that didn't bother to
@@ -3157,6 +3284,31 @@ support the option completely, as does UDP scan.</para>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+          <option>--adler32</option> (Use deprecated Adler32 instead of CRC32C for SCTP checksums)
+        <indexterm><primary><option>--adler32</option></primary></indexterm>
+        <indexterm><primary>CRC32C checksum</primary></indexterm>
+        <indexterm><primary>Adler32 checksum</primary></indexterm>
+        <indexterm><primary>SCTP checksum</primary></indexterm>
+        <indexterm><primary>checksums</primary></indexterm>
+        </term>
+        <listitem>
+
+
+          <para>Asks Nmap to use the deprecated Adler32 algorithm
+  for calculating the SCTP checksum.  If <option>--adler32</option>
+  is not given, CRC-32C (Castagnoli) is used.
+  <ulink role="hidepdf" url="http://www.rfc-editor.org/rfc/rfc2960.txt">RFC 2960</ulink>
+  originally defined Adler32 as checksum algorithm for SCTP;
+  <ulink role="hidepdf" url="http://www.rfc-editor.org/rfc/rfc4960.txt">RFC 4960</ulink>
+  later redefined the SCTP checksums to use CRC-32C.  Current SCTP
+  implementations should be using CRC-32C, but in order to elicit
+  responses from old, legacy SCTP implementations, it may be
+  preferrable to use Adler32.</para>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
 
     <indexterm class="endofrange" startref="man-bypass-ids-indexterm"/>
diff --git a/global_structures.h b/global_structures.h
index 87277703b..3e81097f1 100644
--- a/global_structures.h
+++ b/global_structures.h
@@ -97,9 +97,9 @@
 class TargetGroup;
 class Target;
 
-/* Stores "port info" which is TCP/UDP ports or RPC program ids */
+/* Stores "port info" which is TCP/UDP/SCTP ports or RPC program ids */
 struct portinfo {
-   unsigned long portno; /* TCP/UDP port or RPC program id or IP protocool */
+   unsigned long portno; /* TCP/UDP/SCTP port or RPC program id or IP protocool */
    short trynum;
    int sd[3]; /* Socket descriptors for connect_scan */
    struct timeval sent[3]; 
@@ -218,10 +218,12 @@ struct scan_lists {
 	unsigned short *syn_ping_ports;
 	unsigned short *ack_ping_ports;
 	unsigned short *udp_ping_ports;
+	unsigned short *sctp_ping_ports;
 	unsigned short *proto_ping_ports;
 	int syn_ping_count;
 	int ack_ping_count;
 	int udp_ping_count;
+	int sctp_ping_count;
 	int proto_ping_count;
 	//the above fields are only used for host discovery
 	//the fields below are only used for port scanning
@@ -229,10 +231,12 @@ struct scan_lists {
 	int tcp_count;
 	unsigned short *udp_ports;
 	int udp_count;
+	unsigned short *sctp_ports;
+	int sctp_count;
 	unsigned short *prots;
 	int prot_count;
 };
 
-typedef enum { STYPE_UNKNOWN, HOST_DISCOVERY, ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, RPC_SCAN, MAIMON_SCAN, IPPROT_SCAN, PING_SCAN, PING_SCAN_ARP, IDLE_SCAN, BOUNCE_SCAN, SERVICE_SCAN, OS_SCAN, SCRIPT_SCAN, TRACEROUTE, REF_TRACEROUTE}stype;
+typedef enum { STYPE_UNKNOWN, HOST_DISCOVERY, ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, SCTP_INIT_SCAN, SCTP_COOKIE_ECHO_SCAN, RPC_SCAN, MAIMON_SCAN, IPPROT_SCAN, PING_SCAN, PING_SCAN_ARP, IDLE_SCAN, BOUNCE_SCAN, SERVICE_SCAN, OS_SCAN, SCRIPT_SCAN, TRACEROUTE, REF_TRACEROUTE}stype;
 
 #endif /*GLOBAL_STRUCTURES_H */
diff --git a/libdnet-stripped/NMAP_MODIFICATIONS b/libdnet-stripped/NMAP_MODIFICATIONS
index 18d03f28e..5c63177a7 100644
--- a/libdnet-stripped/NMAP_MODIFICATIONS
+++ b/libdnet-stripped/NMAP_MODIFICATIONS
@@ -445,9 +445,12 @@ Index: libdnet-stripped/src/intf-win32.c
  		} else
  			return (-1);
 
-Added eth_get_pcap_devname() that matches up a dnet name to its pcap
-equivalent by matching hardwar addresses.  It's similar to the code
-used in eth_open()
+o Added eth_get_pcap_devname() that matches up a dnet name to its pcap
+  equivalent by matching hardwar addresses.  It's similar to the code
+  used in eth_open()
+
+o Added SCTP support.  Not including patches since the SCTP changes
+  will be included in the next libdnet release. [Daniel Roethlisberger]
 
 o Handle the case of sa_len == 0 (meaning 0.0.0.0) in addr_stob.
 Index: src/addr.c
diff --git a/libdnet-stripped/include/dnet.h b/libdnet-stripped/include/dnet.h
index e053c2493..0af5763eb 100644
--- a/libdnet-stripped/include/dnet.h
+++ b/libdnet-stripped/include/dnet.h
@@ -19,6 +19,7 @@
 #include <dnet/icmp.h>
 #include <dnet/tcp.h>
 #include <dnet/udp.h>
+#include <dnet/sctp.h>
 
 #include <dnet/intf.h>
 #include <dnet/route.h>
diff --git a/libdnet-stripped/include/dnet/Makefile.am b/libdnet-stripped/include/dnet/Makefile.am
index 737a8a013..3ff1070f9 100644
--- a/libdnet-stripped/include/dnet/Makefile.am
+++ b/libdnet-stripped/include/dnet/Makefile.am
@@ -5,4 +5,4 @@ include $(top_srcdir)/Makefile.am.common
 dnetincludedir = $(includedir)/dnet
 
 dnetinclude_HEADERS = addr.h arp.h blob.h eth.h fw.h icmp.h intf.h ip.h \
-	ip6.h os.h rand.h route.h tcp.h tun.h udp.h
+	ip6.h os.h rand.h route.h tcp.h tun.h udp.h sctp.h
diff --git a/libdnet-stripped/include/dnet/sctp.h b/libdnet-stripped/include/dnet/sctp.h
new file mode 100644
index 000000000..1eba0dae1
--- /dev/null
+++ b/libdnet-stripped/include/dnet/sctp.h
@@ -0,0 +1,168 @@
+/*
+ * sctp.h
+ *
+ * Stream Control Transmission Protocol (RFC 4960).
+ *
+ * Copyright (c) 2008-2009 Daniel Roethlisberger <daniel@roe.ch>
+ *
+ * $Id$
+ */
+
+#ifndef DNET_SCTP_H
+#define DNET_SCTP_H
+
+#define SCTP_HDR_LEN	12
+
+struct sctp_hdr {
+	uint16_t	sh_sport;	/* source port */
+	uint16_t	sh_dport;	/* destination port */
+	uint32_t	sh_vtag;	/* sctp verification tag */
+	uint32_t	sh_sum;		/* sctp checksum */
+};
+
+#define SCTP_PORT_MAX	65535
+
+#define sctp_pack_hdr(hdr, sport, dport, vtag) do {			\
+	struct sctp_hdr *sctp_pack_p = (struct sctp_hdr *)(hdr);	\
+	sctp_pack_p->sh_sport = htons(sport);				\
+	sctp_pack_p->sh_dport = htons(dport);				\
+	sctp_pack_p->sh_vtag = htonl(vtag);				\
+} while (0)
+
+struct sctp_chunkhdr {
+	uint8_t		sch_type;	/* chunk type */
+	uint8_t		sch_flags;	/* chunk flags */
+	uint16_t	sch_length;	/* chunk length */
+};
+
+/* chunk types */
+#define SCTP_DATA		0x00
+#define SCTP_INIT		0x01
+#define SCTP_INIT_ACK		0x02
+#define SCTP_SACK		0x03
+#define SCTP_HEARTBEAT		0x04
+#define SCTP_HEARTBEAT_ACK	0x05
+#define SCTP_ABORT		0x06
+#define SCTP_SHUTDOWN		0x07
+#define SCTP_SHUTDOWN_ACK	0x08
+#define SCTP_ERROR		0x09
+#define SCTP_COOKIE_ECHO	0x0a
+#define SCTP_COOKIE_ACK		0x0b
+#define SCTP_ECNE		0x0c
+#define SCTP_CWR		0x0d
+#define SCTP_SHUTDOWN_COMPLETE	0x0e
+#define SCTP_AUTH		0x0f	/* RFC 4895 */
+#define SCTP_ASCONF_ACK		0x80	/* RFC 5061 */
+#define SCTP_PKTDROP		0x81	/* draft-stewart-sctp-pktdrprep-08 */
+#define SCTP_PAD		0x84	/* RFC 4820 */
+#define SCTP_FORWARD_TSN	0xc0	/* RFC 3758 */
+#define SCTP_ASCONF		0xc1	/* RFC 5061 */
+
+/* chunk types bitmask flags */
+#define SCTP_TYPEFLAG_REPORT	1
+#define SCTP_TYPEFLAG_SKIP	2
+
+#define sctp_pack_chunkhdr(hdr, type, flags, length) do {		\
+	struct sctp_chunkhdr *sctp_pack_chp = (struct sctp_chunkhdr *)(hdr);\
+	sctp_pack_chp->sch_type = type;					\
+	sctp_pack_chp->sch_flags = flags;				\
+	sctp_pack_chp->sch_length = htons(length);			\
+} while (0)
+
+/*
+ * INIT chunk
+ */
+struct sctp_chunkhdr_init {
+	struct sctp_chunkhdr chunkhdr;
+
+	uint32_t	schi_itag;	/* Initiate Tag */
+	uint32_t	schi_arwnd;	/* Advertised Receiver Window Credit */
+	uint16_t	schi_nos;	/* Number of Outbound Streams */
+	uint16_t	schi_nis;	/* Number of Inbound Streams */
+	uint32_t	schi_itsn;	/* Initial TSN */
+};
+
+#define sctp_pack_chunkhdr_init(hdr, type, flags, length, itag,		\
+				arwnd, nos, nis, itsn) do {		\
+	struct sctp_chunkhdr_init *sctp_pack_chip =			\
+			(struct sctp_chunkhdr_init *)(hdr);		\
+	sctp_pack_chunkhdr(sctp_pack_chip, type, flags, length);	\
+	sctp_pack_chip->schi_itag = htonl(itag);			\
+	sctp_pack_chip->schi_arwnd = htonl(arwnd);			\
+	sctp_pack_chip->schi_nos = htons(nos);				\
+	sctp_pack_chip->schi_nis = htons(nis);				\
+	sctp_pack_chip->schi_itsn = htonl(itsn);			\
+} while (0)
+
+/*
+ * INIT ACK chunk
+ */
+struct sctp_chunkhdr_init_ack {
+	struct sctp_chunkhdr chunkhdr;
+
+	uint32_t	schia_itag;	/* Initiate Tag */
+	uint32_t	schia_arwnd;	/* Advertised Receiver Window Credit */
+	uint16_t	schia_nos;	/* Number of Outbound Streams */
+	uint16_t	schia_nis;	/* Number of Inbound Streams */
+	uint32_t	schia_itsn;	/* Initial TSN */
+};
+
+#define sctp_pack_chunkhdr_init_ack(hdr, type, flags, length, itag,	\
+				arwnd, nos, nis, itsn) do {		\
+	struct sctp_chunkhdr_init_ack *sctp_pack_chip =			\
+			(struct sctp_chunkhdr_init_ack *)(hdr);		\
+	sctp_pack_chunkhdr(sctp_pack_chip, type, flags, length);	\
+	sctp_pack_chip->schia_itag = htonl(itag);			\
+	sctp_pack_chip->schia_arwnd = htonl(arwnd);			\
+	sctp_pack_chip->schia_nos = htons(nos);				\
+	sctp_pack_chip->schia_nis = htons(nis);				\
+	sctp_pack_chip->schia_itsn = htonl(itsn);			\
+} while (0)
+
+/*
+ * ABORT chunk
+ */
+struct sctp_chunkhdr_abort {
+	struct sctp_chunkhdr chunkhdr;
+
+	/* empty */
+};
+
+#define sctp_pack_chunkhdr_abort(hdr, type, flags, length) do {		\
+	struct sctp_chunkhdr_abort *sctp_pack_chip =			\
+			(struct sctp_chunkhdr_abort *)(hdr);		\
+	sctp_pack_chunkhdr(sctp_pack_chip, type, flags, length);	\
+} while (0)
+
+/*
+ * SHUTDOWN ACK chunk
+ */
+struct sctp_chunkhdr_shutdown_ack {
+	struct sctp_chunkhdr chunkhdr;
+
+	/* empty */
+};
+
+#define sctp_pack_chunkhdr_shutdown_ack(hdr, type, flags, length) do {	\
+	struct sctp_chunkhdr_shutdown_ack *sctp_pack_chip =		\
+			(struct sctp_chunkhdr_shutdown_ack *)(hdr);	\
+	sctp_pack_chunkhdr(sctp_pack_chip, type, flags, length);	\
+} while (0)
+
+/*
+ * COOKIE ECHO chunk
+ */
+struct sctp_chunkhdr_cookie_echo {
+	struct sctp_chunkhdr chunkhdr;
+
+	/* empty */
+};
+
+#define sctp_pack_chunkhdr_cookie_echo(hdr, type, flags, length) do {	\
+	struct sctp_chunkhdr_cookie_echo *sctp_pack_chip =		\
+			(struct sctp_chunkhdr_cookie_echo *)(hdr);	\
+	sctp_pack_chunkhdr(sctp_pack_chip, type, flags, length);	\
+} while (0)
+
+#endif /* DNET_SCTP_H */
+
diff --git a/libdnet-stripped/libdnet-stripped.vcproj b/libdnet-stripped/libdnet-stripped.vcproj
index 0198779d8..52df1f2cb 100755
--- a/libdnet-stripped/libdnet-stripped.vcproj
+++ b/libdnet-stripped/libdnet-stripped.vcproj
@@ -270,6 +270,10 @@
 				RelativePath=".\include\dnet\udp.h"
 				>
 			</File>
+			<File
+				RelativePath=".\include\dnet\sctp.h"
+				>
+			</File>
 		</Filter>
 		<Filter
 			Name="Resource Files"
diff --git a/libdnet-stripped/src/crc32ct.h b/libdnet-stripped/src/crc32ct.h
new file mode 100644
index 000000000..8c3ac929b
--- /dev/null
+++ b/libdnet-stripped/src/crc32ct.h
@@ -0,0 +1,83 @@
+/*
+ * crc32ct.h
+ *
+ * Public domain.
+ *
+ * $Id$
+ */
+
+#ifndef CRC32CT_H
+#define CRC32CT_H
+
+#define CRC32C_POLY 0x1EDC6F41
+#define CRC32C(c,d) (c=(c>>8)^crc_c[(c^(d))&0xFF])
+
+static unsigned long crc_c[256] = {
+0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L,
+0xC79A971FL, 0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL,
+0x8AD958CFL, 0x78B2DBCCL, 0x6BE22838L, 0x9989AB3BL,
+0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L, 0x5E133C24L,
+0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
+0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L,
+0x9A879FA0L, 0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L,
+0x5D1D08BFL, 0xAF768BBCL, 0xBC267848L, 0x4E4DFB4BL,
+0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L, 0x33ED7D2AL,
+0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
+0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L,
+0x6DFE410EL, 0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL,
+0x30E349B1L, 0xC288CAB2L, 0xD1D83946L, 0x23B3BA45L,
+0xF779DEAEL, 0x05125DADL, 0x1642AE59L, 0xE4292D5AL,
+0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
+0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L,
+0x417B1DBCL, 0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L,
+0x86E18AA3L, 0x748A09A0L, 0x67DAFA54L, 0x95B17957L,
+0xCBA24573L, 0x39C9C670L, 0x2A993584L, 0xD8F2B687L,
+0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
+0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L,
+0x96BF4DCCL, 0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L,
+0xDBFC821CL, 0x2997011FL, 0x3AC7F2EBL, 0xC8AC71E8L,
+0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L, 0x0F36E6F7L,
+0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
+0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L,
+0xEB1FCBADL, 0x197448AEL, 0x0A24BB5AL, 0xF84F3859L,
+0x2C855CB2L, 0xDEEEDFB1L, 0xCDBE2C45L, 0x3FD5AF46L,
+0x7198540DL, 0x83F3D70EL, 0x90A324FAL, 0x62C8A7F9L,
+0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
+0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L,
+0x3CDB9BDDL, 0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L,
+0x82F63B78L, 0x709DB87BL, 0x63CD4B8FL, 0x91A6C88CL,
+0x456CAC67L, 0xB7072F64L, 0xA457DC90L, 0x563C5F93L,
+0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
+0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL,
+0x92A8FC17L, 0x60C37F14L, 0x73938CE0L, 0x81F80FE3L,
+0x55326B08L, 0xA759E80BL, 0xB4091BFFL, 0x466298FCL,
+0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL, 0x0B21572CL,
+0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
+0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L,
+0x65D122B9L, 0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL,
+0x2892ED69L, 0xDAF96E6AL, 0xC9A99D9EL, 0x3BC21E9DL,
+0xEF087A76L, 0x1D63F975L, 0x0E330A81L, 0xFC588982L,
+0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
+0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L,
+0x38CC2A06L, 0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L,
+0xFF56BD19L, 0x0D3D3E1AL, 0x1E6DCDEEL, 0xEC064EEDL,
+0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L, 0xD0DDD530L,
+0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
+0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL,
+0x8ECEE914L, 0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L,
+0xD3D3E1ABL, 0x21B862A8L, 0x32E8915CL, 0xC083125FL,
+0x144976B4L, 0xE622F5B7L, 0xF5720643L, 0x07198540L,
+0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
+0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL,
+0xE330A81AL, 0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL,
+0x24AA3F05L, 0xD6C1BC06L, 0xC5914FF2L, 0x37FACCF1L,
+0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L, 0x7AB90321L,
+0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
+0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L,
+0x34F4F86AL, 0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL,
+0x79B737BAL, 0x8BDCB4B9L, 0x988C474DL, 0x6AE7C44EL,
+0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, 0xAD7D5351L,
+};
+
+#endif /* CRC32CT_H */
+
diff --git a/libdnet-stripped/src/ip-util.c b/libdnet-stripped/src/ip-util.c
index 86a21831f..280f0ee0c 100644
--- a/libdnet-stripped/src/ip-util.c
+++ b/libdnet-stripped/src/ip-util.c
@@ -17,6 +17,30 @@
 #include <string.h>
 
 #include "dnet.h"
+#include "crc32ct.h"
+
+/* CRC-32C (Castagnoli). Public domain. */
+static unsigned long
+_crc32c(unsigned char *buf, int len)
+{
+	int i;
+	unsigned long crc32 = ~0L;
+	unsigned long result;
+	unsigned char byte0, byte1, byte2, byte3;
+
+	for (i = 0; i < len; i++) {
+		CRC32C(crc32, buf[i]);
+	}
+
+	result = ~crc32;
+
+	byte0 =  result        & 0xff;
+	byte1 = (result >>  8) & 0xff;
+	byte2 = (result >> 16) & 0xff;
+	byte3 = (result >> 24) & 0xff;
+	crc32 = ((byte0 << 24) | (byte1 << 16) | (byte2 <<  8) | byte3);
+	return crc32;
+}
 
 ssize_t
 ip_add_option(void *buf, size_t len, int proto,
@@ -123,6 +147,13 @@ ip_checksum(void *buf, size_t len)
 			if (!udp->uh_sum)
 				udp->uh_sum = 0xffff;	/* RFC 768 */
 		}
+	} else if (ip->ip_p == IP_PROTO_SCTP) {
+		struct sctp_hdr *sctp = (struct sctp_hdr *)((u_char *)ip + hl);
+
+		if (len >= SCTP_HDR_LEN) {
+			sctp->sh_sum = 0;
+			sctp->sh_sum = htonl(_crc32c((u_char *)sctp, len));
+		}
 	} else if (ip->ip_p == IP_PROTO_ICMP || ip->ip_p == IP_PROTO_IGMP) {
 		struct icmp_hdr *icmp = (struct icmp_hdr *)((u_char *)ip + hl);
 		
diff --git a/nmap-services b/nmap-services
index 43cdf9f5e..4934430b8 100644
--- a/nmap-services
+++ b/nmap-services
@@ -31,9 +31,11 @@ rje	5/udp	0.000593	# Remote Job Entry
 unknown	6/tcp	0.000502
 echo	7/tcp	0.004855
 echo	7/udp	0.024679
+echo	7/sctp	0.000000
 unknown	8/tcp	0.000013
 discard	9/tcp	0.003764	# sink null
 discard	9/udp	0.015733	# sink null
+discard	9/sctp	0.000000	# sink null
 unknown	10/tcp	0.000063
 systat	11/tcp	0.000075	# Active Users
 systat	11/udp	0.000577	# Active Users
@@ -50,10 +52,13 @@ chargen	19/tcp	0.002559	# ttytst source Character Generator
 chargen	19/udp	0.015865	# ttytst source Character Generator
 ftp-data	20/tcp	0.001079	# File Transfer [Default Data]
 ftp-data	20/udp	0.001878	# File Transfer [Default Data]
+ftp-data	20/sctp	0.000000	# File Transfer [Default Data]
 ftp	21/tcp	0.197667	# File Transfer [Control]
 ftp	21/udp	0.004844	# File Transfer [Control]
+ftp	21/sctp	0.000000	# File Transfer [Control]
 ssh	22/tcp	0.182286	# Secure Shell Login
 ssh	22/udp	0.003905	# Secure Shell Login
+ssh	22/sctp	0.000000	# Secure Shell Login
 telnet	23/tcp	0.221265
 telnet	23/udp	0.006211
 priv-mail	24/tcp	0.001154	# any private mail system
@@ -153,6 +158,7 @@ finger	79/tcp	0.006022
 finger	79/udp	0.000956
 http	80/tcp	0.484143	# World Wide Web HTTP
 http	80/udp	0.035767	# World Wide Web HTTP
+http	80/sctp	0.000000	# World Wide Web HTTP
 hosts2-ns	81/tcp	0.012056	# HOSTS2 Name Server
 hosts2-ns	81/udp	0.001005	# HOSTS2 Name Server
 xfer	82/tcp	0.002923	# XFER Utility
@@ -323,6 +329,7 @@ xdmcp	177/udp	0.018551	# X Display Manager Control Protocol
 nextstep	178/udp	0.000346	# NextStep Window Server
 bgp	179/tcp	0.010538	# Border Gateway Protocol
 bgp	179/udp	0.000494	# Border Gateway Protocol
+bgp	179/sctp	0.000000	# Border Gateway Protocol
 ris	180/tcp	0.000038	# Intergraph
 ris	180/udp	0.000478	# Intergraph
 unify	181/tcp	0.000025
@@ -660,6 +667,7 @@ cvc_hostd	442/tcp	0.000138
 cvc_hostd	442/udp	0.000774
 https	443/tcp	0.208669	# secure http (SSL)
 https	443/udp	0.010840
+https	443/sctp	0.000000
 snpp	444/tcp	0.004466	# Simple Network Paging Protocol
 snpp	444/udp	0.000873	# Simple Network Paging Protocol
 microsoft-ds	445/tcp	0.056944	# SMB directly over IP
@@ -1865,8 +1873,9 @@ unknown	1164/udp	0.000330
 unknown	1165/tcp	0.000152
 unknown	1166/tcp	0.000152
 unknown	1166/udp	0.000330
-unknown	1167/tcp	0.000076
-phone	1167/udp	0.000593	# conference calling
+cisco-ipsla	1167/tcp	0.000076	# Cisco IP SLAs Control Protocol
+cisco-ipsla	1167/udp	0.000593	# Cisco IP SLAs Control Protocol
+cisco-ipsla	1167/sctp	0.000000	# Cisco IP SLAs Control Protocol
 unknown	1168/tcp	0.000076
 unknown	1168/udp	0.000330
 unknown	1169/tcp	0.000380
@@ -2586,7 +2595,9 @@ unknown	1808/tcp	0.000076
 unknown	1811/tcp	0.000076
 unknown	1812/tcp	0.000152
 radius	1812/udp	0.053839	# RADIUS authentication protocol (RFC 2138)
+radius	1812/sctp	0.000000	# RADIUS authentication protocol (RFC 2138)
 radacct	1813/udp	0.010429	# RADIUS accounting protocol (RFC 2139)
+radacct	1813/sctp	0.000000	# RADIUS accounting protocol (RFC 2139)
 unknown	1814/udp	0.000330
 unknown	1815/udp	0.000330
 unknown	1818/udp	0.000330
@@ -2893,6 +2904,7 @@ unknown	2222/tcp	0.000608
 msantipiracy	2222/udp	0.047902	# Microsoft Office OS X antipiracy network monitor
 unknown	2223/udp	0.010902
 unknown	2224/tcp	0.000076
+rcip-itu	2225/sctp	0.000000	# Resource Connection Initiation Protocol
 unknown	2226/udp	0.000330
 ivs-video	2232/tcp	0.000151	# IVS Video default
 ivs-video	2232/udp	0.000626	# IVS Video default
@@ -2998,6 +3010,7 @@ unknown	2417/udp	0.000330
 unknown	2418/tcp	0.000076
 unknown	2418/udp	0.000330
 unknown	2425/tcp	0.000076
+mgcp-gateway	2427/sctp	0.000000
 unknown	2429/udp	0.000330
 venus	2430/tcp	0.000050
 venus	2430/udp	0.000478
@@ -3189,7 +3202,9 @@ unknown	2901/udp	0.000330
 unknown	2902/tcp	0.000076
 extensisportfolio	2903/tcp	0.000100	# Portfolio Server by Extensis Product Group
 unknown	2903/udp	0.000330
-unknown	2904/udp	0.000330
+m2ua	2904/udp	0.000330	# SIGTRAN M2UA
+m2ua	2904/sctp	0.000000	# SIGTRAN M2UA
+m3ua	2905/sctp	0.000000	# SIGTRAN M3UA
 unknown	2908/tcp	0.000076
 unknown	2908/udp	0.000661
 unknown	2909/tcp	0.000228
@@ -3203,7 +3218,9 @@ unknown	2928/udp	0.000330
 unknown	2930/tcp	0.000076
 unknown	2932/udp	0.000330
 unknown	2940/udp	0.000330
-unknown	2944/udp	0.000330
+megaco-h248	2944/udp	0.000330	# Megaco H-248 (Text)
+megaco-h248	2944/sctp	0.000000	# Megaco H-248 (Text)
+h248-binary	2945/sctp	0.000000	# Megaco H-248 (Binary)
 wap-push	2948/udp	0.000791	# Windows Mobile devices often have this
 unknown	2950/udp	0.000330
 unknown	2951/udp	0.000330
@@ -3275,6 +3292,7 @@ unknown	3080/tcp	0.000076
 sj3	3086/tcp	0.000050	# SJ3 (kanji input)
 unknown	3089/tcp	0.000076
 unknown	3094/udp	0.000661
+itu-bicc-stc	3097/sctp	0.000000	# ITU-T Q.1902.1/Q.2150.3
 unknown	3099/udp	0.000330
 unknown	3102/tcp	0.000076
 unknown	3102/udp	0.000330
@@ -3488,6 +3506,7 @@ unknown	3544/udp	0.000661
 unknown	3546/tcp	0.000304
 unknown	3551/tcp	0.000380
 unknown	3555/udp	0.000330
+m2pa	3565/sctp	0.000000	# M2PA
 unknown	3569/udp	0.000991
 unknown	3571/udp	0.000330
 unknown	3573/udp	0.000330
@@ -3630,8 +3649,11 @@ unknown	3853/tcp	0.000152
 unknown	3856/tcp	0.000076
 unknown	3859/tcp	0.000152
 unknown	3860/tcp	0.000076
-unknown	3863/tcp	0.000152
-unknown	3868/tcp	0.000076
+asap-tcp	3863/tcp	0.000152	# RSerPool ASAP (TCP)
+asap-sctp	3863/sctp	0.000000	# RSerPool ASAP (SCTP)
+asap-sctp-tls	3864/sctp	0.000000	# RSerPool ASAP/TLS (SCTP)
+diameter	3868/tcp	0.000076	# DIAMETER
+diameter	3868/sctp	0.000000	# DIAMETER
 unknown	3869/tcp	0.000228
 unknown	3869/udp	0.000330
 unknown	3870/tcp	0.000152
@@ -4048,6 +4070,8 @@ unknown	4712/tcp	0.000076
 unknown	4713/udp	0.000330
 unknown	4726/udp	0.000330
 unknown	4734/udp	0.000330
+ipfix	4739/sctp	0.000000	# IP Flow Info Export
+ipfixs	4740/sctp	0.000000	# IP Flow Info Export over DTLS
 unknown	4741/udp	0.000330
 unknown	4743/udp	0.000330
 unknown	4745/tcp	0.000076
@@ -4184,8 +4208,10 @@ unknown	5056/udp	0.000330
 unknown	5059/udp	0.000330
 sip	5060/tcp	0.010613	# Session Initiation Protocol (SIP)
 sip	5060/udp	0.044350	# Session Initiation Protocol (SIP)
-unknown	5061/tcp	0.000228
-unknown	5061/udp	0.000330
+sip	5060/sctp	0.000000	# Session Initiation Protocol (SIP)
+sip-tls	5061/tcp	0.000228	# SIP-TLS
+sip-tls	5061/udp	0.000330	# SIP-TLS
+sip-tls	5061/sctp	0.000000	# SIP-TLS
 unknown	5063/tcp	0.000152
 unknown	5066/tcp	0.000076
 unknown	5068/udp	0.000330
@@ -4202,6 +4228,8 @@ unknown	5087/tcp	0.000228
 unknown	5088/tcp	0.000076
 unknown	5090/tcp	0.000076
 unknown	5090/udp	0.000330
+car	5090/sctp	0.000000	# Candidate AR
+cxtp	5091/sctp	0.000000	# Context Transfer Protocol
 unknown	5093/udp	0.003304
 unknown	5094/udp	0.000330
 unknown	5095/tcp	0.000076
@@ -4435,7 +4463,9 @@ unknown	5665/tcp	0.000076
 nrpe	5666/tcp	0.006614	# Nagios NRPE
 unknown	5667/tcp	0.000076
 unknown	5667/udp	0.000330
-unknown	5672/tcp	0.000076
+amqp	5672/tcp	0.000076	# AMQP
+amqp	5672/sctp	0.000000	# AMQP
+v5ua	5675/sctp	0.000000	# V5UA application port
 unknown	5678/tcp	0.000228
 activesync	5679/tcp	0.000590	# Microsoft ActiveSync PDY synchronization
 canna	5680/tcp	0.000151	# Canna (Japanese Input)
@@ -5133,6 +5163,7 @@ unknown	7609/udp	0.000330
 unknown	7613/udp	0.000661
 unknown	7617/udp	0.000330
 unknown	7625/tcp	0.000380
+simco	7626/sctp	0.000000	# SImple Middlebox COnfiguration (SIMCO)
 unknown	7627/tcp	0.000380
 unknown	7628/tcp	0.000076
 unknown	7630/udp	0.000330
@@ -5432,8 +5463,9 @@ unknown	8455/udp	0.000330
 unknown	8458/udp	0.000330
 unknown	8468/udp	0.000330
 unknown	8470/tcp	0.000076
-unknown	8471/tcp	0.000076
-unknown	8471/udp	0.000330
+pim-port	8471/tcp	0.000076	# PIM over Reliable Transport
+pim-port	8471/udp	0.000330	# PIM over Reliable Transport
+pim-port	8471/sctp	0.000000	# PIM over Reliable Transport
 unknown	8472/tcp	0.000076
 unknown	8473/udp	0.000330
 unknown	8474/tcp	0.000076
@@ -5624,7 +5656,8 @@ unknown	9079/udp	0.000661
 unknown	9080/tcp	0.000380
 unknown	9080/udp	0.000330
 unknown	9081/tcp	0.000228
-unknown	9084/tcp	0.000076
+aurora	9084/tcp	0.000076	# IBM AURORA Performance Visualizer
+aurora	9084/sctp	0.000000	# IBM AURORA Performance Visualizer
 unknown	9085/udp	0.000330
 unknown	9086/udp	0.000330
 unknown	9088/udp	0.000330
@@ -5890,8 +5923,12 @@ unknown	9893/udp	0.000330
 unknown	9894/udp	0.000330
 unknown	9897/udp	0.000661
 unknown	9898/tcp	0.000228
-unknown	9900/tcp	0.000380
+sctp-tunneling	9899/sctp	0.000000	# SCTP Tunneling
+iua	9900/tcp	0.000380	# IUA
+iua	9900/sctp	0.000000	# IUA
 unknown	9901/tcp	0.000076
+enrp-sctp	9901/sctp	0.000000	# ENRP server channel
+enrp-sctp-tls	9902/sctp	0.000000	# ENRP/TLS server channel
 unknown	9908/tcp	0.000076
 unknown	9909/tcp	0.000076
 unknown	9910/tcp	0.000076
@@ -6367,8 +6404,11 @@ unknown	11982/udp	0.000330
 unknown	11988/udp	0.000330
 unknown	11991/udp	0.000330
 unknown	11997/udp	0.000330
+wmereceiving	11997/sctp	0.000000	# WorldMailExpress
 unknown	11998/udp	0.000330
+wmedistribution	11998/sctp	0.000000	# WorldMailExpress
 unknown	11999/udp	0.000330
+wmereporting	11999/sctp	0.000000	# WorldMailExpress
 cce4x	12000/tcp	0.000427	# ClearCommerce Engine 4.x (www.clearcommerce.com)
 unknown	12000/udp	0.000661
 unknown	12001/tcp	0.000076
@@ -6807,7 +6847,8 @@ unknown	13989/udp	0.000330
 unknown	13992/udp	0.000330
 unknown	13996/udp	0.000330
 unknown	14000/tcp	0.000380
-unknown	14001/tcp	0.000076
+sua	14001/tcp	0.000076	# SUA
+sua	14001/sctp	0.000000	# SUA
 unknown	14006/udp	0.000330
 unknown	14034/udp	0.000330
 unknown	14035/udp	0.000330
@@ -8369,6 +8410,7 @@ unknown	20039/udp	0.000654
 unknown	20041/udp	0.000654
 unknown	20045/udp	0.000654
 unknown	20048/udp	0.000654
+nfsrdma	20049/sctp	0.000000	# Network File System (NFS) over RDMA
 unknown	20052/tcp	0.000076
 unknown	20055/udp	0.000654
 unknown	20056/udp	0.000654
diff --git a/nmap.cc b/nmap.cc
index b22a5ab0b..8c968cfb8 100644
--- a/nmap.cc
+++ b/nmap.cc
@@ -216,7 +216,7 @@ printf("%s %s ( %s )\n"
        "  -sL: List Scan - simply list targets to scan\n"
        "  -sP: Ping Scan - go no further than determining if host is online\n"
        "  -PN: Treat all hosts as online -- skip host discovery\n"
-       "  -PS/PA/PU[portlist]: TCP SYN/ACK or UDP discovery to given ports\n"
+       "  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports\n"
        "  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes\n"
        "  -PO[protocol list]: IP Protocol Ping\n"
        "  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]\n"
@@ -229,6 +229,7 @@ printf("%s %s ( %s )\n"
        "  -sN/sF/sX: TCP Null, FIN, and Xmas scans\n"
        "  --scanflags <flags>: Customize TCP scan flags\n"
        "  -sI <zombie host[:probeport]>: Idle scan\n"
+       "  -sY/sZ: SCTP INIT/COOKIE-ECHO scans\n"
        "  -sO: IP protocol scan\n"
        "  -b <FTP relay host>: FTP bounce scan\n"
        "PORT SPECIFICATION AND SCAN ORDER:\n"
@@ -280,7 +281,8 @@ printf("%s %s ( %s )\n"
        "  --ip-options <options>: Send packets with specified ip options\n"
        "  --ttl <val>: Set IP time-to-live field\n"
        "  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address\n"
-       "  --badsum: Send packets with a bogus TCP/UDP checksum\n"
+       "  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum\n"
+       "  --adler32: Use deprecated Adler32 instead of CRC32C for SCTP checksums\n"
        "OUTPUT:\n"
        "  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,\n"
        "     and Grepable format, respectively, to the given filename.\n"
@@ -673,6 +675,7 @@ int nmap_main(int argc, char *argv[]) {
       {"min-rate", required_argument, 0, 0},
       {"max_rate", required_argument, 0, 0},
       {"max-rate", required_argument, 0, 0},
+      {"adler32", no_argument, 0, 0},
       {"stats_every", required_argument, 0, 0},
       {"stats-every", required_argument, 0, 0},
       {0, 0, 0, 0}
@@ -936,6 +939,8 @@ int nmap_main(int argc, char *argv[]) {
       } else if(optcmp(long_options[option_index].name, "max-rate") == 0) {
         if (sscanf(optarg, "%f", &o.max_packet_send_rate) != 1 || o.max_packet_send_rate <= 0.0)
           fatal("Argument to --max-rate must be a positive floating-point number");
+      } else if (optcmp(long_options[option_index].name, "adler32") == 0) {
+        o.adler32 = true;
       } else if(optcmp(long_options[option_index].name, "stats-every") == 0) {
 	l = tval2msecs(optarg);
 	if (l < 0) fatal("Argument to --stats-every cannot be negative.");
@@ -1120,6 +1125,19 @@ int nmap_main(int argc, char *argv[]) {
 	  assert(ports.udp_ping_count > 0);
 	}
       }
+      else if (*optarg == 'Y') {
+	if (ports.sctp_ping_count > 0)
+	  fatal("Only one -PY option is allowed. Combine port ranges with commas.");
+	o.pingtype |= (PINGTYPE_SCTP_INIT);
+	if (*(optarg + 1) != '\0') {
+	  getpts_simple(optarg + 1, SCAN_SCTP_PORT, &ports.sctp_ping_ports, &ports.sctp_ping_count);
+	  if (ports.sctp_ping_count <= 0)
+	    fatal("Bogus argument to -PY: %s", optarg + 1);
+	} else {
+	  getpts_simple(DEFAULT_SCTP_PROBE_PORT_SPEC, SCAN_SCTP_PORT, &ports.sctp_ping_ports, &ports.sctp_ping_count);
+	  assert(ports.sctp_ping_count > 0);
+	}
+      }
       else if (*optarg == 'B') {
 	if (ports.ack_ping_count > 0)
 	  fatal("Only one -PB, -PA, or -PT option is allowed. Combine port ranges with commas.");
@@ -1193,6 +1211,8 @@ int nmap_main(int argc, char *argv[]) {
 	case 'V':  o.servicescan = 1; break;
 	case 'W':  o.windowscan = 1; break;
 	case 'X':  o.xmasscan++; break;
+	case 'Y':  o.sctpinitscan = 1; break;
+	case 'Z':  o.sctpcookieechoscan = 1; break;
 	default:  error("Scantype %c not supported\n",*p); printusage(argv[0], -1); break;
 	}
 	p++;
@@ -1220,6 +1240,7 @@ int nmap_main(int argc, char *argv[]) {
 	o.setMaxRttTimeout(1250);
 	o.setInitialRttTimeout(500);
         o.setMaxTCPScanDelay(10);
+        o.setMaxSCTPScanDelay(10);
         o.setMaxRetransmissions(6);
       } else if (*optarg == '5' || (strcasecmp(optarg, "Insane") == 0)) {
 	o.timing_level = 5;
@@ -1228,6 +1249,7 @@ int nmap_main(int argc, char *argv[]) {
 	o.setInitialRttTimeout(250);
 	o.host_timeout = 900000;
         o.setMaxTCPScanDelay(5);
+        o.setMaxSCTPScanDelay(5);
         o.setMaxRetransmissions(2);
       } else {
 	fatal("Unknown timing mode (-T argument).  Use either \"Paranoid\", \"Sneaky\", \"Polite\", \"Normal\", \"Aggressive\", \"Insane\" or a number from 0 (Paranoid) to 5 (Insane)");
@@ -1259,6 +1281,7 @@ int nmap_main(int argc, char *argv[]) {
     o.scan_delay = pre_scan_delay;
     if (o.scan_delay > o.maxTCPScanDelay()) o.setMaxTCPScanDelay(o.scan_delay);
     if (o.scan_delay > o.maxUDPScanDelay()) o.setMaxUDPScanDelay(o.scan_delay);
+    if (o.scan_delay > o.maxSCTPScanDelay()) o.setMaxSCTPScanDelay(o.scan_delay);
     o.max_parallelism = 1;
     if(pre_max_parallelism != -1)
       fatal("You can't use --max-parallelism with --scan-delay.");
@@ -1266,6 +1289,7 @@ int nmap_main(int argc, char *argv[]) {
   if (pre_max_scan_delay != -1) {
     o.setMaxTCPScanDelay(pre_max_scan_delay);
     o.setMaxUDPScanDelay(pre_max_scan_delay);
+    o.setMaxSCTPScanDelay(pre_max_scan_delay);
   }
   if (pre_init_rtt_timeout != -1) o.setInitialRttTimeout(pre_init_rtt_timeout);
   if (pre_min_rtt_timeout != -1) o.setMinRttTimeout(pre_min_rtt_timeout);
@@ -1360,7 +1384,7 @@ int nmap_main(int argc, char *argv[]) {
   }
 
   // Uncomment the following line to use the common lisp port spec test suite
-  //printf("port spec: (%d %d %d)\n", ports.tcp_count, ports.udp_count, ports.prot_count); exit(0);
+  //printf("port spec: (%d %d %d %d)\n", ports.tcp_count, ports.udp_count, ports.stcp_count, ports.prot_count); exit(0);
 
 #ifdef WIN32
   if (o.sendpref & PACKET_SEND_IP) {
@@ -1421,6 +1445,8 @@ int nmap_main(int argc, char *argv[]) {
    */
   if ((o.TCPScan()) && ports.tcp_count == 0)
     error("WARNING: a TCP scan type was requested, but no tcp ports were specified.  Skipping this scan type.");
+  if (o.SCTPScan() && ports.sctp_count == 0)
+    error("WARNING: a SCTP scan type was requested, but no sctp ports were specified.  Skipping this scan type.");
   if (o.UDPScan() && ports.udp_count == 0)
     error("WARNING: UDP scan was requested, but no udp ports were specified.  Skipping this scan type.");
   if (o.ipprotscan && ports.prot_count == 0)
@@ -1517,7 +1543,7 @@ int nmap_main(int argc, char *argv[]) {
   /* Before we randomize the ports scanned, lets output them to machine 
      parseable output */
   if (o.verbose)
-    output_ports_to_machine_parseable_output(&ports, o.TCPScan(), o.udpscan, o.ipprotscan);
+    output_ports_to_machine_parseable_output(&ports, o.TCPScan(), o.UDPScan(), o.SCTPScan(), o.ipprotscan);
 
   /* more fakeargv junk, BTW malloc'ing extra space in argv[0] doesn't work */
   if (quashargv) {
@@ -1547,7 +1573,7 @@ int nmap_main(int argc, char *argv[]) {
     log_write(LOG_PLAIN, "--------------- Timing report ---------------\n");
     log_write(LOG_PLAIN, "  hostgroups: min %d, max %d\n", o.minHostGroupSz(), o.maxHostGroupSz());
     log_write(LOG_PLAIN, "  rtt-timeouts: init %d, min %d, max %d\n", o.initialRttTimeout(), o.minRttTimeout(), o.maxRttTimeout());
-    log_write(LOG_PLAIN, "  max-scan-delay: TCP %d, UDP %d\n", o.maxTCPScanDelay(), o.maxUDPScanDelay());
+    log_write(LOG_PLAIN, "  max-scan-delay: TCP %d, UDP %d, SCTP %d\n", o.maxTCPScanDelay(), o.maxUDPScanDelay(), o.maxSCTPScanDelay());
     log_write(LOG_PLAIN, "  parallelism: min %d, max %d\n", o.min_parallelism, o.max_parallelism);
     log_write(LOG_PLAIN, "  max-retries: %d, host-timeout: %ld\n", o.getMaxRetransmissions(), o.host_timeout);
     log_write(LOG_PLAIN, "  min-rate: %g, max-rate: %g\n", o.min_packet_send_rate, o.max_packet_send_rate);
@@ -1561,6 +1587,8 @@ int nmap_main(int argc, char *argv[]) {
     PortList::initializePortMap(IPPROTO_TCP, ports.tcp_ports, ports.tcp_count);
   if (o.UDPScan())
     PortList::initializePortMap(IPPROTO_UDP, ports.udp_ports, ports.udp_count);
+  if (o.SCTPScan())
+    PortList::initializePortMap(IPPROTO_SCTP, ports.sctp_ports, ports.sctp_count);
   
   if  (randomize) {
     if (ports.tcp_count) {
@@ -1570,6 +1598,8 @@ int nmap_main(int argc, char *argv[]) {
     }
     if (ports.udp_count) 
       shortfry(ports.udp_ports, ports.udp_count); 
+    if (ports.sctp_count) 
+      shortfry(ports.sctp_ports, ports.sctp_count); 
     if (ports.prot_count) 
       shortfry(ports.prots, ports.prot_count); 
   }
@@ -1776,6 +1806,12 @@ int nmap_main(int argc, char *argv[]) {
     if (o.connectscan)
       ultra_scan(Targets, &ports, CONNECT_SCAN);
     
+    if (o.sctpinitscan)
+      ultra_scan(Targets, &ports, SCTP_INIT_SCAN);
+    
+    if (o.sctpcookieechoscan)
+      ultra_scan(Targets, &ports, SCTP_COOKIE_ECHO_SCAN);
+    
     if (o.ipprotscan)
       ultra_scan(Targets, &ports, IPPROT_SCAN);
     
@@ -2136,12 +2172,14 @@ void getpts(const char *origexpr, struct scan_lists *ports) {
   u8 *porttbl;
   int range_type = 0;
   int portwarning = 0;
-  int i, tcpi, udpi, proti;
+  int i, tcpi, udpi, sctpi, proti;
 
   if (o.TCPScan())
     range_type |= SCAN_TCP_PORT;
   if (o.UDPScan())
     range_type |= SCAN_UDP_PORT;
+  if (o.SCTPScan())
+    range_type |= SCAN_SCTP_PORT;
   if (o.ipprotscan)
     range_type |= SCAN_PROTOCOLS;
 
@@ -2150,22 +2188,25 @@ void getpts(const char *origexpr, struct scan_lists *ports) {
   getpts_aux(origexpr,      // Pass on the expression
              0,             // Don't start off nested
              porttbl,       // Our allocated port table
-             range_type,    // Defaults to TCP/UDP/Protos
+             range_type,    // Defaults to TCP/UDP/SCTP/Protos
              &portwarning); // No, we haven't warned them about dup ports yet
 
   ports->tcp_count = 0;
   ports->udp_count = 0;
+  ports->sctp_count = 0;
   ports->prot_count = 0;
   for(i = 0; i <= 65535; i++) {
     if (porttbl[i] & SCAN_TCP_PORT)
       ports->tcp_count++;
     if (porttbl[i] & SCAN_UDP_PORT)
       ports->udp_count++;
+    if (porttbl[i] & SCAN_SCTP_PORT)
+      ports->sctp_count++;
     if (porttbl[i] & SCAN_PROTOCOLS && i < 256)
       ports->prot_count++;
   }
 
-  if (range_type != 0 && 0 == (ports->tcp_count + ports->udp_count + ports->prot_count))
+  if (range_type != 0 && 0 == (ports->tcp_count + ports->udp_count + ports->sctp_count + ports->prot_count))
     fatal("No ports specified -- If you really don't want to scan any ports use ping scan...");
 
   if (ports->tcp_count) {
@@ -2174,15 +2215,20 @@ void getpts(const char *origexpr, struct scan_lists *ports) {
   if (ports->udp_count) {
     ports->udp_ports = (unsigned short *)safe_zalloc(ports->udp_count * sizeof(unsigned short));
   }
+  if (ports->sctp_count) {
+    ports->sctp_ports = (unsigned short *)safe_zalloc(ports->sctp_count * sizeof(unsigned short));
+  }
   if (ports->prot_count) {
     ports->prots = (unsigned short *)safe_zalloc(ports->prot_count * sizeof(unsigned short));
   }
 
-  for(i=tcpi=udpi=proti=0; i <= 65535; i++) {
+  for(i=tcpi=udpi=sctpi=proti=0; i <= 65535; i++) {
     if (porttbl[i] & SCAN_TCP_PORT)
       ports->tcp_ports[tcpi++] = i;
     if (porttbl[i] & SCAN_UDP_PORT)
       ports->udp_ports[udpi++] = i;
+    if (porttbl[i] & SCAN_SCTP_PORT)
+      ports->sctp_ports[sctpi++] = i;
     if (porttbl[i] & SCAN_PROTOCOLS && i < 256)
       ports->prots[proti++] = i;
   }
@@ -2192,7 +2238,7 @@ void getpts(const char *origexpr, struct scan_lists *ports) {
 
 /* This function is like getpts except it only allocates space for and stores
   values into one unsigned short array, instead of an entire scan_lists struct
-  For that reason, T:, U:, and P: restrictions are not allowed and only one
+  For that reason, T:, U:, S: and P: restrictions are not allowed and only one
   bit in range_type may be set. */
 void getpts_simple(const char *origexpr, int range_type,
                    unsigned short **list, int *count) {
@@ -2264,6 +2310,11 @@ static void getpts_aux(const char *origexpr, int nested, u8 *porttbl, int range_
           range_type = SCAN_UDP_PORT;
           continue;
       }
+      if (*current_range == 'S' && *++current_range == ':') {
+          current_range++;
+          range_type = SCAN_SCTP_PORT;
+          continue;
+      }
       if (*current_range == 'P' && *++current_range == ':') {
           current_range++;
           range_type = SCAN_PROTOCOLS;
@@ -2381,6 +2432,10 @@ static void getpts_aux(const char *origexpr, int nested, u8 *porttbl, int range_
               nmap_getservbyport(htons(rangestart), "udp")) {
             porttbl[rangestart] |= SCAN_UDP_PORT;
           }
+          if ((range_type & SCAN_SCTP_PORT) &&
+              nmap_getservbyport(htons(rangestart), "sctp")) {
+            porttbl[rangestart] |= SCAN_SCTP_PORT;
+          }
           if ((range_type & SCAN_PROTOCOLS) &&
               nmap_getprotbynum(htons(rangestart))) {
             porttbl[rangestart] |= SCAN_PROTOCOLS;
@@ -2412,6 +2467,7 @@ static void getpts_aux(const char *origexpr, int nested, u8 *porttbl, int range_
 void free_scan_lists(struct scan_lists *ports) {
   if (ports->tcp_ports) free(ports->tcp_ports);
   if (ports->udp_ports) free(ports->udp_ports);
+  if (ports->sctp_ports) free(ports->sctp_ports);
   if (ports->prots) free(ports->prots);
   if (ports->syn_ping_ports) free(ports->syn_ping_ports);
   if (ports->ack_ping_ports) free(ports->ack_ping_ports);
@@ -2513,6 +2569,8 @@ const char *scantype2str(stype scantype) {
   case CONNECT_SCAN: return "Connect Scan"; break;
   case NULL_SCAN: return "NULL Scan"; break;
   case WINDOW_SCAN: return "Window Scan"; break;
+  case SCTP_INIT_SCAN: return "SCTP INIT Scan"; break;
+  case SCTP_COOKIE_ECHO_SCAN: return "SCTP COOKIE-ECHO Scan"; break;
   case RPC_SCAN: return "RPCGrind Scan"; break;
   case MAIMON_SCAN: return "Maimon Scan"; break;
   case IPPROT_SCAN: return "IPProto Scan"; break;
diff --git a/nmap.h b/nmap.h
index 912d6fb15..0ecc2ddf3 100644
--- a/nmap.h
+++ b/nmap.h
@@ -218,6 +218,11 @@ void *realloc();
 #include <arpa/inet.h>
 #endif
 
+/* For systems without SCTP in netinet/in.h, such as MacOS X */
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
+
 /* Keep assert() defined for security reasons */
 #undef NDEBUG
 
@@ -271,6 +276,9 @@ void *realloc();
                                             change this to 113 */
 #define DEFAULT_UDP_PROBE_PORT_SPEC "31338" /* The port UDP ping probes go to
                                                if unspecified by user */
+#define DEFAULT_SCTP_PROBE_PORT_SPEC "80" /* The port SCTP probes go to
+                                             if unspecified by
+                                             user */
 #define DEFAULT_PROTO_PROBE_PORT_SPEC "1,2,4" /* The IPProto ping probes to use
                                                  if unspecified by user */
 
@@ -290,6 +298,10 @@ void *realloc();
 #define MAX_UDP_SCAN_DELAY 1000
 #endif
 
+#ifndef MAX_SCTP_SCAN_DELAY
+#define MAX_SCTP_SCAN_DELAY 1000
+#endif
+
 /* Maximum number of extra hostnames, OSs, and devices, we
    consider when outputing the extra service info fields */
 #define MAX_SERVICE_INFO_FIELDS 5
@@ -339,6 +351,7 @@ void *realloc();
 #define PINGTYPE_UDP  512
 #define PINGTYPE_ARP 1024
 #define PINGTYPE_PROTO 2048
+#define PINGTYPE_SCTP_INIT 4096
 
 /* Empirically determined optimum combinations of different numbers of probes:
      -PE
diff --git a/nse_main.cc b/nse_main.cc
index d0bda9eac..9da5c496c 100644
--- a/nse_main.cc
+++ b/nse_main.cc
@@ -81,7 +81,8 @@ static int ports (lua_State *L)
   Port *current = NULL;
   lua_newtable(L);
   for (int i = 0; states[i] != PORT_HIGHEST_STATE; i++)
-    while ((current = plist->nextPort(current, TCPANDUDP, states[i])) != NULL)
+    while ((current = plist->nextPort(current, TCPANDUDPANDSCTP,
+            states[i])) != NULL)
     {
       lua_newtable(L);
       set_portinfo(L, current);
diff --git a/nse_nmaplib.cc b/nse_nmaplib.cc
index c0543219e..2733e46a7 100644
--- a/nse_nmaplib.cc
+++ b/nse_nmaplib.cc
@@ -14,6 +14,7 @@ extern "C" {
 #include "nmap_rpc.h"
 #include "nmap_dns.h"
 #include "osscan.h"
+#include "protocols.h"
 
 /* #include "output.h"  UNNECESSARY?? */
 
@@ -115,7 +116,7 @@ void set_portinfo(lua_State *L, Port* port) {
   lua_pushstring(L, sd.name);
   lua_setfield(L, -2, "service");
 
-  lua_pushstring(L, (port->proto == IPPROTO_TCP)? "tcp": "udp");
+  lua_pushstring(L, IPPROTO2STR(port->proto));
   lua_setfield(L, -2, "protocol");
 
   lua_newtable(L);
@@ -353,7 +354,8 @@ Port *get_port (lua_State *L, Target *target, int index)
   portno = (int) lua_tointeger(L, -2);
   protocol = strcmp(lua_tostring(L, -1), "tcp") == 0 ? IPPROTO_TCP :
              strcmp(lua_tostring(L, -1), "udp") == 0 ? IPPROTO_UDP :
-             luaL_error(L, "port 'protocol' field must be \"udp\" or \"tcp\"");
+             strcmp(lua_tostring(L, -1), "sctp") == 0 ? IPPROTO_SCTP :
+             luaL_error(L, "port 'protocol' field must be \"udp\", \"sctp\" or \"tcp\"");
   while ((port = target->ports.nextPort(port, protocol, PORT_UNKNOWN)) != NULL)
     if (port->portno == portno)
       break;
diff --git a/nse_nsock.cc b/nse_nsock.cc
index 25b3a6908..1e1b87ab0 100644
--- a/nse_nsock.cc
+++ b/nse_nsock.cc
@@ -20,6 +20,7 @@ extern "C"
 #include "NmapOps.h"
 #include "utils.h"
 #include "tcpip.h"
+#include "protocols.h"
 
 #if HAVE_OPENSSL
 #  include <openssl/ssl.h>
@@ -754,9 +755,7 @@ void l_nsock_receive_handler(nsock_pool nsp, nsock_event nse, void *yield)
 void l_nsock_trace(nsock_iod nsiod, const char *message, int direction)
 {
   int status;
-
   int protocol;
-
   int af;
 
   struct sockaddr local;
@@ -773,7 +772,7 @@ void l_nsock_trace(nsock_iod nsiod, const char *message, int direction)
         &local, &remote, sizeof(sockaddr));
     log_write(LOG_STDOUT, "%s: %s %s:%d %s %s:%d | %s\n",
         SCRIPT_ENGINE,
-        (protocol == IPPROTO_TCP) ? "TCP" : "UDP",
+        IPPROTO2STR_UC(protocol),
         inet_ntop_both(af, &local, ipstring_local),
         inet_port_both(af, &local),
         (direction == TO) ? ">" : "<",
diff --git a/output.cc b/output.cc
index b5792ec95..bd3db855a 100644
--- a/output.cc
+++ b/output.cc
@@ -509,7 +509,7 @@ static char* formatScriptOutput(ScriptResult sr) {
    output and the XML output.  It is pretty ugly -- in particular I
    should write helper functions to handle the table creation */
 void printportoutput(Target *currenths, PortList *plist) {
-  char protocol[4];
+  char protocol[MAX_IPPROTOSTRLEN+1];
   char rpcinfo[64];
   char rpcmachineinfo[64];
   char portinfo[64];
@@ -701,11 +701,11 @@ void printportoutput(Target *currenths, PortList *plist) {
     }
   } else {
     current = NULL;
-    while( (current=plist->nextPort(current, TCPANDUDP, 0))!=NULL ) {
+    while( (current=plist->nextPort(current, TCPANDUDPANDSCTP, 0))!=NULL ) {
       if (!plist->isIgnoredState(current->state)) {
 	if (!first) log_write(LOG_MACHINE,", ");
 	else first = 0;
-	strcpy(protocol,(current->proto == IPPROTO_TCP)? "tcp": "udp");
+	strcpy(protocol, IPPROTO2STR(current->proto));
 	Snprintf(portinfo, sizeof(portinfo), "%d/%s", current->portno, protocol);
 	state = statenum2str(current->state);
 	current->getServiceDeductions(&sd);
@@ -1205,9 +1205,10 @@ char outpbuf[128];
    in sequential order for space savings and easier to read output */
 void output_ports_to_machine_parseable_output(struct scan_lists *ports, 
 					      int tcpscan, int udpscan,
-					      int protscan) {
+					      int sctpscan, int protscan) {
   int tcpportsscanned = ports->tcp_count;
   int udpportsscanned = ports->udp_count;
+  int sctpportsscanned = ports->sctp_count;
   int protsscanned = ports->prot_count;
  log_write(LOG_MACHINE, "# Ports scanned: TCP(%d;", tcpportsscanned);
  if (tcpportsscanned)
@@ -1215,6 +1216,9 @@ void output_ports_to_machine_parseable_output(struct scan_lists *ports,
  log_write(LOG_MACHINE, ") UDP(%d;", udpportsscanned);
  if (udpportsscanned)
    output_rangelist_given_ports(LOG_MACHINE, ports->udp_ports, udpportsscanned);
+ log_write(LOG_MACHINE, ") SCTP(%d;", sctpportsscanned);
+ if (sctpportsscanned)
+   output_rangelist_given_ports(LOG_MACHINE, ports->sctp_ports, sctpportsscanned);
  log_write(LOG_MACHINE, ") PROTOCOLS(%d;", protsscanned);
  if (protsscanned)
    output_rangelist_given_ports(LOG_MACHINE, ports->prots, protsscanned);
@@ -1279,6 +1283,10 @@ void output_xml_scaninfo_records(struct scan_lists *scanlist) {
     doscaninfo("fin", "tcp", scanlist->tcp_ports, scanlist->tcp_count);
   if (o.udpscan) 
     doscaninfo("udp", "udp", scanlist->udp_ports, scanlist->udp_count);
+  if (o.sctpinitscan) 
+    doscaninfo("sctpinit", "sctp", scanlist->sctp_ports, scanlist->sctp_count);
+  if (o.sctpcookieechoscan) 
+    doscaninfo("sctpcookieecho", "sctp", scanlist->sctp_ports, scanlist->sctp_count);
   if (o.ipprotscan) 
     doscaninfo("ipproto", "ip", scanlist->prots, scanlist->prot_count); 
   log_flush_all();
@@ -1782,7 +1790,7 @@ void printserviceinfooutput(Target *currenths) {
   for (i=0; i<MAX_SERVICE_INFO_FIELDS; i++)
     hostname_tbl[i][0] = ostype_tbl[i][0] = devicetype_tbl[i][0] = '\0';
 
-  while ((p = currenths->ports.nextPort(p, TCPANDUDP, PORT_OPEN))) {
+  while ((p = currenths->ports.nextPort(p, TCPANDUDPANDSCTP, PORT_OPEN))) {
     // The following 2 lines (from portlist.h) tell us that we don't
     // need to worry about free()ing anything in the serviceDeductions struct.
       // pass in an allocated struct serviceDeductions (don't wory about initializing, and
diff --git a/output.h b/output.h
index 3b7c22d14..b1142b8c7 100644
--- a/output.h
+++ b/output.h
@@ -171,7 +171,7 @@ int log_open(int logt, int append, char *filename);
    in sequential order for space savings and easier to read output */
 void output_ports_to_machine_parseable_output(struct scan_lists *ports, 
 					      int tcpscan, int udpscan,
-					      int protscan);
+					      int sctpscan, int protscan);
 
 /* Similar to output_ports_to_machine_parseable_output, this function
    outputs the XML version, which is scaninfo records of each scan
diff --git a/portlist.cc b/portlist.cc
index f12d467ce..dcf5102c4 100644
--- a/portlist.cc
+++ b/portlist.cc
@@ -95,6 +95,7 @@
 #include "nmap.h"
 #include "NmapOps.h"
 #include "services.h"
+#include "protocols.h"
 #include "nmap_rpc.h"
 #include "tcpip.h"
 
@@ -257,7 +258,7 @@ int Port::getServiceDeductions(struct serviceDeductions *sd) {
     populateFullVersionString(sd);
     return 0;
   } else if (serviceprobe_results == PROBESTATE_EXCLUDED) {
-    service = nmap_getservbyport(htons(portno), (proto == IPPROTO_TCP)? "tcp" : "udp");
+    service = nmap_getservbyport(htons(portno), IPPROTO2STR(proto));
 
     if (service) sd->name = service->s_name;
 
@@ -274,7 +275,7 @@ int Port::getServiceDeductions(struct serviceDeductions *sd) {
   }
 
   // So much for service detection or RPC.  Maybe we can find it in the file
-  service = nmap_getservbyport(htons(portno), (proto == IPPROTO_TCP)? "tcp" : "udp");
+  service = nmap_getservbyport(htons(portno), IPPROTO2STR(proto));
   if (service) {
     sd->dtype = SERVICE_DETECTION_TABLE;
     sd->name = service->s_name;
@@ -388,6 +389,7 @@ void Port::setRPCProbeResults(int rpcs, unsigned long rpcp,
 #define INPROTO2PORTLISTPROTO(p)		\
   ((p)==IPPROTO_TCP ? PORTLIST_PROTO_TCP :	\
    (p)==IPPROTO_UDP ? PORTLIST_PROTO_UDP :	\
+   (p)==IPPROTO_SCTP ? PORTLIST_PROTO_SCTP :	\
    PORTLIST_PROTO_IP)
 
 
@@ -540,12 +542,12 @@ int PortList::getStateCounts(int state){
    first "afterthisport".  Then supply the most recent returned port
    for each subsequent call.  When no more matching ports remain, NULL
    will be returned.  To restrict returned ports to just one protocol,
-   specify IPPROTO_TCP or IPPROTO_UDP for allowed_protocol. A TCPANDUDP
-   for allowed_protocol matches either. A 0 for allowed_state matches 
-   all possible states. This function returns ports in numeric
-   order from lowest to highest, except that if you ask for both TCP &
-   UDP, every TCP port will be returned before we start returning UDP
-   ports */
+   specify IPPROTO_TCP, IPPROTO_UDP or IPPROTO_SCTP for
+   allowed_protocol. A TCPANDUDPANDSCTP for allowed_protocol matches
+   either. A 0 for allowed_state matches all possible states. This
+   function returns ports in numeric order from lowest to highest,
+   except that if you ask for both TCP, UDP & SCTP, every TCP port
+   will be returned before we start returning UDP and SCTP ports */
 Port *PortList::nextPort(Port *afterthisport, 
 			 int allowed_protocol, int allowed_state) {
   int proto;
@@ -559,8 +561,10 @@ Port *PortList::nextPort(Port *afterthisport,
     mapped_pno = port_map[proto][afterthisport->portno];
     mapped_pno++; //  we're interested in next port after current
   }else { // running for the first time
-    if(allowed_protocol == TCPANDUDP)	// if both protocols, then first search TCP
+    if (allowed_protocol == TCPANDUDPANDSCTP)
       proto = INPROTO2PORTLISTPROTO(IPPROTO_TCP);
+    else if (allowed_protocol == UDPANDSCTP)
+      proto = INPROTO2PORTLISTPROTO(IPPROTO_UDP);
     else
       proto = INPROTO2PORTLISTPROTO(allowed_protocol);
     mapped_pno = 0;
@@ -574,9 +578,15 @@ Port *PortList::nextPort(Port *afterthisport,
     }
   }
   
-  /* if all protocols, than after TCP search UDP */
-  if(allowed_protocol == TCPANDUDP && proto == INPROTO2PORTLISTPROTO(IPPROTO_TCP))
-    return(nextPort(NULL, IPPROTO_UDP, allowed_state));
+  /* if all protocols, than after TCP search UDP & SCTP */
+  if((!afterthisport && allowed_protocol == TCPANDUDPANDSCTP) ||
+      (afterthisport && proto == INPROTO2PORTLISTPROTO(IPPROTO_TCP)))
+    return(nextPort(NULL, UDPANDSCTP, allowed_state));
+
+  /* if all protocols, than after UDP search SCTP */
+  if((!afterthisport && allowed_protocol == UDPANDSCTP) ||
+      (afterthisport && proto == INPROTO2PORTLISTPROTO(IPPROTO_UDP)))
+    return(nextPort(NULL, IPPROTO_SCTP, allowed_state));
   
   return(NULL); 
 }
diff --git a/portlist.h b/portlist.h
index 6cb800fe8..c1443240e 100644
--- a/portlist.h
+++ b/portlist.h
@@ -113,7 +113,8 @@
 #define PORT_HIGHEST_STATE 9 /* ***IMPORTANT -- BUMP THIS UP WHEN STATES ARE 
 				ADDED *** */
  
-#define TCPANDUDP IPPROTO_MAX
+#define TCPANDUDPANDSCTP IPPROTO_MAX
+#define UDPANDSCTP (IPPROTO_MAX + 1)
 
 #define CONF_NONE 0
 #define CONF_LOW 1
@@ -254,8 +255,9 @@ class Port {
 enum portlist_proto {	// PortList Protocols
   PORTLIST_PROTO_TCP	= 0,
   PORTLIST_PROTO_UDP	= 1,
-  PORTLIST_PROTO_IP	= 2,
-  PORTLIST_PROTO_MAX	= 3
+  PORTLIST_PROTO_SCTP	= 2,
+  PORTLIST_PROTO_IP	= 3,
+  PORTLIST_PROTO_MAX	= 4
 };
 
 class PortList {
@@ -281,12 +283,12 @@ class PortList {
    first "afterthisport".  Then supply the most recent returned port
    for each subsequent call.  When no more matching ports remain, NULL
    will be returned.  To restrict returned ports to just one protocol,
-   specify IPPROTO_TCP or IPPROTO_UDP for allowed_protocol. A TCPANDUDP
-   for allowed_protocol matches either. A 0 for allowed_state matches 
-   all possible states. This function returns ports in numeric
-   order from lowest to highest, except that if you ask for both TCP &
-   UDP, every TCP port will be returned before we start returning UDP
-   ports */
+   specify IPPROTO_TCP, IPPROTO_UDP or UPPROTO_SCTP for
+   allowed_protocol. A TCPANDUDPANDSCTP for allowed_protocol matches
+   either. A 0 for allowed_state matches all possible states. This
+   function returns ports in numeric order from lowest to highest,
+   except that if you ask for TCP, UDP & SCTP, all TCP ports will be
+   returned before we start returning UDP and finally SCTP ports */
    Port *nextPort(Port *afterthisport, 
   	          int allowed_protocol, int allowed_state);
 
diff --git a/portreasons.cc b/portreasons.cc
index 6c4d4f9b1..495b19d16 100644
--- a/portreasons.cc
+++ b/portreasons.cc
@@ -113,7 +113,8 @@ const char *reason_text[ER_MAX+1]={
         "unknown", "admin-prohibited", "unknown", "time-exceeded", "unknown", "unknown",
         "timestamp-reply", "unknown", "unknown", "unknown", "addressmask-reply",
         "no-ipid-change", "ipid-change", "arp-response", "tcp-response",
-        "no-response", "localhost-response", "script-set", "unknown-response","user-set"
+        "no-response", "init-ack", "abort",
+        "localhost-response", "script-set", "unknown-response","user-set"
 };
 
 const char *reason_pl_text[ER_MAX+1]={ 
@@ -125,7 +126,8 @@ const char *reason_pl_text[ER_MAX+1]={
         "unknowns", "admin-prohibiteds", "unknowns", "time-exceededs", "unknowns",
         "unknowns", "timestamp-replies", "unknowns", "unknowns", "unknowns", 
         "addressmask-replies", "no-ipid-changes", "ipid-changes", "arp-responses",
-        "tcp-responses", "no-responses", "localhost-response", "script-set", "unknown-responses"
+        "tcp-responses", "no-responses", "init-acks", "aborts",
+        "localhost-response", "script-set", "unknown-responses"
 };
 
 static void state_reason_summary_init(state_reason_summary_t *r) {
@@ -246,7 +248,7 @@ static unsigned int get_state_summary(state_reason_summary_t *head, PortList *Po
 	Port *current = NULL;
 	state_reason_summary_t *reason;
 	unsigned int total = 0;
-	unsigned short proto = (o.ipprotscan) ? IPPROTO_IP : TCPANDUDP;
+	unsigned short proto = (o.ipprotscan) ? IPPROTO_IP : TCPANDUDPANDSCTP;
 
 	if(head == NULL)
 		return 0;
diff --git a/portreasons.h b/portreasons.h
index 870dde4b0..0aef1f0ef 100644
--- a/portreasons.h
+++ b/portreasons.h
@@ -139,7 +139,8 @@ enum reason_codes {
 
 	ER_ADDRESSMASKREPLY=29, ER_NOIPIDCHANGE, ER_IPIDCHANGE,
 	ER_ARPRESPONSE, ER_TCPRESPONSE, ER_NORESPONSE,
-	ER_LOCALHOST, ER_SCRIPT, ER_UNKNOWN, ER_USER, ER_MAX=ER_USER   /* 39 */
+	ER_INITACK, ER_ABORT,
+	ER_LOCALHOST, ER_SCRIPT, ER_UNKNOWN, ER_USER, ER_MAX=ER_USER   /* 41 */
 };
 
 /* Be careful to update these values if any ICMP
diff --git a/protocols.h b/protocols.h
index 0c828f40f..d2baded2a 100644
--- a/protocols.h
+++ b/protocols.h
@@ -111,4 +111,16 @@ struct protocol_list {
 int addprotocolsfromservmask(char *mask, u8 *porttbl);
 struct protoent *nmap_getprotbynum(int num);
 
+#define MAX_IPPROTOSTRLEN 4
+#define IPPROTO2STR(p)		\
+  ((p)==IPPROTO_TCP ? "tcp" :	\
+   (p)==IPPROTO_UDP ? "udp" :	\
+   (p)==IPPROTO_SCTP ? "sctp" :	\
+   "n/a")
+#define IPPROTO2STR_UC(p)	\
+  ((p)==IPPROTO_TCP ? "TCP" :	\
+   (p)==IPPROTO_UDP ? "UDP" :	\
+   (p)==IPPROTO_SCTP ? "SCTP" :	\
+   "N/A")
+
 #endif
diff --git a/scan_engine.cc b/scan_engine.cc
index bed1f7d10..cd8c75470 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -170,6 +170,8 @@ static const char *pspectype2ascii(int type) {
     return "TCP";
   case PS_UDP:
     return "UDP";
+  case PS_SCTP:
+    return "SCTP";
   case PS_PROTO:
     return "IP Proto";
   case PS_ICMP:
@@ -200,11 +202,16 @@ struct IPExtraProbeData_udp {
   u16 sport;
 };
 
+struct IPExtraProbeData_sctp {
+  u16 sport;
+};
+
 struct IPExtraProbeData {
   u16 ipid; /* host byte order */
   union {
     struct IPExtraProbeData_tcp tcp;
     struct IPExtraProbeData_udp udp;
+    struct IPExtraProbeData_sctp sctp;
   } pd;
 };
 
@@ -227,12 +234,36 @@ public:
   /* Pass an arp packet, including ethernet header. Must be 42bytes */
   void setARP(u8 *arppkt, u32 arplen);
   // The 4 accessors below all return in HOST BYTE ORDER
-// source port used if TCP or UDP
+  // source port used if TCP, UDP or SCTP
   u16 sport() {
-    return (mypspec.proto == IPPROTO_TCP)? probes.IP.pd.tcp.sport : probes.IP.pd.udp.sport; }
-  // destination port used if TCP or UDP
-  u16 dport() { 
-    return (mypspec.proto == IPPROTO_TCP)? mypspec.pd.tcp.dport : mypspec.pd.udp.dport; }
+    switch (mypspec.proto) {
+      case IPPROTO_TCP:
+	return probes.IP.pd.tcp.sport;
+      case IPPROTO_UDP:
+	return probes.IP.pd.udp.sport;
+      case IPPROTO_SCTP:
+	return probes.IP.pd.sctp.sport;
+      default:
+	return 0;
+    }
+    /* not reached */
+  }
+  // destination port used if TCP, UDP or SCTP
+  u16 dport() {
+    switch (mypspec.proto) {
+      case IPPROTO_TCP:
+	return mypspec.pd.tcp.dport;
+      case IPPROTO_UDP:
+	return mypspec.pd.udp.dport;
+      case IPPROTO_SCTP:
+	return mypspec.pd.sctp.dport;
+      default:
+	/* dport() can get called for other protos if we
+	 * get ICMP responses during IP proto scans. */
+	return 0;
+    }
+    /* not reached */
+  }
   u16 ipid() { return probes.IP.ipid; }
   u32 tcpseq(); // TCP sequence number if protocol is TCP
   /* Number, such as IPPROTO_TCP, IPPROTO_UDP, etc. */
@@ -395,6 +426,9 @@ public:
   /* The index of the next UDP port in o.ping_udpprobes to probe during ping
      scan. */
   int next_udpportpingidx;
+  /* The index of the next SCTP port in o.ping_protoprobes to probe during ping
+     scan. */
+  int next_sctpportpingidx;
   /* The index of the next IP protocol in o.ping_protoprobes to probe during ping
      scan. */
   int next_protoportpingidx;
@@ -574,6 +608,7 @@ public:
   stype scantype;
   bool tcp_scan; /* scantype is a type of TCP scan */
   bool udp_scan;
+  bool sctp_scan; /* scantype is a type of SCTP scan */
   bool prot_scan;
   bool ping_scan; /* Includes trad. ping scan & arp scan */
   bool ping_scan_arp; /* ONLY includes arp ping scan */
@@ -667,7 +702,7 @@ static void init_ultra_timing_vals(ultra_timing_vals *timing,
 				   struct ultra_scan_performance_vars *perf,
 				   struct timeval *now);
 
-/* Take a buffer, buf, of size bufsz (32 bytes is sufficient) and 
+/* Take a buffer, buf, of size bufsz (64 bytes is sufficient) and 
    writes a short description of the probe (arg1) into buf.  It also returns 
    buf. */
 static char *probespec2ascii(const probespec *pspec, char *buf, unsigned int bufsz) {
@@ -694,6 +729,20 @@ static char *probespec2ascii(const probespec *pspec, char *buf, unsigned int buf
   case PS_UDP:
     Snprintf(buf, bufsz, "udp to port %hu", pspec->pd.udp.dport);
     break;
+  case PS_SCTP:
+    switch (pspec->pd.sctp.chunktype) {
+      case SCTP_INIT:
+        Strncpy(flagbuf, "INIT", sizeof(flagbuf));
+        break;
+      case SCTP_COOKIE_ECHO:
+        Strncpy(flagbuf, "COOKIE-ECHO", sizeof(flagbuf));
+        break;
+      default:
+        Strncpy(flagbuf, "(unknown)", sizeof(flagbuf));
+    }
+    Snprintf(buf, bufsz, "sctp to port %hu; chunk: %s", pspec->pd.sctp.dport,
+             flagbuf);
+    break;
   case PS_PROTO:
     Snprintf(buf, bufsz, "protocol %u", (unsigned int) pspec->proto);
     break;
@@ -755,6 +804,7 @@ void UltraProbe::setIP(u8 *ippacket, u32 iplen, const probespec *pspec) {
   struct ip *ipv4 = (struct ip *) ippacket;
   struct tcp_hdr *tcp = NULL;
   struct udp_hdr *udp = NULL;
+  struct sctp_hdr *sctp = NULL;
 
   type = UP_IP;
   if (ipv4->ip_v != 4)
@@ -772,6 +822,10 @@ void UltraProbe::setIP(u8 *ippacket, u32 iplen, const probespec *pspec) {
     assert(iplen >= (unsigned) ipv4->ip_hl * 4 + 8);
     udp = (struct udp_hdr *) ((u8 *) ipv4 + ipv4->ip_hl * 4);
     probes.IP.pd.udp.sport = ntohs(udp->uh_sport);
+  } else if (ipv4->ip_p == IPPROTO_SCTP) {
+    assert(iplen >= (unsigned) ipv4->ip_hl * 4 + 12);
+    sctp = (struct sctp_hdr *) ((u8 *) ipv4 + ipv4->ip_hl * 4);
+    probes.IP.pd.sctp.sport = ntohs(sctp->sh_sport);
   }
 
   mypspec = *pspec;
@@ -1022,9 +1076,11 @@ static bool pingprobe_is_appropriate(const UltraScanInfo *USI,
         return USI->scantype == CONNECT_SCAN || (USI->ping_scan && USI->ptech.connecttcpscan);
   case(PS_TCP):
   case(PS_UDP):
+  case(PS_SCTP):
 	return (USI->tcp_scan && USI->scantype != CONNECT_SCAN) ||
             USI->udp_scan ||
-            (USI->ping_scan && (USI->ptech.rawtcpscan || USI->ptech.rawudpscan));
+            USI->sctp_scan ||
+            (USI->ping_scan && (USI->ptech.rawtcpscan || USI->ptech.rawudpscan || USI->ptech.rawsctpscan));
   case(PS_PROTO):
     return USI->prot_scan || (USI->ping_scan && USI->ptech.rawprotoscan);
   case(PS_ICMP):
@@ -1043,6 +1099,7 @@ static int scantype_no_response_means(stype scantype) {
   case ACK_SCAN:
   case WINDOW_SCAN:
   case CONNECT_SCAN:
+  case SCTP_INIT_SCAN:
     return PORT_FILTERED;
   case UDP_SCAN:
   case IPPROT_SCAN:
@@ -1050,6 +1107,7 @@ static int scantype_no_response_means(stype scantype) {
   case FIN_SCAN:
   case MAIMON_SCAN:
   case XMAS_SCAN:
+  case SCTP_COOKIE_ECHO_SCAN:
     return PORT_OPENFILTERED;
   case PING_SCAN:
   case PING_SCAN_ARP:
@@ -1068,6 +1126,7 @@ HostScanStats::HostScanStats(Target *t, UltraScanInfo *UltraSI) {
   next_ackportpingidx = 0;
   next_synportpingidx = 0;
   next_udpportpingidx = 0;
+  next_sctpportpingidx = 0;
   next_protoportpingidx = 0;
   sent_icmp_ping = false;
   sent_icmp_mask = false;
@@ -1342,8 +1401,9 @@ UltraScanInfo::~UltraScanInfo() {
    Basically, any scan type except pure TCP connect scans are raw. */
 bool UltraScanInfo::isRawScan() {
   return scantype != CONNECT_SCAN
-    && (tcp_scan || udp_scan || prot_scan || ping_scan_arp
-      || (ping_scan && (ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan || ptech.rawprotoscan)));
+    && (tcp_scan || udp_scan || sctp_scan || prot_scan || ping_scan_arp
+      || (ping_scan && (ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan
+        || ptech.rawsctpscan || ptech.rawprotoscan)));
 }
 
  /* A circular buffer of the incompleteHosts.  nextIncompleteHost() gives
@@ -1439,8 +1499,8 @@ void UltraScanInfo::Init(vector<Target *> &Targets, struct scan_lists *pts, styp
   scantype = scantp;
   SPM = new ScanProgressMeter(scantype2str(scantype));
   send_rate_meter.start(&now);
-  tcp_scan = udp_scan = prot_scan = ping_scan = noresp_open_scan = false;
-  ping_scan_arp = false;
+  tcp_scan = udp_scan = sctp_scan = prot_scan = false;
+  ping_scan = noresp_open_scan = ping_scan_arp = false;
   memset((char *) &ptech, 0, sizeof(ptech));
   switch(scantype) {
   case FIN_SCAN:
@@ -1458,6 +1518,10 @@ void UltraScanInfo::Init(vector<Target *> &Targets, struct scan_lists *pts, styp
     noresp_open_scan = true;
     udp_scan = true;
     break;
+  case SCTP_INIT_SCAN:
+  case SCTP_COOKIE_ECHO_SCAN:
+    sctp_scan = true;
+    break;
   case IPPROT_SCAN:
     noresp_open_scan = true;
     prot_scan = true;
@@ -1469,6 +1533,8 @@ void UltraScanInfo::Init(vector<Target *> &Targets, struct scan_lists *pts, styp
       ptech.rawicmpscan = 1;
     if (o.pingtype & PINGTYPE_UDP) 
       ptech.rawudpscan = 1;
+    if (o.pingtype & PINGTYPE_SCTP_INIT)
+      ptech.rawsctpscan = 1;
     if (o.pingtype & PINGTYPE_TCP) {
       if (o.isr00t && o.af() == AF_INET)
         ptech.rawtcpscan = 1;
@@ -1554,6 +1620,8 @@ unsigned int UltraScanInfo::numProbesPerHost()
     numprobes = ports->tcp_count;
   } else if (udp_scan) {
     numprobes = ports->udp_count;
+  } else if (sctp_scan) {
+    numprobes = ports->sctp_count;
   } else if (prot_scan) {
     numprobes = ports->prot_count;
   } else if (ping_scan_arp) {
@@ -1568,6 +1636,8 @@ unsigned int UltraScanInfo::numProbesPerHost()
     }
     if (ptech.rawudpscan)
       numprobes += ports->udp_ping_count;
+    if (ptech.rawsctpscan)
+      numprobes += ports->sctp_ping_count;
     if (ptech.rawicmpscan) {
       if (o.pingtype & PINGTYPE_ICMP_PING)
         numprobes++;
@@ -1755,7 +1825,7 @@ int UltraScanInfo::removeCompletedHosts() {
                   hss->target->targetipstr(), num_outstanding_probes,
                   num_outstanding_probes == 1 ? "probe" : "probes");
         if (o.debugging > 3) {
-          char tmpbuf[32];
+          char tmpbuf[64];
           std::list<UltraProbe *>::iterator iter;
           for (iter = hss->probes_outstanding.begin(); iter != hss->probes_outstanding.end(); iter++)
             log_write(LOG_PLAIN, "* %s\n", probespec2ascii((probespec *) (*iter)->pspec(), tmpbuf, sizeof(tmpbuf)));
@@ -1796,6 +1866,8 @@ int determineScanGroupSize(int hosts_scanned_so_far,
 
   if (o.UDPScan())
     groupsize = 128;
+  else if (o.SCTPScan())
+    groupsize = 128;
   else if (o.TCPScan()) {
     groupsize = MAX(1024 / (ports->tcp_count ? ports->tcp_count : 1), 64);
     if (ports->tcp_count > 1000 && o.timing_level <= 4) {
@@ -1877,7 +1949,23 @@ static int get_next_target_probe(UltraScanInfo *USI, HostScanStats *hss,
     pspec->type = PS_UDP;
     pspec->proto = IPPROTO_UDP;
     pspec->pd.udp.dport = USI->ports->udp_ports[hss->next_portidx++];
-
+    return 0;
+  } else if (USI->sctp_scan) {
+     if (hss->next_portidx >= USI->ports->sctp_count)
+      return -1;
+    pspec->type = PS_SCTP;
+    pspec->proto = IPPROTO_SCTP;
+    pspec->pd.sctp.dport = USI->ports->sctp_ports[hss->next_portidx++];
+    switch (USI->scantype) {
+      case SCTP_INIT_SCAN:
+        pspec->pd.sctp.chunktype = SCTP_INIT;
+        break;
+      case SCTP_COOKIE_ECHO_SCAN:
+        pspec->pd.sctp.chunktype = SCTP_COOKIE_ECHO;
+        break;
+      default:
+        assert(0);
+    }
     return 0;
   } else if (USI->prot_scan) {
     if (hss->next_portidx >= USI->ports->prot_count)
@@ -1922,6 +2010,13 @@ static int get_next_target_probe(UltraScanInfo *USI, HostScanStats *hss,
         return 0;
       }
     }
+    if (USI->ptech.rawsctpscan && hss->next_sctpportpingidx < USI->ports->sctp_ping_count) {
+      pspec->type = PS_SCTP;
+      pspec->proto = IPPROTO_SCTP;
+      pspec->pd.sctp.dport = USI->ports->sctp_ping_ports[hss->next_sctpportpingidx++];
+      pspec->pd.sctp.chunktype = SCTP_INIT;
+      return 0;
+    }
     if (USI->ptech.rawicmpscan) {
       pspec->type = PS_ICMP;
       pspec->proto = IPPROTO_ICMP;
@@ -1971,6 +2066,10 @@ int HostScanStats::freshPortsLeft() {
     if (next_portidx >= USI->ports->udp_count)
       return 0;
     return USI->ports->udp_count - next_portidx;
+  } else if (USI->sctp_scan) {
+    if (next_portidx >= USI->ports->sctp_count)
+      return 0;
+    return USI->ports->sctp_count - next_portidx;
   } else if (USI->prot_scan) {
     if (next_portidx >= USI->ports->prot_count)
       return 0;
@@ -1990,6 +2089,8 @@ int HostScanStats::freshPortsLeft() {
     }
     if (USI->ptech.rawudpscan && next_udpportpingidx < USI->ports->udp_ping_count)
       num_probes += USI->ports->udp_ping_count - next_udpportpingidx;
+    if (USI->ptech.rawsctpscan && next_sctpportpingidx < USI->ports->sctp_ping_count)
+      num_probes += USI->ports->sctp_ping_count - next_sctpportpingidx;
     if (USI->ptech.rawicmpscan) {
       if ((o.pingtype & PINGTYPE_ICMP_PING) && !sent_icmp_ping)
         num_probes++;
@@ -2337,16 +2438,16 @@ void HostScanStats::getTiming(struct ultra_timing_vals *tmng) {
 /* Define a score for a ping probe, for the purposes of deciding whether one
    probe should be preferred to another. The order, from most preferred to least
    preferred, is
-      Raw TCP (not filtered, not SYN to an open port)
+      Raw TCP/SCTP (not filtered, not SYN/INIT to an open port)
       ICMP information queries (echo request, timestamp request, netmask req)
       ARP
-      Raw TCP (SYN to an open port)
-      UDP, IP protocol, or other ICMP (including filtered TCP)
+      Raw TCP/SCTP (SYN/INIT to an open port)
+      UDP, IP protocol, or other ICMP (including filtered TCP/SCTP)
       TCP connect
       Anything else
-   Raw TCP SYN to an open port is given a low preference because of the risk of
-   SYN flooding (this is the only case where the port state is considered). The
-   probe passed to this function is assumed to have received a positive
+   Raw TCP SYN / SCTP INIT to an open port is given a low preference because of the
+   risk of SYN flooding (this is the only case where the port state is considered).
+   The probe passed to this function is assumed to have received a positive
    response, that is, it should not have set a port state just by timing out. */
 static unsigned int pingprobe_score(const probespec *pspec, int state) {
   unsigned int score;
@@ -2360,6 +2461,14 @@ static unsigned int pingprobe_score(const probespec *pspec, int state) {
       else
         score = 6;
       break;
+    case PS_SCTP:
+      if (state == PORT_FILTERED) /* Received an ICMP error. */
+        score = 2;
+      else if (state == PORT_OPEN || state == PORT_UNKNOWN)
+        score = 3;
+      else
+        score = 6;
+      break;
     case PS_ICMP:
       if(pspec->pd.icmp.type==ICMP_ECHO || pspec->pd.icmp.type==ICMP_MASK || pspec->pd.icmp.type==ICMP_TSTAMP)
         score = 5;
@@ -2418,6 +2527,9 @@ static bool ultrascan_port_pspec_update(UltraScanInfo *USI,
   } else if (pspec->type == PS_UDP) {
     proto = IPPROTO_UDP;
     portno = pspec->pd.udp.dport;
+  } else if (pspec->type == PS_SCTP) {
+    proto = IPPROTO_SCTP;
+    portno = pspec->pd.sctp.dport;
   } else assert(0);
   
   /* First figure out the current state */
@@ -2492,7 +2604,9 @@ double HostScanStats::cc_scale() {
   /* Boost the scan delay for this host, usually because too many packet
      drops were detected. */
 void HostScanStats::boostScanDelay() {
-  unsigned int maxAllowed = (USI->tcp_scan)? o.maxTCPScanDelay() : o.maxUDPScanDelay();
+  unsigned int maxAllowed = USI->tcp_scan ? o.maxTCPScanDelay() :
+			    USI->udp_scan ? o.maxUDPScanDelay() :
+					    o.maxSCTPScanDelay();
   if (sdn.delayms == 0)
     sdn.delayms = (USI->udp_scan)? 50 : 5; // In many cases, a pcap wait takes a minimum of 80ms, so this matters little :(
   else sdn.delayms = MIN(sdn.delayms * 2, MAX(sdn.delayms, 1000));
@@ -2640,7 +2754,7 @@ static void ultrascan_host_probe_update(UltraScanInfo *USI, HostScanStats *hss,
   if (rcvdtime != NULL && adjust_ping
       && pingprobe_is_better(probe->pspec(), PORT_UNKNOWN, &hss->target->pingprobe, hss->target->pingprobe_state)) {
     if (o.debugging > 1) {
-      char buf[32];
+      char buf[64];
       probespec2ascii(probe->pspec(), buf, sizeof(buf));
       log_write(LOG_PLAIN, "Changing ping technique for %s to %s\n", hss->target->targetipstr(), buf);
     }
@@ -2727,7 +2841,7 @@ static void ultrascan_port_probe_update(UltraScanInfo *USI, HostScanStats *hss,
   if (rcvdtime != NULL && adjust_ping
       && pingprobe_is_better(probe->pspec(), newstate, &hss->target->pingprobe, hss->target->pingprobe_state)) {
     if (o.debugging > 1) {
-      char buf[32];
+      char buf[64];
       probespec2ascii(probe->pspec(), buf, sizeof(buf));
       log_write(LOG_PLAIN, "Changing ping technique for %s to %s\n", hss->target->targetipstr(), buf);
     }
@@ -2922,6 +3036,9 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
   struct eth_nfo *ethptr = NULL;
   u8 *tcpops = NULL;
   u16 tcpopslen = 0;
+  u32 vtag = 0;
+  char *chunk = NULL;
+  int chunklen = 0;
 
   if (USI->ethsd) {
     memcpy(eth.srcmac, hss->target->SrcMACAddress(), 6);
@@ -2984,6 +3101,45 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
       send_ip_packet(USI->rawsd, ethptr, packet, packetlen);
       free(packet);
     }
+  } else if (pspec->type == PS_SCTP) {
+    switch (pspec->pd.sctp.chunktype) {
+      case SCTP_INIT:
+        chunklen = sizeof(struct sctp_chunkhdr_init);
+        chunk = (char*)safe_malloc(chunklen);
+        sctp_pack_chunkhdr_init(chunk, SCTP_INIT, 0, chunklen,
+                                get_random_u32()/*itag*/,
+                                32768, 10, 2048,
+                                get_random_u32()/*itsn*/);
+        vtag = 0;
+        break;
+      case SCTP_COOKIE_ECHO:
+        chunklen = sizeof(struct sctp_chunkhdr_cookie_echo) + 4;
+        chunk = (char*)safe_malloc(chunklen);
+        *((u32*)((char*)chunk + sizeof(struct sctp_chunkhdr_cookie_echo))) =
+            get_random_u32();
+        sctp_pack_chunkhdr_cookie_echo(chunk, SCTP_COOKIE_ECHO, 0, chunklen);
+        vtag = get_random_u32();
+        break;
+      default:
+        assert(0);
+    }
+    for(decoy = 0; decoy < o.numdecoys; decoy++) {
+      packet = build_sctp_raw(&o.decoys[decoy], hss->target->v4hostip(),
+                              o.ttl, ipid, IP_TOS_DEFAULT, false,
+                              o.ipoptions, o.ipoptionslen,
+                              sport, pspec->pd.sctp.dport,
+                              vtag, chunk, chunklen,
+                              o.extra_payload, o.extra_payload_length,
+                              &packetlen);
+      if (decoy == o.decoyturn) {
+        probe->setIP(packet, packetlen, pspec);
+        probe->sent = USI->now;
+      }
+      hss->probeSent(packetlen);
+      send_ip_packet(USI->rawsd, ethptr, packet, packetlen);
+      free(packet);
+    }
+    free(chunk);
   } else if (pspec->type == PS_PROTO) {
     for(decoy = 0; decoy < o.numdecoys; decoy++) {
       switch(pspec->proto) {
@@ -3022,6 +3178,24 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
 			       o.extra_payload, o.extra_payload_length, 
 			       &packetlen);
 
+	break;
+      case IPPROTO_SCTP:
+	{
+	  struct sctp_chunkhdr_init chunk;
+	  sctp_pack_chunkhdr_init(&chunk, SCTP_INIT, 0,
+				  sizeof(struct sctp_chunkhdr_init),
+				  get_random_u32()/*itag*/,
+				  32768, 10, 2048,
+				  get_random_u32()/*itsn*/);
+	  packet = build_sctp_raw(&o.decoys[decoy], hss->target->v4hostip(),
+				  o.ttl, ipid, IP_TOS_DEFAULT, false,
+				  o.ipoptions, o.ipoptionslen,
+				  sport, o.magic_port,
+				  0UL, (char*)&chunk,
+				  sizeof(struct sctp_chunkhdr_init),
+				  o.extra_payload, o.extra_payload_length,
+				  &packetlen);
+	}
 	break;
       default:
 	packet = build_ip_raw(&o.decoys[decoy], hss->target->v4hostip(),
@@ -3087,7 +3261,8 @@ static void sendNextScanProbe(UltraScanInfo *USI, HostScanStats *hss) {
   else if (pspec.type == PS_CONNECTTCP)
     sendConnectScanProbe(USI, hss, pspec.pd.tcp.dport, 0, 0);
   else if (pspec.type == PS_TCP || pspec.type == PS_UDP
-    || pspec.type == PS_PROTO || pspec.type == PS_ICMP)
+    || pspec.type == PS_SCTP || pspec.type == PS_PROTO
+    || pspec.type == PS_ICMP)
     sendIPScanProbe(USI, hss, &pspec, 0, 0);
   else
     assert(0);
@@ -3164,7 +3339,7 @@ static void doAnyRetryStackRetransmits(UltraScanInfo *USI) {
    available */
 static void sendPingProbe(UltraScanInfo *USI, HostScanStats *hss) {
   if (o.debugging > 1) {
-    char tmpbuf[32];
+    char tmpbuf[64];
     log_write(LOG_PLAIN, "Ultrascan PING SENT to %s [%s]\n", hss->target->targetipstr(), 
 	      probespec2ascii(&hss->target->pingprobe, tmpbuf, sizeof(tmpbuf)));
   }
@@ -3172,7 +3347,8 @@ static void sendPingProbe(UltraScanInfo *USI, HostScanStats *hss) {
     sendConnectScanProbe(USI, hss, hss->target->pingprobe.pd.tcp.dport, 0, 
 			 hss->nextPingSeq(true));
   } else if (hss->target->pingprobe.type == PS_TCP || hss->target->pingprobe.type == PS_UDP
-    || hss->target->pingprobe.type == PS_PROTO || hss->target->pingprobe.type == PS_ICMP) {
+    || hss->target->pingprobe.type == PS_SCTP || hss->target->pingprobe.type == PS_PROTO
+    || hss->target->pingprobe.type == PS_ICMP) {
     sendIPScanProbe(USI, hss, &hss->target->pingprobe, 0, hss->nextPingSeq(true));
   } else if (hss->target->pingprobe.type == PS_ARP) {
     sendArpScanProbe(USI, hss, 0, hss->nextPingSeq(true));
@@ -3191,7 +3367,7 @@ static void sendGlobalPingProbe(UltraScanInfo *USI) {
   assert(hss != NULL);
 
   if (o.debugging > 1) {
-    char tmpbuf[32];
+    char tmpbuf[64];
     log_write(LOG_PLAIN, "Ultrascan GLOBAL PING SENT to %s [%s]\n", hss->target->targetipstr(), 
 	      probespec2ascii(&hss->target->pingprobe, tmpbuf, sizeof(tmpbuf)));
   }
@@ -3248,6 +3424,9 @@ static void retransmitProbe(UltraScanInfo *USI, HostScanStats *hss,
     } else if (probe->protocol() == IPPROTO_UDP) {
       newProbe = sendIPScanProbe(USI, hss, probe->pspec(), probe->tryno + 1,
 				 0);
+    } else if (probe->protocol() == IPPROTO_SCTP) {
+      newProbe = sendIPScanProbe(USI, hss, probe->pspec(), probe->tryno + 1,
+				 0);
     } else if (probe->protocol() == IPPROTO_ICMP) {
       newProbe = sendIPScanProbe(USI, hss, probe->pspec(), probe->tryno + 1,
 				 0);
@@ -3910,6 +4089,73 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
 	  }
 	}
 
+        goodone = true;
+      }
+    } else if (ip->ip_p == IPPROTO_SCTP && !USI->prot_scan) {
+      struct sctp_hdr *sctp = (struct sctp_hdr *) ((u8 *) ip + ip->ip_hl * 4);
+      struct sctp_chunkhdr *chunk = (struct sctp_chunkhdr *) ((u8 *) sctp + 12);
+      /* Now ensure this host is even in the incomplete list */
+      memset(&sin, 0, sizeof(sin));
+      sin.sin_addr.s_addr = ip->ip_src.s_addr;
+      sin.sin_family = AF_INET;
+      hss = USI->findHost((struct sockaddr_storage *) &sin);
+      if (!hss) continue; // Not from a host that interests us
+      setTargetMACIfAvailable(hss->target, &linkhdr, ip, 0);
+      probeI = hss->probes_outstanding.end();
+      listsz = hss->num_probes_outstanding();
+
+      goodone = false;
+      
+      /* Find the probe that provoked this response. */
+      for (probenum = 0; probenum < listsz && !goodone; probenum++) {
+	probeI--;
+	probe = *probeI;
+
+	if (o.af() != AF_INET || probe->protocol() != IPPROTO_SCTP)
+	  continue;
+
+	/* Ensure the connection info matches. */
+	if (probe->dport() != ntohs(sctp->sh_sport)
+            || probe->sport() != ntohs(sctp->sh_dport)
+            || hss->target->v4sourceip()->s_addr != ip->ip_dst.s_addr)
+	  continue;
+
+	/* Sometimes we get false results when scanning localhost with
+	   -p- because we scan localhost with src port = dst port and
+	   see our outgoing packet and think it is a response. */
+	if (probe->dport() == probe->sport() && 
+	    ip->ip_src.s_addr == ip->ip_dst.s_addr && 
+	    probe->ipid() == ntohs(ip->ip_id))
+	  continue; /* We saw the packet we ourselves sent */
+
+	if (!probe->isPing()) {
+	  /* Now that response has been matched to a probe, I interpret it */
+	  if (USI->scantype == SCTP_INIT_SCAN) {
+	    if (chunk->sch_type == SCTP_INIT_ACK) {
+	      newstate = PORT_OPEN;
+	      current_reason = ER_INITACK;
+	    } else if (chunk->sch_type == SCTP_ABORT) {
+	      newstate = PORT_CLOSED;
+	      current_reason = ER_ABORT;
+	    } else {
+	      if (o.debugging)
+	        error("Received response with unexpected SCTP chunks: %02x",
+	            chunk->sch_type);
+	      break;
+	    }
+	  } else if (USI->scantype == SCTP_COOKIE_ECHO_SCAN) {
+	    if (chunk->sch_type == SCTP_ABORT) {
+	      newstate = PORT_CLOSED;
+	      current_reason = ER_ABORT;
+	    } else {
+	      if (o.debugging)
+	        error("Received response with unexpected SCTP chunks: %02x",
+	            chunk->sch_type);
+	      break;
+	    }
+	  }
+	}
+
         goodone = true;
       }
     } else if (ip->ip_p == IPPROTO_ICMP) {
@@ -3922,8 +4168,10 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
       requiredbytes = /* IPlen*/ 4 * ip->ip_hl + 
                       /* ICMPLen */ 8 + 
                       /* IP2 Len */ 4 * ip2->ip_hl;
-      if (USI->tcp_scan || USI->udp_scan)
-	requiredbytes += 8; /* UDP hdr, or TCP hdr up to seq # */
+      if (USI->tcp_scan || USI->udp_scan || USI->sctp_scan) {
+	/* UDP hdr, or TCP hdr up to seq #, or SCTP hdr up to vtag */
+	requiredbytes += 8;
+      }
       /* prot scan has no headers coming back, so we don't reserve the 
 	 8 xtra bytes */
       if (bytes < requiredbytes) {
@@ -3939,6 +4187,9 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
       if (USI->udp_scan && ip2->ip_p != IPPROTO_UDP)
 	continue;
 
+      if (USI->sctp_scan && ip2->ip_p != IPPROTO_SCTP)
+	continue;
+
       /* ensure this packet relates to a packet to the host
 	 we are scanning ... */
       memset(&sin, 0, sizeof(sin));
@@ -3969,9 +4220,14 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
 	      ntohs(tcp->th_dport) != probe->dport() || 
 	      ntohl(tcp->th_seq) != probe->tcpseq())
 	    continue;
+	} else if (ip2->ip_p == IPPROTO_SCTP && !USI->prot_scan) {
+	  struct sctp_hdr *sctp = (struct sctp_hdr *) ((u8 *) ip2 + ip2->ip_hl * 4);
+	  if (ntohs(sctp->sh_sport) != probe->sport() || 
+	      ntohs(sctp->sh_dport) != probe->dport())
+	    continue;
 	} else if (ip2->ip_p == IPPROTO_UDP && !USI->prot_scan) {
 	  /* TODO: IPID verification */
-	  struct udp_hdr *udp = (struct udp_hdr *) ((u8 *) ip2 + ip->ip_hl * 4);
+	  struct udp_hdr *udp = (struct udp_hdr *) ((u8 *) ip2 + ip2->ip_hl * 4);
 	  if (ntohs(udp->uh_sport) != probe->sport() || 
 	      ntohs(udp->uh_dport) != probe->dport())
 	    continue;
@@ -4382,9 +4638,55 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
           /* Did we fail to find a probe? */
           if (probenum >= listsz)
             continue;
+        } else if (ip2->ip_p == IPPROTO_SCTP && USI->ptech.rawsctpscan) {
+          /* The response was based our SCTP probe */
+          if ((unsigned) ip2->ip_hl * 4 + 8 > bytes)
+            continue;
+          struct sctp_hdr *sctp = (struct sctp_hdr *) ((u8 *) ip2 + ip2->ip_hl * 4);
+          /* Search for this host on the incomplete list */
+          memset(&sin, 0, sizeof(sin));
+          sin.sin_addr.s_addr = ip2->ip_dst.s_addr;
+          sin.sin_family = AF_INET;
+          hss = USI->findHost((struct sockaddr_storage *) &sin);
+          if (!hss) continue; // Not referring to a host that interests us
+          setTargetMACIfAvailable(hss->target, &linkhdr, ip, 0);
+          probeI = hss->probes_outstanding.end();
+          listsz = hss->num_probes_outstanding();
+
+          for(probenum = 0; probenum < listsz; probenum++) {
+            probeI--;
+            probe = *probeI;
+
+            if (o.af() != AF_INET || probe->protocol() != IPPROTO_SCTP)
+              continue;
+
+            if (!allow_ipid_match(probe->ipid(), ntohs(ip2->ip_id)))
+              continue;
+
+            /* Ensure the connection info matches. */
+            if (probe->dport() != ntohs(sctp->sh_dport) ||
+                probe->sport() != ntohs(sctp->sh_sport) ||
+                hss->target->v4sourceip()->s_addr != ip->ip_dst.s_addr)
+              continue;
+            
+            /* Sometimes we get false results when scanning localhost with
+               -p- because we scan localhost with src port = dst port and
+               see our outgoing packet and think it is a response. */
+            if (probe->dport() == probe->sport() && 
+                ip->ip_src.s_addr == ip->ip_dst.s_addr && 
+                probe->ipid() == ntohs(ip->ip_id))
+              continue; /* We saw the packet we ourselves sent */
+
+            /* If we made it this far, we found it. We don't yet know if it's
+               going to change a host state (goodone) or not. */
+            break;
+          }
+          /* Did we fail to find a probe? */
+          if (probenum >= listsz)
+            continue;
         } else if (!USI->ptech.rawprotoscan) {
           if (o.debugging)
-            error("Got ICMP response to a packet which was not TCP, UDP, or ICMP");
+            error("Got ICMP response to a packet which was not TCP, UDP, SCTP or ICMP");
           continue;
         }
         
@@ -4575,6 +4877,52 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
         if (o.debugging)
           log_write(LOG_STDOUT, "In response to UDP-ping, we got UDP packet back from %s port %hu (trynum = %d)\n", inet_ntoa(ip->ip_src), htons(udp->uh_sport), trynum);
       }
+    } else if (ip->ip_p == IPPROTO_SCTP && USI->ptech.rawsctpscan) {
+      struct sctp_hdr *sctp = (struct sctp_hdr *) (((char *) ip) + 4 * ip->ip_hl);
+      struct sctp_chunkhdr *chunk = (struct sctp_chunkhdr *) ((u8 *) sctp + 12);
+      /* Search for this host on the incomplete list */
+      memset(&sin, 0, sizeof(sin));
+      sin.sin_addr.s_addr = ip->ip_src.s_addr;
+      sin.sin_family = AF_INET;
+      hss = USI->findHost((struct sockaddr_storage *) &sin);
+      if (!hss) continue; // Not from a host that interests us
+      probeI = hss->probes_outstanding.end();
+      listsz = hss->num_probes_outstanding();
+      goodone = false;
+
+      for(probenum = 0; probenum < listsz && !goodone; probenum++) {
+	probeI--;
+	probe = *probeI;
+
+	if (o.af() != AF_INET || probe->protocol() != IPPROTO_SCTP)
+	  continue;
+
+	/* Ensure the connection info matches. */
+	if (probe->dport() != ntohs(sctp->sh_sport) ||
+	    probe->sport() != ntohs(sctp->sh_dport) ||
+	    hss->target->v4sourceip()->s_addr != ip->ip_dst.s_addr)
+	  continue;
+
+	/* Sometimes we get false results when scanning localhost with
+	   -p- because we scan localhost with src port = dst port and
+	   see our outgoing packet and think it is a response. */
+	if (probe->dport() == probe->sport() && 
+	    ip->ip_src.s_addr == ip->ip_dst.s_addr && 
+	    probe->ipid() == ntohs(ip->ip_id))
+	  continue; /* We saw the packet we ourselves sent */
+
+        goodone = true;
+        newstate = HOST_UP;
+        if (chunk->sch_type == SCTP_INIT_ACK) {
+          current_reason = ER_INITACK;
+        } else if (chunk->sch_type == SCTP_ABORT) {
+          current_reason = ER_ABORT;
+        } else {
+          current_reason = ER_UNKNOWN;
+          if (o.debugging)
+            log_write(LOG_STDOUT, "Received scan response with unexpected SCTP chunks: n/a");
+        }
+      }
     } else if (!USI->ptech.rawprotoscan) {
       if (o.debugging > 2)
         error("Received packet with protocol %d; ignoring.", ip->ip_p);
@@ -4701,18 +5049,18 @@ static void begin_sniffer(UltraScanInfo *USI, vector<Target *> &Targets) {
       pcap_filter="dst host ";
       pcap_filter+=inet_ntoa(Targets[0]->v4source());
     }
-  } else if(USI->tcp_scan || USI->udp_scan || USI->ping_scan) {
-    /* Handle udp and tcp with one filter. */
+  } else if(USI->tcp_scan || USI->udp_scan || USI->sctp_scan || USI->ping_scan) {
+    /* Handle udp, tcp and sctp with one filter. */
     if (doIndividual){
       pcap_filter="dst host ";
       pcap_filter+=inet_ntoa(Targets[0]->v4source());
-      pcap_filter+=" and (icmp or ((tcp or udp) and (";
+      pcap_filter+=" and (icmp or ((tcp or udp or sctp) and (";
       pcap_filter+=dst_hosts;
       pcap_filter+=")))";
     }else{
       pcap_filter="dst host ";
       pcap_filter+=inet_ntoa(Targets[0]->v4source());
-      pcap_filter+=" and (icmp or tcp or udp)";
+      pcap_filter+=" and (icmp or tcp or udp or sctp)";
     }
   }else assert(0);
   if (o.debugging > 2) log_write(LOG_PLAIN, "Pcap filter: %s\n", pcap_filter.c_str());
@@ -5243,11 +5591,13 @@ void pos_scan(Target *target, u16 *portarray, int numports, stype scantype) {
     /* Make sure we have ports left to scan */
     while(1) {
       if (doingOpenFiltered) {
-	rsi.rpc_current_port = target->ports.nextPort(rsi.rpc_current_port, TCPANDUDP, 
+	rsi.rpc_current_port = target->ports.nextPort(rsi.rpc_current_port,
+						      TCPANDUDPANDSCTP,
 						      PORT_OPENFILTERED);
       } else {
 	rsi.rpc_current_port = target->ports.nextPort(rsi.rpc_current_port,
-						      TCPANDUDP, PORT_OPEN);
+						      TCPANDUDPANDSCTP,
+						      PORT_OPEN);
 	if (!rsi.rpc_current_port && !o.servicescan) {
 	  doingOpenFiltered = true;
 	  continue;
diff --git a/scan_engine.h b/scan_engine.h
index 60d93205e..cf672f39a 100644
--- a/scan_engine.h
+++ b/scan_engine.h
@@ -107,6 +107,11 @@ struct probespec_udpdata {
   u16 dport;
 };
 
+struct probespec_sctpdata {
+  u16 dport;
+  u8 chunktype;
+};
+
 struct probespec_icmpdata {
   u8 type;
   u8 code;
@@ -119,6 +124,7 @@ struct probespec_icmpdata {
 #define PS_ICMP 4
 #define PS_ARP 5
 #define PS_CONNECTTCP 6
+#define PS_SCTP 7
 
 /* The size of this structure is critical, since there can be tens of
    thousands of them stored together ... */
@@ -130,6 +136,7 @@ typedef struct probespec {
   union {
     struct probespec_tcpdata tcp; /* If type is PS_TCP or PS_CONNECTTCP. */
     struct probespec_udpdata udp; /* PS_UDP */
+    struct probespec_sctpdata sctp; /* PS_SCTP */
     struct probespec_icmpdata icmp; /* PS_ICMP */
     /* Nothing needed for PS_ARP, since src mac and target IP are
        avail from target structure anyway */
diff --git a/service_scan.cc b/service_scan.cc
index 70c4d6a19..25244806e 100644
--- a/service_scan.cc
+++ b/service_scan.cc
@@ -98,6 +98,7 @@
 #include "nsock.h"
 #include "Target.h"
 #include "utils.h"
+#include "protocols.h"
 
 #include "nmap_tty.h"
 
@@ -1244,6 +1245,9 @@ int AllProbes::isExcluded(unsigned short port, int proto) {
   } else if (proto == IPPROTO_UDP) {
     p = excludedports.udp_ports;
     count = excludedports.udp_count;
+  } else if (proto == IPPROTO_SCTP) {
+    p = excludedports.sctp_ports;
+    count = excludedports.sctp_count;
   } else {
     fatal("Bad proto number (%d) specified in %s", proto, __func__);
   }
@@ -1630,7 +1634,7 @@ ServiceGroup::ServiceGroup(vector<Target *> &Targets, AllProbes *AP) {
       num_hosts_timedout++;
       continue;
     }
-    while((nxtport = Targets[targetno]->ports.nextPort(nxtport, TCPANDUDP, PORT_OPEN))) {
+    while((nxtport = Targets[targetno]->ports.nextPort(nxtport, TCPANDUDPANDSCTP, PORT_OPEN))) {
       svc = new ServiceNFO(AP);
       svc->target = Targets[targetno];
       svc->portno = nxtport->portno;
@@ -1648,7 +1652,7 @@ ServiceGroup::ServiceGroup(vector<Target *> &Targets, AllProbes *AP) {
     if (Targets[targetno]->timedOut(&now)) {
       continue;
     }
-    while((nxtport = Targets[targetno]->ports.nextPort(nxtport, TCPANDUDP, PORT_OPENFILTERED))) {
+    while((nxtport = Targets[targetno]->ports.nextPort(nxtport, TCPANDUDPANDSCTP, PORT_OPENFILTERED))) {
       svc = new ServiceNFO(AP);
       svc->target = Targets[targetno];
       svc->portno = nxtport->portno;
@@ -2350,7 +2354,8 @@ static void remove_excluded_ports(AllProbes *AP, ServiceGroup *SG) {
     svc = *i;
     if (AP->isExcluded(svc->portno, svc->proto)) {
 
-      if (o.debugging) log_write(LOG_PLAIN, "EXCLUDING %d/%s\n", svc->portno, svc->proto==IPPROTO_TCP ? "tcp" : "udp");
+      if (o.debugging) log_write(LOG_PLAIN, "EXCLUDING %d/%s\n", svc->portno,
+          IPPROTO2STR(svc->proto));
 
       svc->port->setServiceProbeResults(PROBESTATE_EXCLUDED, NULL, 
 					SERVICE_TUNNEL_NONE,
diff --git a/services.cc b/services.cc
index 1a44cdeb6..1f1450911 100644
--- a/services.cc
+++ b/services.cc
@@ -131,6 +131,7 @@ bool service_node_ratio_compare(const service_node& a, const service_node& b) {
 extern NmapOps o;
 static int numtcpports = 0;
 static int numudpports = 0;
+static int numsctpports = 0;
 static std::map<port_spec, service_node> service_table;
 static std::list<service_node> services_by_ratio;
 static int services_initialized = 0;
@@ -241,6 +242,8 @@ static int nmap_services_init() {
       numtcpports++;
     } else if (strncasecmp(proto, "udp", 3) == 0) {
       numudpports++;
+    } else if (strncasecmp(proto, "sctp", 4) == 0) {
+      numsctpports++;
     } else if (strncasecmp(proto, "ddp", 3) == 0) {
       /* ddp is some apple thing...we don't "do" that */
     } else if (strncasecmp(proto, "divert", 6) == 0) {
@@ -300,6 +303,10 @@ int addportsfromservmask(char *mask, u8 *porttbl, int range_type) {
         porttbl[ntohs(current.s_port)] |= SCAN_UDP_PORT;
         t++;
       }
+      if ((range_type & SCAN_SCTP_PORT) && strcmp(current.s_proto, "sctp") == 0) {
+        porttbl[ntohs(current.s_port)] |= SCAN_SCTP_PORT;
+        t++;
+      }
     }
   }
 
@@ -352,6 +359,10 @@ static bool is_port_member(const struct scan_lists *ptsdata, const struct servic
     for (i=0; i<ptsdata->udp_count; i++)
       if (ntohs(serv->s_port) == ptsdata->udp_ports[i])
         return true;
+  } else if (strcmp(serv->s_proto, "sctp") == 0) {
+    for (i=0; i<ptsdata->sctp_count; i++)
+      if (ntohs(serv->s_port) == ptsdata->sctp_ports[i])
+        return true;
   }
 
   return false;
@@ -368,10 +379,10 @@ static bool is_port_member(const struct scan_lists *ptsdata, const struct servic
 // and return the N highest ratio ports (where N==level).
 //
 // This function doesn't support IP protocol scan so only call this
-// function if o.TCPScan() || o.UDPScan()
+// function if o.TCPScan() || o.UDPScan() || o.SCTPScan()
 
 void gettoppts(double level, char *portlist, struct scan_lists * ports) {
-  int ti=0, ui=0;
+  int ti=0, ui=0, si=0;
   struct scan_lists ptsdata = { 0 };
   bool ptsdata_initialized = false;
   const struct service_node *current;
@@ -420,6 +431,8 @@ void gettoppts(double level, char *portlist, struct scan_lists * ports) {
           ports->tcp_count++;
         else if (o.UDPScan() && strcmp(current->s_proto, "udp") == 0)
           ports->udp_count++;
+        else if (o.SCTPScan() && strcmp(current->s_proto, "sctp") == 0)
+          ports->sctp_count++;
       } else {
         break;
       }
@@ -431,6 +444,9 @@ void gettoppts(double level, char *portlist, struct scan_lists * ports) {
     if (ports->udp_count)
       ports->udp_ports = (unsigned short *)safe_zalloc(ports->udp_count * sizeof(unsigned short));
 
+    if (ports->sctp_count)
+      ports->sctp_ports = (unsigned short *)safe_zalloc(ports->sctp_count * sizeof(unsigned short));
+
     ports->prots = NULL;
 
     for (i = services_by_ratio.begin(); i != services_by_ratio.end(); i++) {
@@ -442,6 +458,8 @@ void gettoppts(double level, char *portlist, struct scan_lists * ports) {
           ports->tcp_ports[ti++] = ntohs(current->s_port);
         else if (o.UDPScan() && strcmp(current->s_proto, "udp") == 0)
           ports->udp_ports[ui++] = ntohs(current->s_port);
+        else if (o.SCTPScan() && strcmp(current->s_proto, "sctp") == 0)
+          ports->sctp_ports[si++] = ntohs(current->s_port);
       } else {
         break;
       }
@@ -458,6 +476,10 @@ void gettoppts(double level, char *portlist, struct scan_lists * ports) {
       ports->udp_count = MIN((int) level, numudpports);
       ports->udp_ports = (unsigned short *)safe_zalloc(ports->udp_count * sizeof(unsigned short));
     }
+    if (o.SCTPScan()) {
+      ports->sctp_count = MIN((int) level, numsctpports);
+      ports->sctp_ports = (unsigned short *)safe_zalloc(ports->sctp_count * sizeof(unsigned short));
+    }
 
     ports->prots = NULL;
 
@@ -469,10 +491,13 @@ void gettoppts(double level, char *portlist, struct scan_lists * ports) {
         ports->tcp_ports[ti++] = ntohs(current->s_port);
       else if (o.UDPScan() && strcmp(current->s_proto, "udp") == 0 && ui < ports->udp_count)
         ports->udp_ports[ui++] = ntohs(current->s_port);
+      else if (o.SCTPScan() && strcmp(current->s_proto, "sctp") == 0 && si < ports->sctp_count)
+        ports->sctp_ports[si++] = ntohs(current->s_port);
     }
 
     if (ti < ports->tcp_count) ports->tcp_count = ti;
     if (ui < ports->udp_count) ports->udp_count = ui;
+    if (si < ports->sctp_count) ports->sctp_count = si;
   } else
     fatal("Argument to gettoppts (%g) should be a positive ratio below 1 or an integer of 1 or higher", level);
 
@@ -487,9 +512,12 @@ void gettoppts(double level, char *portlist, struct scan_lists * ports) {
   if (ports->udp_count > 1)
     qsort(ports->udp_ports, ports->udp_count, sizeof(unsigned short), &port_compare);
 
+  if (ports->sctp_count > 1)
+    qsort(ports->sctp_ports, ports->sctp_count, sizeof(unsigned short), &port_compare);
+
   if (o.debugging && level < 1)
-    log_write(LOG_STDOUT, "PORTS: Using ports open on %g%% or more average hosts (TCP:%d, UDP:%d)\n", level*100, ports->tcp_count, ports->udp_count);
+    log_write(LOG_STDOUT, "PORTS: Using ports open on %g%% or more average hosts (TCP:%d, UDP:%d, SCTP:%d)\n", level*100, ports->tcp_count, ports->udp_count, ports->sctp_count);
   else if (o.debugging && level >= 1)
-    log_write(LOG_STDOUT, "PORTS: Using top %d ports found open (TCP:%d, UDP:%d)\n", (int) level, ports->tcp_count, ports->udp_count);
+    log_write(LOG_STDOUT, "PORTS: Using top %d ports found open (TCP:%d, UDP:%d, SCTP:%d)\n", (int) level, ports->tcp_count, ports->udp_count, ports->sctp_count);
 }
 
diff --git a/services.h b/services.h
index 50dcf939e..62366bb7a 100644
--- a/services.h
+++ b/services.h
@@ -111,7 +111,8 @@
  */
 #define SCAN_TCP_PORT	(1 << 0)
 #define SCAN_UDP_PORT	(1 << 1)
-#define SCAN_PROTOCOLS	(1 << 2)
+#define SCAN_SCTP_PORT	(1 << 2)
+#define SCAN_PROTOCOLS	(1 << 3)
 
 int addportsfromservmask(char *mask, u8 *porttbl, int range_type);
 struct servent *nmap_getservbyport(int port, const char *proto);
diff --git a/targets.cc b/targets.cc
index d3f7d7b2a..83b13e382 100644
--- a/targets.cc
+++ b/targets.cc
@@ -483,7 +483,7 @@ do {
 	 3) We are doing a raw-mode portscan or osscan OR
 	 4) We are on windows and doing ICMP ping */
       if (o.isr00t && o.af() == AF_INET && 
-	  ((pingtype & (PINGTYPE_TCP|PINGTYPE_UDP|PINGTYPE_PROTO|PINGTYPE_ARP)) || o.RawScan()
+	  ((pingtype & (PINGTYPE_TCP|PINGTYPE_UDP|PINGTYPE_SCTP_INIT|PINGTYPE_PROTO|PINGTYPE_ARP)) || o.RawScan()
 #ifdef WIN32
 	   || (pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS))
 #endif // WIN32
diff --git a/targets.h b/targets.h
index 5639645bd..8b1a5e15e 100644
--- a/targets.h
+++ b/targets.h
@@ -150,6 +150,7 @@ struct pingtech {
     connecttcpscan: 1,
     rawtcpscan: 1,
     rawudpscan: 1,
+    rawsctpscan: 1,
     rawprotoscan: 1;
 };
 
diff --git a/tcpip.cc b/tcpip.cc
index b24fcdac8..4cb567c9c 100644
--- a/tcpip.cc
+++ b/tcpip.cc
@@ -184,6 +184,8 @@ const char *proto2ascii(u8 proto, bool uppercase) {
     return uppercase? "TCP" : "tcp"; break;
   case IPPROTO_UDP:
     return uppercase? "UDP" : "udp"; break;
+  case IPPROTO_SCTP:
+    return uppercase? "SCTP" : "sctp"; break;
   case IPPROTO_IP:
     return uppercase? "IP" : "ip"; break;
   default:
@@ -427,6 +429,7 @@ static const char *ippackethdrinfo(const u8 *packet, u32 len) {
   struct ip *ip = (struct ip *) packet;
   struct tcp_hdr *tcp = NULL;
   struct udp_hdr *udp = NULL;
+  struct sctp_hdr *sctp = NULL;
   char ipinfo[512];
   char srchost[INET6_ADDRSTRLEN], dsthost[INET6_ADDRSTRLEN];
   char *p;
@@ -549,6 +552,14 @@ static const char *ippackethdrinfo(const u8 *packet, u32 len) {
     Snprintf(protoinfo, sizeof(protoinfo), "UDP %s:%d > %s:%d %s",
 	     srchost, ntohs(udp->uh_sport), dsthost, ntohs(udp->uh_dport),
 	     ipinfo);
+  } else if (ip->ip_p == IPPROTO_SCTP && frag_off) {
+      Snprintf(protoinfo, sizeof(protoinfo), "SCTP %s:?? > %s:?? fragment %s (incomplete)", srchost, dsthost, ipinfo);
+  } else if (ip->ip_p == IPPROTO_SCTP) {
+    sctp =  (struct sctp_hdr *) (packet + sizeof(struct ip));
+
+    Snprintf(protoinfo, sizeof(protoinfo), "SCTP %s:%d > %s:%d %s",
+	     srchost, ntohs(sctp->sh_sport), dsthost, ntohs(sctp->sh_dport),
+	     ipinfo);
   } else if (ip->ip_p == IPPROTO_ICMP && frag_off) {
       Snprintf(protoinfo, sizeof(protoinfo), "ICMP %s > %s fragment %s (incomplete)", srchost, dsthost, ipinfo);
   } else if (ip->ip_p == IPPROTO_ICMP) {
@@ -577,6 +588,7 @@ static const char *ippackethdrinfo(const u8 *packet, u32 len) {
       if (pktlen + 8 < len) {
         tcp = (struct tcp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
         udp = (struct udp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
+        sctp = (struct sctp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
       }
       ip2dst = inet_ntoa(ip2->ip_dst);
       switch (ping->code) {
@@ -594,6 +606,8 @@ static const char *ippackethdrinfo(const u8 *packet, u32 len) {
 	  Snprintf(icmptype, sizeof icmptype, "port %u unreachable", ntohs(udp->uh_dport));
 	else if (ip2->ip_p == IPPROTO_TCP && tcp)
 	  Snprintf(icmptype, sizeof icmptype, "port %u unreachable", ntohs(tcp->th_dport));
+	else if (ip2->ip_p == IPPROTO_SCTP && sctp)
+	  Snprintf(icmptype, sizeof icmptype, "port %u unreachable", ntohs(sctp->sh_dport));
 	else
 	  strcpy(icmptype, "port unreachable");
 	break;
@@ -1761,6 +1775,69 @@ int send_udp_raw( int sd, struct eth_nfo *eth,
   return res;
 }
 
+/* Builds an SCTP packet (including an IP header) by packing the fields
+   with the given information.  It allocates a new buffer to store the
+   packet contents, and then returns that buffer.  The packet is not
+   actually sent by this function.  Caller must delete the buffer when
+   finished with the packet.  The packet length is returned in
+   packetlen, which must be a valid int pointer. */
+u8 *build_sctp_raw(const struct in_addr *source, const struct in_addr *victim,
+		  int ttl, u16 ipid, u8 tos, bool df,
+		  u8 *ipopt, int ipoptlen,
+		  u16 sport, u16 dport,
+		  u32 vtag, char *chunks, int chunkslen,
+		  char *data, u16 datalen, u32 *outpacketlen)
+{
+  int packetlen = sizeof(struct ip) + ipoptlen + sizeof(struct sctp_hdr) + chunkslen + datalen;
+  u8 *packet = (u8 *) safe_malloc(packetlen);
+  struct ip *ip = (struct ip *) packet;
+  struct sctp_hdr *sctp = (struct sctp_hdr *) ((u8*)ip + sizeof(struct ip) + ipoptlen);
+  static int myttl = 0;
+  
+  /* check that required fields are there and not too silly */
+  assert(victim);
+  assert(source);
+  assert(ipoptlen%4==0);
+  
+  /* Time to live */
+  if (ttl == -1) {
+    myttl = (get_random_uint() % 23) + 37;
+  } else {
+    myttl = ttl;
+  }
+  
+  sctp->sh_sport = htons(sport);
+  sctp->sh_dport = htons(dport);
+  sctp->sh_sum   = 0;
+  sctp->sh_vtag  = htonl(vtag);
+  
+  if (chunks)
+    memcpy((u8*)sctp + sizeof(struct sctp_hdr), chunks, chunkslen);
+  
+  if (data)
+    memcpy((u8*)sctp + sizeof(struct sctp_hdr) + chunkslen, data, datalen);
+  
+  /* RFC 2960 originally defined Adler32 checksums, which was later
+   * revised to CRC32C in RFC 3309 and RFC 4960 respectively.
+   * Nmap uses CRC32C by default, unless --adler32 is given. */
+  if (o.adler32)
+    sctp->sh_sum = htonl(nbase_adler32((unsigned char*)sctp,
+                   sizeof(struct sctp_hdr) + chunkslen + datalen));
+  else
+    sctp->sh_sum = htonl(nbase_crc32c((unsigned char*)sctp,
+                   sizeof(struct sctp_hdr) + chunkslen + datalen));
+
+  if (o.badsum)
+    --sctp->sh_sum;
+
+  fill_ip_raw(ip, packetlen, ipopt, ipoptlen,
+	tos, ipid, df?IP_DF:0, myttl, IPPROTO_SCTP,
+	source, victim);
+  
+  *outpacketlen = packetlen;
+  return packet;
+}
+
 /* Builds an IP packet (including an IP header) by packing the fields
    with the given information.  It allocates a new buffer to store the
    packet contents, and then returns that buffer.  The packet is not
diff --git a/tcpip.h b/tcpip.h
index 09afb8cde..5c11bd0e2 100644
--- a/tcpip.h
+++ b/tcpip.h
@@ -525,6 +525,20 @@ u8 *build_udp_raw(struct in_addr *source, const struct in_addr *victim,
  		  char *data, u16 datalen,
  		  u32 *packetlen);
 
+/* Builds an SCTP packet (including an IP header) by packing the fields
+   with the given information.  It allocates a new buffer to store the
+   packet contents, and then returns that buffer.  The packet is not
+   actually sent by this function.  Caller must delete the buffer when
+   finished with the packet.  The packet length is returned in
+   packetlen, which must be a valid int pointer. */
+u8 *build_sctp_raw(const struct in_addr *source, const struct in_addr *victim,
+		   int ttl, u16 ipid, u8 tos, bool df,
+		   u8* ipopt, int ipoptlen,
+		   u16 sport, u16 dport,
+		   u32 vtag, char *chunks, int chunkslen,
+		   char *data, u16 datalen,
+		   u32 *packetlen);
+
 /* Builds an ICMP packet (including an IP header) by packing the
    fields with the given information.  It allocates a new buffer to
    store the packet contents, and then returns that buffer.  The
diff --git a/traceroute.cc b/traceroute.cc
index 80f2d3e7c..76ffe798a 100644
--- a/traceroute.cc
+++ b/traceroute.cc
@@ -248,14 +248,16 @@ Traceroute::getTraceProbe (Target * t) {
 
     probe = t->pingprobe;
     /* If this is an IP protocol probe, fill in some fields for some common
-       protocols. We cheat and store them in the TCP-, UDP-, and ICMP-specific
-       fields. Traceroute::sendProbe checks for them there. */
+       protocols. We cheat and store them in the TCP-, UDP-, SCTP- and
+       ICMP-specific fields. Traceroute::sendProbe checks for them there. */
     if (probe.type == PS_PROTO) {
         if (probe.proto == IPPROTO_TCP) {
             probe.pd.tcp.flags = TH_ACK;
             probe.pd.tcp.dport = get_random_u16();
         } else if (probe.proto == IPPROTO_UDP) {
             probe.pd.udp.dport = get_random_u16();
+        } else if (probe.proto == IPPROTO_SCTP) {
+            probe.pd.sctp.dport = get_random_u16();
         } else if (probe.proto == IPPROTO_ICMP) {
             probe.pd.icmp.type = ICMP_ECHO;
         }
@@ -274,6 +276,7 @@ Traceroute::readTraceResponses () {
     struct icmp *icmp2 = NULL;
     struct tcp_hdr *tcp = NULL;
     struct udp_hdr *udp = NULL;
+    struct sctp_hdr *sctp = NULL;
     struct link_header linkhdr;
     unsigned int bytes;
     struct timeval rcvdtime;
@@ -311,6 +314,11 @@ Traceroute::readTraceResponses () {
                 if (ntohs(ip2->ip_len) - (ip2->ip_hl * 4) < 2)
                     break;
                 sport = ntohs (udp->uh_sport);
+            } else if (ip2->ip_p == IPPROTO_SCTP) {
+                sctp = (struct sctp_hdr *) ((u8 *) ip2 + ip2->ip_hl * 4);
+                if (ntohs(ip2->ip_len) - (ip2->ip_hl * 4) < 2)
+                    break;
+                sport = ntohs(sctp->sh_sport);
             } else if (ip2->ip_p == IPPROTO_ICMP) {
                 icmp2 = (struct icmp *) ((char *) ip2 + 4 * ip2->ip_hl);
                 if (ntohs(ip2->ip_len) - (ip2->ip_hl * 4) < 8)
@@ -475,6 +483,43 @@ Traceroute::readTraceResponses () {
                 tg->ttl = tg->start_ttl + 1;
         }
         break;
+    case IPPROTO_SCTP:
+        sctp = (struct sctp_hdr *) ((char *) ip + 4 * ip->ip_hl);
+
+        if (TraceGroups.find(ip->ip_src.s_addr) != TraceGroups.end())
+            tg = TraceGroups[ip->ip_src.s_addr];
+        else
+            break;
+
+        if (tg->TraceProbes.find(ntohs(sctp->sh_dport)) != tg->TraceProbes.end())
+            tp = tg->TraceProbes[ntohs(sctp->sh_dport)];
+        else
+            break;
+
+        /* already got the sctp packet for this group,
+         * could be a left over abort or init-ack */
+        if (tp->ipreplysrc.s_addr)
+            break;
+
+        /* We might have got a late reply */
+        if (tp->timing.getState() == P_TIMEDOUT)
+            tp->timing.setState(P_OK);
+        else
+            tg->decRemaining();
+
+        tp->timing.recvTime = rcvdtime;
+        tp->ipreplysrc = ip->ip_src;
+        tg->repliedPackets++;
+        /* The probe was the reply from a ttl guess */
+        if (tp->probeType() == PROBE_TTL) {
+            tg->setHopDistance(get_initial_ttl_guess(ip->ip_ttl), ip->ip_ttl);
+            tg->start_ttl = tg->ttl = tg->hopDistance;
+        } else {
+            tg->gotReply = true;
+            if (tg->start_ttl < tg->ttl)
+                tg->ttl = tg->start_ttl + 1;
+        }
+        break;
     default:
         ;
     }
@@ -616,9 +661,9 @@ Traceroute::sendProbe (TraceProbe * tp) {
         else
             source = o.decoys[decoy];
 
-        /* For TCP, UDP, and ICMP, also check if the probe is an IP proto probe
-           whose protocol happens to be one of those protocols. The
-           protocol-specific fields will have been filled in by
+        /* For TCP, UDP, SCTP and ICMP, also check if the probe is an IP
+           proto probe whose protocol happens to be one of those protocols.
+           The protocol-specific fields will have been filled in by
            Traceroute::getTraceProbe. */
         if (tp->probe.type == PS_TCP
             || (tp->probe.type == PS_PROTO && tp->probe.proto == IPPROTO_TCP)) {
@@ -633,6 +678,22 @@ Traceroute::sendProbe (TraceProbe * tp) {
                                     get_random_u8 (), false,
                                     NULL, 0, tp->sport,
                                     tp->probe.pd.udp.dport, o.extra_payload, o.extra_payload_length, &packetlen);
+        } else if (tp->probe.type == PS_SCTP
+            || (tp->probe.type == PS_PROTO && tp->probe.proto == IPPROTO_SCTP)) {
+            struct sctp_chunkhdr_init chunk;
+            sctp_pack_chunkhdr_init(&chunk, SCTP_INIT, 0,
+                                    sizeof(struct sctp_chunkhdr_init),
+                                    get_random_u32()/*itag*/,
+                                    32768, 10, 2048,
+                                    get_random_u32()/*itsn*/);
+            packet = build_sctp_raw(&source, &tp->ipdst, tp->ttl,
+                                    get_random_u16(), get_random_u8(),
+                                    false, NULL, 0,
+                                    tp->sport, tp->probe.pd.sctp.dport,
+                                    0UL, (char*)&chunk,
+                                    sizeof(struct sctp_chunkhdr_init),
+                                    o.extra_payload, o.extra_payload_length,
+                                    &packetlen);
         } else if (tp->probe.type == PS_ICMP
             || (tp->probe.type == PS_PROTO && tp->probe.proto == IPPROTO_ICMP)) {
             packet = build_icmp_raw (&source, &tp->ipdst, tp->ttl, 0, 0, false,
@@ -951,6 +1012,8 @@ Traceroute::outputTarget (Target * t) {
         log_write(LOG_PLAIN, "\nTRACEROUTE (using port %d/%s)\n", tg->probe.pd.tcp.dport, proto2ascii(tg->probe.proto));
     } else if (tg->probe.type == PS_UDP) {
         log_write(LOG_PLAIN, "\nTRACEROUTE (using port %d/%s)\n", tg->probe.pd.udp.dport, proto2ascii(tg->probe.proto));
+    } else if (tg->probe.type == PS_SCTP) {
+        log_write(LOG_PLAIN, "\nTRACEROUTE (using port %d/%s)\n", tg->probe.pd.sctp.dport, proto2ascii(tg->probe.proto));
     } else if (tg->probe.type == PS_ICMP || tg->probe.type == PS_PROTO) {
         struct protoent *proto = nmap_getprotbynum(htons(tg->probe.proto));
         log_write(LOG_PLAIN, "\nTRACEROUTE (using proto %d/%s)\n", tg->probe.proto, proto?proto->p_name:"unknown");
@@ -982,6 +1045,8 @@ Traceroute::outputXMLTrace(TraceGroup * tg) {
 	log_write(LOG_XML, "port=\"%d\" ", tg->probe.pd.tcp.dport);
     } else if (tg->probe.type == PS_UDP) {
 	log_write(LOG_XML, "port=\"%d\" ", tg->probe.pd.udp.dport);
+    } else if (tg->probe.type == PS_SCTP) {
+        log_write(LOG_XML, "port=\"%d\" ", tg->probe.pd.sctp.dport);
     } else if (tg->probe.type == PS_ICMP || tg->probe.type == PS_PROTO) {
         struct protoent *proto = nmap_getprotbynum(htons(tg->probe.proto));
         if (proto == NULL)
@@ -1108,7 +1173,7 @@ TraceGroup::retransmissions (vector < TraceProbe * >&retrans) {
         if (droppedPackets > 10 && (droppedPackets /
                                     ((double) droppedPackets + repliedPackets) > threshold)) {
             if (!scanDelay)
-                scanDelay = (probe.type == PS_TCP) ? 5 : 50;
+                scanDelay = (probe.type == PS_TCP || probe.type == PS_SCTP) ? 5 : 50;
             else
                 scanDelay = MIN (scanDelay * 2, MAX (scanDelay, 800));
             droppedPackets = 0;