diff --git a/CHANGELOG b/CHANGELOG
index fe19bce1b..9cf27d755 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,4 +1,14 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o Made some changes to various Nmap initialization functions which
+  help ALT Linux (altlinux.org) developers run Nmap in a chroot
+  environment.  Thanks to Dmitry V. Levin (ldv(a)altlinux.org) for the
+  patch.
+
+o Cleaned up the code a bit by making a bunch (nearly 100) global
+  symols (mostly function calls) static.  I was also able to removed
+  some unused functions.  Thanks to Dmitry V. Levin (ldv(a)altlinux.org)
+  for sending a list of candidate symbols.
+
 Nmap 4.02ALPHA1
 
 o Added the --log-errors option, which causes most warnings and error
diff --git a/MACLookup.cc b/MACLookup.cc
index 451c3fd0a..7ff23b1c2 100644
--- a/MACLookup.cc
+++ b/MACLookup.cc
@@ -117,8 +117,6 @@ struct MAC_hash_table {
   struct MAC_entry **table;
 } MacTable;
 
-static int initialized = 0;
-
 static inline int MacCharPrefix2Key(const u8 *prefix) {
   return (prefix[0] << 16) + (prefix[1] << 8) + prefix[2];
 }
@@ -130,7 +128,8 @@ static inline int MACTableHash(int prefix, int table_capacity) {
   return prefix % table_capacity;
 }
 
-void InitializeTable() {
+void mac_prefix_init() {
+  static int initialized = 0;
   if (initialized) return;
   initialized = 1;
   char filename[256];
@@ -196,7 +195,7 @@ void InitializeTable() {
 }
 
 
-struct MAC_entry *findMACEntry(int prefix) {
+static struct MAC_entry *findMACEntry(int prefix) {
   int pos = MACTableHash(prefix, MacTable.table_capacity);
 
   while (MacTable.table[pos]) {
@@ -216,7 +215,7 @@ const char *MACPrefix2Corp(const u8 *prefix) {
   struct MAC_entry *ent;
 
   if (!prefix) fatal("MACPrefix2Corp called with a NULL prefix");
-  if (!initialized) InitializeTable();
+  mac_prefix_init();
 
   ent = findMACEntry(MacCharPrefix2Key(prefix));
   return (ent)? ent->vendor : NULL;
@@ -231,7 +230,7 @@ const char *MACPrefix2Corp(const u8 *prefix) {
 bool MACCorp2Prefix(const char *vendorstr, u8 *mac_data) {
   if (!vendorstr) fatal("%s: vendorstr is NULL", __FUNCTION__);
   if (!mac_data) fatal("%s: mac_data is NULL", __FUNCTION__);
-  if (!initialized) InitializeTable();
+  mac_prefix_init();
 
   for(int i = 0; i < MacTable.table_capacity; i++ ) {
     if (MacTable.table[i])
diff --git a/charpool.cc b/charpool.cc
index 87df1c75f..be470c98a 100644
--- a/charpool.cc
+++ b/charpool.cc
@@ -107,11 +107,13 @@ static char *charpool[16];
 static int currentcharpool;
 static int currentcharpoolsz;
 static char *nextchar;
-static int charpool_initialized = 0;
 
 #define ALIGN_ON sizeof(char *)
 
 static int cp_init(void) {
+  static int charpool_initialized = 0;
+  if (charpool_initialized) return 0;
+
   /* Create our char pool */
   currentcharpool = 0;
   currentcharpoolsz = 16384;
@@ -135,7 +137,7 @@ void *cp_alloc(int sz) {
   char *p;
   int modulus;
 
-  if (!charpool_initialized) cp_init();
+  cp_init();
 
   if ((modulus = sz % ALIGN_ON))
     sz += ALIGN_ON - modulus;
@@ -159,8 +161,7 @@ char *q;
 char *end;
 int modulus;
 
- if (!charpool_initialized) 
-   cp_init();
+ cp_init();
 
  end = charpool[currentcharpool] + currentcharpoolsz;
  q = nextchar;
diff --git a/idle_scan.cc b/idle_scan.cc
index a5c09a1bd..6e349bd7c 100644
--- a/idle_scan.cc
+++ b/idle_scan.cc
@@ -154,7 +154,7 @@ struct idle_proxy_info {
    Proxy timing is adjusted, but proxy->latestid is NOT ADJUSTED --
    you'll have to do that yourself.   Probes_sent is set to the number
    of probe packets sent during execution */
-int ipid_proxy_probe(struct idle_proxy_info *proxy, int *probes_sent,
+static int ipid_proxy_probe(struct idle_proxy_info *proxy, int *probes_sent,
 		     int *probes_rcvd) {
   struct timeval tv_end;
   int tries = 0;
@@ -248,7 +248,7 @@ int ipid_proxy_probe(struct idle_proxy_info *proxy, int *probes_sent,
    one, assuming the given IPID Sequencing class.  Returns -1 if the
    distance cannot be determined */
 
-int ipid_distance(int seqclass , u16 startid, u16 endid) {
+static int ipid_distance(int seqclass , u16 startid, u16 endid) {
   if (seqclass == IPID_SEQ_INCR)
     return endid - startid;
   
@@ -279,7 +279,7 @@ static void initialize_proxy_struct(struct idle_proxy_info *proxy) {
    proxy is determined to be unsuitable, the function whines and exits
    the program */
 #define NUM_IPID_PROBES 6
-void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
+static void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
 			  const struct in_addr *first_target) {
   int probes_sent = 0, probes_returned = 0;
   int hardtimeout = 9000000; /* Generally don't wait more than 9 secs total */
@@ -378,7 +378,7 @@ void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
     proxy->ethptr = &proxy->eth;
   } else {
     if ((proxy->rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
-      pfatal("socket trobles in get_fingerprint");
+      pfatal("socket trobles in %s", __FUNCTION__);
     unblock_socket(proxy->rawsd);
     broadcast_socket(proxy->rawsd);
 #ifndef WIN32
@@ -560,7 +560,7 @@ void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
    count of 'testcount' while the 'realcount' is as given.  If the
    testcount was correct, timing is made more aggressive, while it is
    slowed down in the case of an error */
-void adjust_idle_timing(struct idle_proxy_info *proxy, 
+static void adjust_idle_timing(struct idle_proxy_info *proxy, 
 			Target *target, int testcount, 
 			int realcount) {
 
@@ -622,7 +622,7 @@ void adjust_idle_timing(struct idle_proxy_info *proxy,
    They can be NULL if you don't want to use them.  The purpose is for
    timing adjustments if the numbers turn out to be accurate */
 
-int idlescan_countopen2(struct idle_proxy_info *proxy, 
+static int idlescan_countopen2(struct idle_proxy_info *proxy, 
 			Target *target, u16 *ports, int numports,
 			struct timeval *sent_time, struct timeval *rcv_time) 
 {
@@ -777,7 +777,7 @@ int idlescan_countopen2(struct idle_proxy_info *proxy,
 /* The job of this function is to use the Idlescan technique to count
    the number of open ports in the given list.  Under the covers, this
    function just farms out the hard work to another function */
-int idlescan_countopen(struct idle_proxy_info *proxy, 
+static int idlescan_countopen(struct idle_proxy_info *proxy, 
 		       Target *target, u16 *ports, int numports,
 		       struct timeval *sent_time, struct timeval *rcv_time) {
   int tries = 0;
@@ -818,7 +818,7 @@ int idlescan_countopen(struct idle_proxy_info *proxy,
 /* Recursively Idlescans scans a group of ports using a depth-first
    divide-and-conquer strategy to find the open one(s) */
 
-int idle_treescan(struct idle_proxy_info *proxy, Target *target,
+static int idle_treescan(struct idle_proxy_info *proxy, Target *target,
 		 u16 *ports, int numports, int expectedopen) {
 
   int firstHalfSz = (numports + 1)/2;
diff --git a/nmap.cc b/nmap.cc
index ce2d4adeb..61c4136d8 100644
--- a/nmap.cc
+++ b/nmap.cc
@@ -192,6 +192,240 @@ static int parse_bounce_argument(struct ftpinfo *ftp, char *url) {
   return 1;
 }
 
+static void printusage(char *name, int rc) {
+
+printf("%s %s ( %s )\n"
+       "Usage: nmap [Scan Type(s)] [Options] {target specification}\n"
+       "TARGET SPECIFICATION:\n"
+       "  Can pass hostnames, IP addresses, networks, etc.\n"
+       "  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254\n"
+       "  -iL <inputfilename>: Input from list of hosts/networks\n"
+       "  -iR <num hosts>: Choose random targets\n"
+       "  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks\n"
+       "  --excludefile <exclude_file>: Exclude list from file\n"
+       "HOST DISCOVERY:\n"
+       "  -sL: List Scan - simply list targets to scan\n"
+       "  -sP: Ping Scan - go no further than determining if host is online\n"
+       "  -P0: Treat all hosts as online -- skip host discovery\n"
+       "  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports\n"
+       "  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes\n"
+       "  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]\n"
+       "  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers\n"
+       "  --system-dns: Use OS's DNS resolver\n"
+       "SCAN TECHNIQUES:\n"
+       "  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans\n"
+       "  -sN/sF/sX: TCP Null, FIN, and Xmas scans\n"
+       "  --scanflags <flags>: Customize TCP scan flags\n"
+       "  -sI <zombie host[:probeport]>: Idlescan\n"
+       "  -sO: IP protocol scan\n"
+       "  -b <ftp relay host>: FTP bounce scan\n"
+       "PORT SPECIFICATION AND SCAN ORDER:\n"
+       "  -p <port ranges>: Only scan specified ports\n"
+       "    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080\n"
+       "  -F: Fast - Scan only the ports listed in the nmap-services file)\n"
+       "  -r: Scan ports consecutively - don't randomize\n"
+       "SERVICE/VERSION DETECTION:\n"
+       "  -sV: Probe open ports to determine service/version info\n"
+       "  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)\n"
+       "  --version-light: Limit to most likely probes (intensity 2)\n"
+       "  --version-all: Try every single probe (intensity 9)\n"
+       "  --version-trace: Show detailed version scan activity (for debugging)\n"
+       "OS DETECTION:\n"
+       "  -O: Enable OS detection\n"
+       "  --osscan-limit: Limit OS detection to promising targets\n"
+       "  --osscan-guess: Guess OS more aggressively\n"
+       "TIMING AND PERFORMANCE:\n"
+       "  Options which take <time> are in milliseconds, unless you append 's'\n"
+       "  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).\n"
+       "  -T[0-5]: Set timing template (higher is faster)\n"
+       "  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes\n"
+       "  --min-parallelism/max-parallelism <time>: Probe parallelization\n"
+       "  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies\n"
+       "      probe round trip time.\n"
+       "  --max-retries <tries>: Caps number of port scan probe retransmissions.\n"
+       "  --host-timeout <time>: Give up on target after this long\n"
+       "  --scan-delay/--max-scan-delay <time>: Adjust delay between probes\n"
+       "FIREWALL/IDS EVASION AND SPOOFING:\n"
+       "  -f; --mtu <val>: fragment packets (optionally w/given MTU)\n"
+       "  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys\n"
+       "  -S <IP_Address>: Spoof source address\n"
+       "  -e <iface>: Use specified interface\n"
+       "  -g/--source-port <portnum>: Use given port number\n"
+       "  --data-length <num>: Append random data to sent packets\n"
+       "  --ttl <val>: Set IP time-to-live field\n"
+       "  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address\n"
+       "  --badsum: Send packets with a bogus TCP/UDP checksum\n"
+       "OUTPUT:\n"
+       "  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,\n"
+       "     and Grepable format, respectively, to the given filename.\n"
+       "  -oA <basename>: Output in the three major formats at once\n"
+       "  -v: Increase verbosity level (use twice for more effect)\n"
+       "  -d[level]: Set or increase debugging level (Up to 9 is meaningful)\n"
+       "  --packet-trace: Show all packets sent and received\n"
+       "  --iflist: Print host interfaces and routes (for debugging)\n"
+       "  --log-errors: Log errors/warnings to the normal-format output file\n"
+       "  --append-output: Append to rather than clobber specified output files\n"
+       "  --resume <filename>: Resume an aborted scan\n"
+       "  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML\n"
+       "  --webxml: Reference stylesheet from Insecure.Org for more portable XML\n"
+       "  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output\n"
+       "MISC:\n"
+       "  -6: Enable IPv6 scanning\n"
+       "  -A: Enables OS detection and Version detection\n"
+       "  --datadir <dirname>: Specify custom Nmap data file location\n"
+       "  --send-eth/--send-ip: Send using raw ethernet frames or IP packets\n"
+       "  --privileged: Assume that the user is fully privileged\n"
+       "  -V: Print version number\n"
+       "  -h: Print this help summary page.\n"
+       "EXAMPLES:\n"
+       "  nmap -v -A scanme.nmap.org\n"
+       "  nmap -v -sP 192.168.0.0/16 10.0.0.0/8\n"
+       "  nmap -v -iR 10000 -P0 -p 80\n"
+       "SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES\n", NMAP_NAME, NMAP_VERSION, NMAP_URL);
+  exit(rc);
+}
+
+/**
+ * Returns 1 if this is a reserved IP address, where "reserved" means
+ * either a private address, non-routable address, or even a non-reserved
+ * but unassigned address which has an extremely high probability of being
+ * black-holed.
+ *
+ * We try to optimize speed when ordering the tests. This optimization
+ * assumes that all byte values are equally likely in the input.
+ *
+ * Warning: This function could easily become outdated if the IANA
+ * starts to assign some more IPv4 ranges to RIPE, etc. as they have
+ * started doing this year (2001), for example 80.0.0.0/4 used to be
+ * completely unassigned until they gave 80.0.0.0/7 to RIPE in April
+ * 2001 (www.junk.org is an example of a new address in this range).
+ *
+ * Check <http://www.iana.org/assignments/ipv4-address-space> for
+ * the most recent assigments and
+ * <http://www.cymru.com/Documents/bogon-bn-nonagg.txt> for bogon
+ * netblocks.
+ */
+static int ip_is_reserved(struct in_addr *ip)
+{
+  char *ipc = (char *) &(ip->s_addr);
+  unsigned char i1 = ipc[0], i2 = ipc[1], i3 = ipc[2], i4 = ipc[3];
+
+  /* do all the /7's and /8's with a big switch statement, hopefully the
+   * compiler will be able to optimize this a little better using a jump table
+   * or what have you
+   */
+  switch (i1)
+    {
+    case 0:         /* 000/8 is IANA reserved       */
+    case 1:         /* 001/8 is IANA reserved       */
+    case 2:         /* 002/8 is IANA reserved       */
+    case 5:         /* 005/8 is IANA reserved       */
+    case 6:         /* USA Army ISC                 */
+    case 7:         /* used for BGP protocol        */
+    case 10:        /* the infamous 10.0.0.0/8      */
+    case 23:        /* 023/8 is IANA reserved       */
+    case 27:        /* 027/8 is IANA reserved       */
+    case 31:        /* 031/8 is IANA reserved       */
+    case 36:        /* 036/8 is IANA reserved       */
+    case 37:        /* 037/8 is IANA reserved       */
+    case 39:        /* 039/8 is IANA reserved       */
+    case 42:        /* 042/8 is IANA reserved       */
+    case 49:        /* 049/8 is IANA reserved       */
+    case 50:        /* 050/8 is IANA reserved       */
+    case 55:        /* misc. U.S.A. Armed forces    */
+    case 127:       /* 127/8 is reserved for loopback */
+    case 197:       /* 197/8 is IANA reserved       */
+    case 223:       /* 223/8 is IANA reserved       */
+      return 1;
+    default:
+      break;
+    }
+
+
+  /* 077-079/8 is IANA reserved */
+  if (i1 >= 77 && i1 <= 79)
+    return 1;
+
+  /* 092-123/8 is IANA reserved */
+  if (i1 >= 92 && i1 <= 123)
+    return 1;
+
+  /* 172.16.0.0/12 is reserved for private nets by RFC1819 */
+  if (i1 == 172 && i2 >= 16 && i2 <= 31)
+    return 1;
+
+  /* 173-187/8 is IANA reserved */
+  if (i1 >= 173 && i1 <= 187)
+    return 1;
+
+  /* 192.168.0.0/16 is reserved for private nets by RFC1819 */
+  /* 192.0.2.0/24 is reserved for documentation and examples */
+  /* 192.88.99.0/24 is used as 6to4 Relay anycast prefix by RFC3068 */
+  if (i1 == 192) {
+    if (i2 == 168)
+      return 1;
+    if (i2 == 0 && i3 == 2)
+      return 1;
+    if (i2 == 88 && i3 == 99)
+      return 1;
+  }
+
+  /* 198.18.0.0/15 is used for benchmark tests by RFC2544 */
+  if (i1 == 198 && i2 == 18 && i3 >= 1 && i3 <= 64) {
+    return 1;
+  }
+
+  /* reserved for DHCP clients seeking addresses, not routable outside LAN */
+  if (i1 == 169 && i2 == 254)
+    return 1;
+
+  /* believe it or not, 204.152.64.0/23 is some bizarre Sun proprietary
+   * clustering thing */
+  if (i1 == 204 && i2 == 152 && (i3 == 64 || i3 == 65))
+    return 1;
+
+  /* 224-239/8 is all multicast stuff */
+  /* 240-255/8 is IANA reserved */
+  if (i1 >= 224)
+    return 1;
+
+  /* 255.255.255.255, note we already tested for i1 in this range */
+  if (i2 == 255 && i3 == 255 && i4 == 255)
+    return 1;
+
+  return 0;
+}
+
+static char *grab_next_host_spec(FILE *inputfd, int argc, char **fakeargv) {
+  static char host_spec[1024];
+  unsigned int host_spec_index;
+  int ch;
+  struct in_addr ip;
+
+  if (o.generate_random_ips) {
+    do {
+      ip.s_addr = get_random_u32();
+    } while (ip_is_reserved(&ip));
+    Strncpy(host_spec, inet_ntoa(ip), sizeof(host_spec));
+  } else if (!inputfd) {
+    return( (optind < argc)?  fakeargv[optind++] : NULL);
+  } else { 
+    host_spec_index = 0;
+    while((ch = getc(inputfd)) != EOF) {
+      if (ch == ' ' || ch == '\r' || ch == '\n' || ch == '\t' || ch == '\0') {
+	if (host_spec_index == 0) continue;
+	host_spec[host_spec_index] = '\0';
+	return host_spec;
+      } else if (host_spec_index < sizeof(host_spec) / sizeof(char) -1) {
+	host_spec[host_spec_index++] = (char) ch;
+      } else fatal("One of the host_specifications from your input file is too long (> %d chars)", (int) sizeof(host_spec));
+    }
+    host_spec[host_spec_index] = '\0';
+  }
+  if (!*host_spec) return NULL;
+  return host_spec;
+}
+
 int nmap_main(int argc, char *argv[]) {
   char *p, *q;
   int i, arg;
@@ -1629,98 +1863,6 @@ struct scan_lists *getpts(char *origexpr) {
   return ports;
 }
 
-void printusage(char *name, int rc) {
-
-printf("%s %s ( %s )\n"
-       "Usage: nmap [Scan Type(s)] [Options] {target specification}\n"
-       "TARGET SPECIFICATION:\n"
-       "  Can pass hostnames, IP addresses, networks, etc.\n"
-       "  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254\n"
-       "  -iL <inputfilename>: Input from list of hosts/networks\n"
-       "  -iR <num hosts>: Choose random targets\n"
-       "  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks\n"
-       "  --excludefile <exclude_file>: Exclude list from file\n"
-       "HOST DISCOVERY:\n"
-       "  -sL: List Scan - simply list targets to scan\n"
-       "  -sP: Ping Scan - go no further than determining if host is online\n"
-       "  -P0: Treat all hosts as online -- skip host discovery\n"
-       "  -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports\n"
-       "  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes\n"
-       "  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]\n"
-       "  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers\n"
-       "  --system-dns: Use OS's DNS resolver\n"
-       "SCAN TECHNIQUES:\n"
-       "  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans\n"
-       "  -sN/sF/sX: TCP Null, FIN, and Xmas scans\n"
-       "  --scanflags <flags>: Customize TCP scan flags\n"
-       "  -sI <zombie host[:probeport]>: Idlescan\n"
-       "  -sO: IP protocol scan\n"
-       "  -b <ftp relay host>: FTP bounce scan\n"
-       "PORT SPECIFICATION AND SCAN ORDER:\n"
-       "  -p <port ranges>: Only scan specified ports\n"
-       "    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080\n"
-       "  -F: Fast - Scan only the ports listed in the nmap-services file)\n"
-       "  -r: Scan ports consecutively - don't randomize\n"
-       "SERVICE/VERSION DETECTION:\n"
-       "  -sV: Probe open ports to determine service/version info\n"
-       "  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)\n"
-       "  --version-light: Limit to most likely probes (intensity 2)\n"
-       "  --version-all: Try every single probe (intensity 9)\n"
-       "  --version-trace: Show detailed version scan activity (for debugging)\n"
-       "OS DETECTION:\n"
-       "  -O: Enable OS detection\n"
-       "  --osscan-limit: Limit OS detection to promising targets\n"
-       "  --osscan-guess: Guess OS more aggressively\n"
-       "TIMING AND PERFORMANCE:\n"
-       "  Options which take <time> are in milliseconds, unless you append 's'\n"
-       "  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).\n"
-       "  -T[0-5]: Set timing template (higher is faster)\n"
-       "  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes\n"
-       "  --min-parallelism/max-parallelism <time>: Probe parallelization\n"
-       "  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies\n"
-       "      probe round trip time.\n"
-       "  --max-retries <tries>: Caps number of port scan probe retransmissions.\n"
-       "  --host-timeout <time>: Give up on target after this long\n"
-       "  --scan-delay/--max-scan-delay <time>: Adjust delay between probes\n"
-       "FIREWALL/IDS EVASION AND SPOOFING:\n"
-       "  -f; --mtu <val>: fragment packets (optionally w/given MTU)\n"
-       "  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys\n"
-       "  -S <IP_Address>: Spoof source address\n"
-       "  -e <iface>: Use specified interface\n"
-       "  -g/--source-port <portnum>: Use given port number\n"
-       "  --data-length <num>: Append random data to sent packets\n"
-       "  --ttl <val>: Set IP time-to-live field\n"
-       "  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address\n"
-       "  --badsum: Send packets with a bogus TCP/UDP checksum\n"
-       "OUTPUT:\n"
-       "  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,\n"
-       "     and Grepable format, respectively, to the given filename.\n"
-       "  -oA <basename>: Output in the three major formats at once\n"
-       "  -v: Increase verbosity level (use twice for more effect)\n"
-       "  -d[level]: Set or increase debugging level (Up to 9 is meaningful)\n"
-       "  --packet-trace: Show all packets sent and received\n"
-       "  --iflist: Print host interfaces and routes (for debugging)\n"
-       "  --log-errors: Log errors/warnings to the normal-format output file\n"
-       "  --append-output: Append to rather than clobber specified output files\n"
-       "  --resume <filename>: Resume an aborted scan\n"
-       "  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML\n"
-       "  --webxml: Reference stylesheet from Insecure.Org for more portable XML\n"
-       "  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output\n"
-       "MISC:\n"
-       "  -6: Enable IPv6 scanning\n"
-       "  -A: Enables OS detection and Version detection\n"
-       "  --datadir <dirname>: Specify custom Nmap data file location\n"
-       "  --send-eth/--send-ip: Send using raw ethernet frames or IP packets\n"
-       "  --privileged: Assume that the user is fully privileged\n"
-       "  -V: Print version number\n"
-       "  -h: Print this help summary page.\n"
-       "EXAMPLES:\n"
-       "  nmap -v -A scanme.nmap.org\n"
-       "  nmap -v -sP 192.168.0.0/16 10.0.0.0/8\n"
-       "  nmap -v -iR 10000 -P0 -p 80\n"
-       "SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES\n", NMAP_NAME, NMAP_VERSION, NMAP_URL);
-  exit(rc);
-}
 
 void printinteractiveusage() {
   printf(
@@ -1819,148 +1961,7 @@ char *tsseqclass2ascii(int seqclass) {
 }
 
 
-/**
- * Returns 1 if this is a reserved IP address, where "reserved" means
- * either a private address, non-routable address, or even a non-reserved
- * but unassigned address which has an extremely high probability of being
- * black-holed.
- *
- * We try to optimize speed when ordering the tests. This optimization
- * assumes that all byte values are equally likely in the input.
- *
- * Warning: This function could easily become outdated if the IANA
- * starts to assign some more IPv4 ranges to RIPE, etc. as they have
- * started doing this year (2001), for example 80.0.0.0/4 used to be
- * completely unassigned until they gave 80.0.0.0/7 to RIPE in April
- * 2001 (www.junk.org is an example of a new address in this range).
- *
- * Check <http://www.iana.org/assignments/ipv4-address-space> for
- * the most recent assigments and
- * <http://www.cymru.com/Documents/bogon-bn-nonagg.txt> for bogon
- * netblocks.
- */
 
-int ip_is_reserved(struct in_addr *ip)
-{
-  char *ipc = (char *) &(ip->s_addr);
-  unsigned char i1 = ipc[0], i2 = ipc[1], i3 = ipc[2], i4 = ipc[3];
-
-  /* do all the /7's and /8's with a big switch statement, hopefully the
-   * compiler will be able to optimize this a little better using a jump table
-   * or what have you
-   */
-  switch (i1)
-    {
-    case 0:         /* 000/8 is IANA reserved       */
-    case 1:         /* 001/8 is IANA reserved       */
-    case 2:         /* 002/8 is IANA reserved       */
-    case 5:         /* 005/8 is IANA reserved       */
-    case 6:         /* USA Army ISC                 */
-    case 7:         /* used for BGP protocol        */
-    case 10:        /* the infamous 10.0.0.0/8      */
-    case 23:        /* 023/8 is IANA reserved       */
-    case 27:        /* 027/8 is IANA reserved       */
-    case 31:        /* 031/8 is IANA reserved       */
-    case 36:        /* 036/8 is IANA reserved       */
-    case 37:        /* 037/8 is IANA reserved       */
-    case 39:        /* 039/8 is IANA reserved       */
-    case 42:        /* 042/8 is IANA reserved       */
-    case 49:        /* 049/8 is IANA reserved       */
-    case 50:        /* 050/8 is IANA reserved       */
-    case 55:        /* misc. U.S.A. Armed forces    */
-    case 127:       /* 127/8 is reserved for loopback */
-    case 197:       /* 197/8 is IANA reserved       */
-    case 223:       /* 223/8 is IANA reserved       */
-      return 1;
-    default:
-      break;
-    }
-
-
-  /* 077-079/8 is IANA reserved */
-  if (i1 >= 77 && i1 <= 79)
-    return 1;
-
-  /* 092-123/8 is IANA reserved */
-  if (i1 >= 92 && i1 <= 123)
-    return 1;
-
-  /* 172.16.0.0/12 is reserved for private nets by RFC1819 */
-  if (i1 == 172 && i2 >= 16 && i2 <= 31)
-    return 1;
-
-  /* 173-187/8 is IANA reserved */
-  if (i1 >= 173 && i1 <= 187)
-    return 1;
-
-  /* 192.168.0.0/16 is reserved for private nets by RFC1819 */
-  /* 192.0.2.0/24 is reserved for documentation and examples */
-  /* 192.88.99.0/24 is used as 6to4 Relay anycast prefix by RFC3068 */
-  if (i1 == 192) {
-    if (i2 == 168)
-      return 1;
-    if (i2 == 0 && i3 == 2)
-      return 1;
-    if (i2 == 88 && i3 == 99)
-      return 1;
-  }
-
-  /* 198.18.0.0/15 is used for benchmark tests by RFC2544 */
-  if (i1 == 198 && i2 == 18 && i3 >= 1 && i3 <= 64) {
-    return 1;
-  }
-
-  /* reserved for DHCP clients seeking addresses, not routable outside LAN */
-  if (i1 == 169 && i2 == 254)
-    return 1;
-
-  /* believe it or not, 204.152.64.0/23 is some bizarre Sun proprietary
-   * clustering thing */
-  if (i1 == 204 && i2 == 152 && (i3 == 64 || i3 == 65))
-    return 1;
-
-  /* 224-239/8 is all multicast stuff */
-  /* 240-255/8 is IANA reserved */
-  if (i1 >= 224)
-    return 1;
-
-  /* 255.255.255.255, note we already tested for i1 in this range */
-  if (i2 == 255 && i3 == 255 && i4 == 255)
-    return 1;
-
-  return 0;
-
-}
-
-char *grab_next_host_spec(FILE *inputfd, int argc, char **fakeargv) {
-  static char host_spec[1024];
-  unsigned int host_spec_index;
-  int ch;
-  struct in_addr ip;
-
-  if (o.generate_random_ips) {
-    do {
-      ip.s_addr = get_random_u32();
-    } while (ip_is_reserved(&ip));
-    Strncpy(host_spec, inet_ntoa(ip), sizeof(host_spec));
-  } else if (!inputfd) {
-    return( (optind < argc)?  fakeargv[optind++] : NULL);
-  } else { 
-    host_spec_index = 0;
-    while((ch = getc(inputfd)) != EOF) {
-      if (ch == ' ' || ch == '\r' || ch == '\n' || ch == '\t' || ch == '\0') {
-	if (host_spec_index == 0) continue;
-	host_spec[host_spec_index] = '\0';
-	return host_spec;
-      } else if (host_spec_index < sizeof(host_spec) / sizeof(char) -1) {
-	host_spec[host_spec_index++] = (char) ch;
-      } else fatal("One of the host_specifications from your input file is too long (> %d chars)", (int) sizeof(host_spec));
-    }
-    host_spec[host_spec_index] = '\0';
-  }
-  if (!*host_spec) return NULL;
-  return host_spec;
-}
 
 /* Just a routine for obtaining a string for printing based on the scantype */
 char *scantype2str(stype scantype) {
@@ -2147,6 +2148,13 @@ void sigdie(int signo) {
   exit(1);
 }
 
+static int fileexistsandisreadable(char *pathname) {
+  FILE *fp;
+  /* We check this the easy way! */
+  fp = fopen(pathname, "r");
+  if (fp) fclose(fp);
+  return (fp == NULL)? 0 : 1;
+}
 
 int nmap_fetchfile(char *filename_returned, int bufferlen, char *file) {
   char *dirptr;
@@ -2260,11 +2268,4 @@ int nmap_fetchfile(char *filename_returned, int bufferlen, char *file) {
 
 }
 
-int fileexistsandisreadable(char *pathname) {
-  FILE *fp;
-  /* We check this the easy way! */
-  fp = fopen(pathname, "r");
-  if (fp) fclose(fp);
-  return (fp == NULL)? 0 : 1;
-}
 
diff --git a/nmap.h b/nmap.h
index e4b8025d6..e9bd2ce49 100644
--- a/nmap.h
+++ b/nmap.h
@@ -426,8 +426,6 @@ void *realloc();
 
 /***********************PROTOTYPES**********************************/
 
-/* print usage information and exit */
-void printusage(char *name, int rc);
 /* print Interactive usage information */
 void printinteractiveusage();
 
@@ -454,7 +452,6 @@ int listen_icmp(int icmpsock, unsigned short outports[],
 int nmap_main(int argc, char *argv[]);
 
 /* general helper functions */
-char *grab_next_host_spec(FILE *inputfd, int argc, char **fakeargv);
 int parse_targets(struct targets *targets, char *h);
 char *statenum2str(int state);
 char *scantype2str(stype scantype);
@@ -469,7 +466,6 @@ char *tsseqclass2ascii(int seqclass);
    into a difficulty string like "Worthy Challenge */
 const char *seqidx2difficultystr(unsigned long idx);
 int nmap_fetchfile(char *filename_returned, int bufferlen, char *file);
-int fileexistsandisreadable(char *pathname);
 int gather_logfile_resumption_state(char *fname, int *myargc, char ***myargv);
 
 /* From glibc 2.0.6 because Solaris doesn't seem to have this function */
diff --git a/nmap_dns.cc b/nmap_dns.cc
index c76902897..6bcd33c88 100644
--- a/nmap_dns.cc
+++ b/nmap_dns.cc
@@ -199,7 +199,7 @@ extern NmapOps o;
 
 // In milliseconds
 // Each row MUST be terminated with -1
-int read_timeouts[][4] = {
+static int read_timeouts[][4] = {
   { 4000, 4000, 5000, -1 }, // 1 server
   { 2500, 4000,   -1, -1 }, // 2 servers
   { 2500, 3000,   -1, -1 }, // 3+ servers
@@ -275,7 +275,6 @@ static std::list<request *> cname_reqs;
 static int total_reqs;
 static nsock_pool dnspool=NULL;
 
-static int etchosts_filled=0;
 static std::list<host_elem *> etchosts[HASH_TABLE_SIZE];
 
 static int stat_actual, stat_ok, stat_nx, stat_sf, stat_trans, stat_dropped, stat_cname;
@@ -288,10 +287,7 @@ static ScanProgressMeter *SPM;
 
 //------------------- Prototypes and macros ---------------------
 
-void close_dns_servers();
-void write_evt_handler(nsock_pool nsp, nsock_event evt, void *req_v);
-void do_possible_writes();
-int deal_with_timedout_reads();
+void put_dns_packet_on_wire(request *req);
 
 #define ACTION_FINISHED 0
 #define ACTION_CNAME_LIST 1
@@ -301,7 +297,7 @@ int deal_with_timedout_reads();
 
 //------------------- Misc code --------------------- 
 
-void output_summary() {
+static void output_summary() {
   int tp = stat_ok + stat_nx + stat_dropped;
   struct timeval now;
 
@@ -314,22 +310,206 @@ void output_summary() {
                     (unsigned long) servs.size(), stat_ok, stat_nx, stat_dropped, stat_sf, stat_trans);
 }
 
-
-void check_capacities(dns_server *tpserv) {
+static void check_capacities(dns_server *tpserv) {
   if (tpserv->capacity < CAPACITY_MIN) tpserv->capacity = CAPACITY_MIN;
   if (tpserv->capacity > CAPACITY_MAX) tpserv->capacity = CAPACITY_MAX;
   if (o.debugging >= TRACE_DEBUG_LEVEL) log_write(LOG_STDOUT, "CAPACITY <%s> = %d\n", tpserv->hostname, tpserv->capacity);
 }
 
+// Closes all nsis created in connect_dns_servers()
+static void close_dns_servers() {
+  std::list<dns_server *>::iterator serverI;
+
+  for(serverI = servs.begin(); serverI != servs.end(); serverI++) {
+    if ((*serverI)->connected) {
+      nsi_delete((*serverI)->nsd, NSOCK_PENDING_SILENT);
+      (*serverI)->connected = 0;
+      (*serverI)->to_process.clear();
+      (*serverI)->in_process.clear();
+    }
+  }
+}
 
 
+// Inserts an integer (endian non-specifically) into a DNS packet.
+// Returns number of bytes written
+static int add_integer_to_dns_packet(char *packet, int c) {
+  char tpnum[4];
+  int tplen;
 
-//------------------- Read handling code ---------------------
+  sprintf(tpnum, "%d", c);
+  tplen = strlen(tpnum);
+  packet[0] = (char) tplen;
+  memcpy(packet+1, tpnum, tplen);
+
+  return tplen+1;
+}
+
+// Puts as many packets on the line as capacity will allow
+static void do_possible_writes() {
+  std::list<dns_server *>::iterator servI;
+  dns_server *tpserv;
+  request *tpreq;
+
+  for(servI = servs.begin(); servI != servs.end(); servI++) {
+    tpserv = *servI;
+
+    if (tpserv->write_busy == 0 && tpserv->reqs_on_wire < tpserv->capacity) {
+      tpreq = NULL;
+      if (!tpserv->to_process.empty()) {
+        tpreq = tpserv->to_process.front();
+        tpserv->to_process.pop_front();
+      } else if (!new_reqs.empty()) {
+        tpreq = new_reqs.front();
+        tpreq->first_server = tpreq->curr_server = tpserv;
+        new_reqs.pop_front();
+      }
+
+      if (tpreq) {
+        if (o.debugging >= TRACE_DEBUG_LEVEL) log_write(LOG_STDOUT, "mass_rdns: TRANSMITTING for <%s> (server <%s>)\n", tpreq->targ->targetipstr() , tpserv->hostname);
+        stat_trans++;
+        put_dns_packet_on_wire(tpreq);
+      }
+    }
+  }
+}
+
+// nsock write handler
+static void write_evt_handler(nsock_pool nsp, nsock_event evt, void *req_v) {
+  request *req = (request *) req_v;
+
+  req->curr_server->write_busy = 0;
+  req->curr_server->in_process.push_front(req);
+
+  do_possible_writes();
+}
+
+// Takes a DNS request structure and actually puts it on the wire
+// (calls nsock_write()). Does various other tasks like recording
+// the time for the timeout.
+void put_dns_packet_on_wire(request *req) {
+  char packet[512];
+  int plen=0;
+  u32 ip;
+  struct timeval now, timeout;
+
+  ip = (u32) ntohl(req->targ->v4host().s_addr);
+
+  packet[0] = (req->id >> 8) & 0xFF;
+  packet[1] = req->id & 0xFF;
+  plen += 2;
+
+  memcpy(packet+plen, "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00", 10);
+  plen += 10;
+
+  plen += add_integer_to_dns_packet(packet+plen, ip & 0xFF);
+  plen += add_integer_to_dns_packet(packet+plen, (ip>>8) & 0xFF);
+  plen += add_integer_to_dns_packet(packet+plen, (ip>>16) & 0xFF);
+  plen += add_integer_to_dns_packet(packet+plen, (ip>>24) & 0xFF);
+
+  memcpy(packet+plen, "\x07in-addr\004arpa\x00\x00\x0c\x00\x01", 18);
+  plen += 18;
+
+  req->curr_server->write_busy = 1;
+  req->curr_server->reqs_on_wire++;
+
+  memcpy(&now, nsock_gettimeofday(), sizeof(struct timeval));
+  TIMEVAL_MSEC_ADD(timeout, now, read_timeouts[read_timeout_index][req->tries]);
+  memcpy(&req->timeout, &timeout, sizeof(struct timeval));
+
+  req->tries++;
+
+  nsock_write(dnspool, req->curr_server->nsd, write_evt_handler, WRITE_TIMEOUT, req, packet, plen);
+}
+
+// Processes DNS packets that have timed out
+// Returns time until next read timeout
+static int deal_with_timedout_reads() {
+  std::list<dns_server *>::iterator servI;
+  std::list<dns_server *>::iterator servItemp;
+  std::list<request *>::iterator reqI;
+  std::list<request *>::iterator nextI;
+  dns_server *tpserv;
+  request *tpreq;
+  struct timeval now;
+  int tp, min_timeout = INT_MAX;
+
+  memcpy(&now, nsock_gettimeofday(), sizeof(struct timeval));
+
+  if (keyWasPressed())
+    SPM->printStats((double) (stat_ok + stat_nx + stat_dropped) / stat_actual, &now);
+
+  for(servI = servs.begin(); servI != servs.end(); servI++) {
+    tpserv = *servI;
+
+    nextI = tpserv->in_process.begin();
+    if (nextI == tpserv->in_process.end()) continue;
+
+    do {
+      reqI = nextI++;
+      tpreq = *reqI;
+
+      tp = TIMEVAL_MSEC_SUBTRACT(tpreq->timeout, now);
+      if (tp > 0 && tp < min_timeout) min_timeout = tp;
+
+      if (tp <= 0) {
+        tpserv->capacity = (int) (tpserv->capacity * CAPACITY_MINOR_DOWN_SCALE);
+        check_capacities(tpserv);
+        tpserv->in_process.erase(reqI);
+        tpserv->reqs_on_wire--;
+
+        // If we've tried this server enough times, move to the next one
+        if (read_timeouts[read_timeout_index][tpreq->tries] == -1) {
+          tpserv->capacity = (int) (tpserv->capacity * CAPACITY_MAJOR_DOWN_SCALE);
+          check_capacities(tpserv);
+
+          servItemp = servI;
+          servItemp++;
+
+          if (servItemp == servs.end()) servItemp = servs.begin();
+
+          tpreq->curr_server = *servItemp;
+          tpreq->tries = 0;
+          tpreq->servers_tried++;
+
+          if (tpreq->curr_server == tpreq->first_server || tpreq->servers_tried == SERVERS_TO_TRY) {
+            // Either give up on the IP
+            // or, for maximum reliability, put the server back into processing
+            // Note it's possible that this will never terminate.
+            // FIXME: Find a good compromise
+
+            // **** We've already tried all servers... give up
+            if (o.debugging >= TRACE_DEBUG_LEVEL) log_write(LOG_STDOUT, "mass_rdns: *DR*OPPING <%s>\n", tpreq->targ->targetipstr());
+
+            output_summary();
+            stat_dropped++;
+            total_reqs--;
+            delete tpreq;
+
+            // **** OR We start at the back of this server's queue
+            //(*servItemp)->to_process.push_back(tpreq);
+          } else {
+            (*servItemp)->to_process.push_back(tpreq);
+          }
+        } else {
+          tpserv->to_process.push_back(tpreq);
+        }
+
+    }
+
+    } while (nextI != tpserv->in_process.end());
+
+  }
+
+  if (min_timeout > 500) return 500;
+  else return min_timeout;
+
+}
 
 // After processing a DNS response, we search through the IPs we're
 // looking for and update their results as necessary.
 // Returns non-zero if this matches a query we're looking for
-int process_result(u32 ia, char *result, int action, u16 id) {
+static int process_result(u32 ia, char *result, int action, u16 id) {
   std::list<dns_server *>::iterator servI;
   std::list<request *>::iterator reqI;
   dns_server *tpserv;
@@ -381,7 +561,7 @@ int process_result(u32 ia, char *result, int action, u16 id) {
 // encoded string inside a packet.
 // maxlen is the very maximum length (in total bytes)
 // that should be processed
-u32 parse_inaddr_arpa(unsigned char *buf, int maxlen) {
+static u32 parse_inaddr_arpa(unsigned char *buf, int maxlen) {
   u32 ip=0;
   int i, j;
 
@@ -431,7 +611,7 @@ int encoded_name_to_normal(unsigned char *buf, char *output, int outputsize){
 
 // Takes a pointer to the start of a DNS name inside a packet. It makes
 // sure that there is enough space in the name, deals with compression, etc.
-int advance_past_dns_name(u8 *buf, int buflen, int curbuf, 
+static int advance_past_dns_name(u8 *buf, int buflen, int curbuf, 
 			  int *nameloc) {
   int compression=0;
 
@@ -458,10 +638,9 @@ int advance_past_dns_name(u8 *buf, int buflen, int curbuf,
   else return curbuf+1;
 }
 
-
 // Nsock read handler. One nsock read for each DNS server exists at each
 // time. This function uses various helper functions as defined above.
-void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
+static void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
   u8 *buf;
   int buflen, curbuf=0;
   int i, nameloc, rdlen, atype, aclass;
@@ -592,205 +771,14 @@ void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
 }
 
 
-
-
-//------------------- Write handling code ---------------------
-
-// Inserts an integer (endian non-specifically) into a DNS packet.
-// Returns number of bytes written
-int add_integer_to_dns_packet(char *packet, int c) {
-  char tpnum[4];
-  int tplen;
-
-  sprintf(tpnum, "%d", c);
-  tplen = strlen(tpnum);
-  packet[0] = (char) tplen;
-  memcpy(packet+1, tpnum, tplen);
-
-  return tplen+1;
-}
-
-
-// Takes a DNS request structure and actually puts it on the wire
-// (calls nsock_write()). Does various other tasks like recording
-// the time for the timeout.
-void put_dns_packet_on_wire(request *req) {
-  char packet[512];
-  int plen=0;
-  u32 ip;
-  struct timeval now, timeout;
-
-  ip = (u32) ntohl(req->targ->v4host().s_addr);
-
-  packet[0] = (req->id >> 8) & 0xFF;
-  packet[1] = req->id & 0xFF;
-  plen += 2;
-
-  memcpy(packet+plen, "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00", 10);
-  plen += 10;
-
-  plen += add_integer_to_dns_packet(packet+plen, ip & 0xFF);
-  plen += add_integer_to_dns_packet(packet+plen, (ip>>8) & 0xFF);
-  plen += add_integer_to_dns_packet(packet+plen, (ip>>16) & 0xFF);
-  plen += add_integer_to_dns_packet(packet+plen, (ip>>24) & 0xFF);
-
-  memcpy(packet+plen, "\x07in-addr\004arpa\x00\x00\x0c\x00\x01", 18);
-  plen += 18;
-
-  req->curr_server->write_busy = 1;
-  req->curr_server->reqs_on_wire++;
-
-  memcpy(&now, nsock_gettimeofday(), sizeof(struct timeval));
-  TIMEVAL_MSEC_ADD(timeout, now, read_timeouts[read_timeout_index][req->tries]);
-  memcpy(&req->timeout, &timeout, sizeof(struct timeval));
-
-  req->tries++;
-
-  nsock_write(dnspool, req->curr_server->nsd, write_evt_handler, WRITE_TIMEOUT, req, packet, plen);
-}
-
-
-
-
-// Processes DNS packets that have timed out
-// Returns time until next read timeout
-int deal_with_timedout_reads() {
-  std::list<dns_server *>::iterator servI;
-  std::list<dns_server *>::iterator servItemp;
-  std::list<request *>::iterator reqI;
-  std::list<request *>::iterator nextI;
-  dns_server *tpserv;
-  request *tpreq;
-  struct timeval now;
-  int tp, min_timeout = INT_MAX;
-
-  memcpy(&now, nsock_gettimeofday(), sizeof(struct timeval));
-
-  if (keyWasPressed())
-    SPM->printStats((double) (stat_ok + stat_nx + stat_dropped) / stat_actual, &now);
-
-  for(servI = servs.begin(); servI != servs.end(); servI++) {
-    tpserv = *servI;
-
-    nextI = tpserv->in_process.begin();
-    if (nextI == tpserv->in_process.end()) continue;
-
-    do {
-      reqI = nextI++;
-      tpreq = *reqI;
-
-      tp = TIMEVAL_MSEC_SUBTRACT(tpreq->timeout, now);
-      if (tp > 0 && tp < min_timeout) min_timeout = tp;
-
-      if (tp <= 0) {
-        tpserv->capacity = (int) (tpserv->capacity * CAPACITY_MINOR_DOWN_SCALE);
-        check_capacities(tpserv);
-        tpserv->in_process.erase(reqI);
-        tpserv->reqs_on_wire--;
-
-        // If we've tried this server enough times, move to the next one
-        if (read_timeouts[read_timeout_index][tpreq->tries] == -1) {
-          tpserv->capacity = (int) (tpserv->capacity * CAPACITY_MAJOR_DOWN_SCALE);
-          check_capacities(tpserv);
-
-          servItemp = servI;
-          servItemp++;
-
-          if (servItemp == servs.end()) servItemp = servs.begin();
-
-          tpreq->curr_server = *servItemp;
-          tpreq->tries = 0;
-          tpreq->servers_tried++;
-
-          if (tpreq->curr_server == tpreq->first_server || tpreq->servers_tried == SERVERS_TO_TRY) {
-            // Either give up on the IP
-            // or, for maximum reliability, put the server back into processing
-            // Note it's possible that this will never terminate.
-            // FIXME: Find a good compromise
-
-            // **** We've already tried all servers... give up
-            if (o.debugging >= TRACE_DEBUG_LEVEL) log_write(LOG_STDOUT, "mass_rdns: *DR*OPPING <%s>\n", tpreq->targ->targetipstr());
-
-            output_summary();
-            stat_dropped++;
-            total_reqs--;
-            delete tpreq;
-
-            // **** OR We start at the back of this server's queue
-            //(*servItemp)->to_process.push_back(tpreq);
-          } else {
-            (*servItemp)->to_process.push_back(tpreq);
-          }
-        } else {
-          tpserv->to_process.push_back(tpreq);
-        }
-
-    }
-
-    } while (nextI != tpserv->in_process.end());
-
-  }
-
-  if (min_timeout > 500) return 500;
-  else return min_timeout;
-
-}
-
-
-// Puts as many packets on the line as capacity will allow
-void do_possible_writes() {
-  std::list<dns_server *>::iterator servI;
-  dns_server *tpserv;
-  request *tpreq;
-
-  for(servI = servs.begin(); servI != servs.end(); servI++) {
-    tpserv = *servI;
-
-    if (tpserv->write_busy == 0 && tpserv->reqs_on_wire < tpserv->capacity) {
-      tpreq = NULL;
-      if (!tpserv->to_process.empty()) {
-        tpreq = tpserv->to_process.front();
-        tpserv->to_process.pop_front();
-      } else if (!new_reqs.empty()) {
-        tpreq = new_reqs.front();
-        tpreq->first_server = tpreq->curr_server = tpserv;
-        new_reqs.pop_front();
-      }
-
-      if (tpreq) {
-        if (o.debugging >= TRACE_DEBUG_LEVEL) log_write(LOG_STDOUT, "mass_rdns: TRANSMITTING for <%s> (server <%s>)\n", tpreq->targ->targetipstr() , tpserv->hostname);
-        stat_trans++;
-        put_dns_packet_on_wire(tpreq);
-      }
-    }
-
-  }
-
-}
-
-
-// nsock write handler
-void write_evt_handler(nsock_pool nsp, nsock_event evt, void *req_v) {
-  request *req = (request *) req_v;
-
-  req->curr_server->write_busy = 0;
-  req->curr_server->in_process.push_front(req);
-
-  do_possible_writes();
-}
-  
-
-
-//------------------- DNS Server handling code ---------------------
-
 // nsock connect handler - Empty because it doesn't really need to do anything...
-void connect_evt_handler(nsock_pool nsp, nsock_event evt, void *servers) {
+static void connect_evt_handler(nsock_pool nsp, nsock_event evt, void *servers) {
 }
 
 
 // Adds DNS servers to the dns_server list. They can be separated by
 // commas or spaces - NOTE this doesn't actually do any connecting!
-void add_dns_server(char *ipaddrs) {
+static void add_dns_server(char *ipaddrs) {
   std::list<dns_server *>::iterator servI;
   dns_server *tpserv;
   char *hostname;
@@ -846,21 +834,6 @@ void connect_dns_servers() {
 }
 
 
-// Closes all nsis created in connect_dns_servers()
-void close_dns_servers() {
-  std::list<dns_server *>::iterator serverI;
-
-  for(serverI = servs.begin(); serverI != servs.end(); serverI++) {
-    if ((*serverI)->connected) {
-      nsi_delete((*serverI)->nsd, NSOCK_PENDING_SILENT);
-      (*serverI)->connected = 0;
-      (*serverI)->to_process.clear();
-      (*serverI)->in_process.clear();
-    }
-  }
-
-}
-
 #ifdef WIN32
 void win32_read_registry(char *controlset) {
   HKEY hKey;
@@ -921,7 +894,7 @@ void win32_read_registry(char *controlset) {
 
 // Parses /etc/resolv.conf (unix) or the registry (win32) and adds
 // all the nameservers found via the add_dns_server() function.
-void parse_resolvdotconf() {
+static void parse_resolvdotconf() {
 
 #ifndef WIN32
 
@@ -956,7 +929,7 @@ void parse_resolvdotconf() {
 }
 
 
-void parse_etchosts(char *fname) {
+static void parse_etchosts(char *fname) {
   FILE *fp;
   char buf[2048], hname[256], ipaddrstr[16], *tp;
   struct in_addr ia;
@@ -990,7 +963,7 @@ void parse_etchosts(char *fname) {
 }
 
 
-char *lookup_etchosts(u32 ip) {
+static char *lookup_etchosts(u32 ip) {
   std::list<host_elem *>::iterator hostI;
   host_elem *tpelem;
 
@@ -1003,13 +976,41 @@ char *lookup_etchosts(u32 ip) {
 }
 
 
+static void etchosts_init(void) {
+  static int initialized = 0;
+  if (initialized) return;
+  initialized = 1;
+
+#ifdef WIN32
+  char windows_dir[1024];
+  char tpbuf[2048];
+  int has_backslash;
+
+  if (!GetWindowsDirectory(windows_dir, sizeof(windows_dir)))
+    fatal("Failed to determine your windows directory");
+
+  // If it has a backslash it's C:\, otherwise something like C:\WINNT
+  has_backslash = (windows_dir[strlen(windows_dir)-1] == '\\');
+
+  // Windows 95/98/Me:
+  snprintf(tpbuf, sizeof(tpbuf), "%s%shosts", windows_dir, has_backslash ? "" : "\\");
+  parse_etchosts(tpbuf);
+
+  // Windows NT/2000/XP/2K3:
+  snprintf(tpbuf, sizeof(tpbuf), "%s%ssystem32\\drivers\\etc\\hosts", windows_dir, has_backslash ? "" : "\\");
+  parse_etchosts(tpbuf);
+
+#else
+  parse_etchosts("/etc/hosts");
+#endif
+}
 
 
 //------------------- Main loops ---------------------
 
 
 // Actual main loop
-void nmap_mass_rdns_core(Target **targets, int num_targets) {
+static void nmap_mass_rdns_core(Target **targets, int num_targets) {
 
   Target **hostI;
   std::list<request *>::iterator reqI;
@@ -1066,32 +1067,7 @@ void nmap_mass_rdns_core(Target **targets, int num_targets) {
 
 
   // If necessary, set up the /etc/hosts hashtable
-  if (etchosts_filled == 0) {
-    #ifdef WIN32
-    char windows_dir[1024];
-    char tpbuf[2048];
-    int has_backslash;
-
-    if (!GetWindowsDirectory(windows_dir, sizeof(windows_dir)))
-      fatal("Failed to determine your windows directory");
-
-    // If it has a backslash it's C:\, otherwise something like C:\WINNT
-    has_backslash = (windows_dir[strlen(windows_dir)-1] == '\\');
-
-    // Windows 95/98/Me:
-    snprintf(tpbuf, sizeof(tpbuf), "%s%shosts", windows_dir, has_backslash ? "" : "\\");
-    parse_etchosts(tpbuf);
-
-    // Windows NT/2000/XP/2K3:
-    snprintf(tpbuf, sizeof(tpbuf), "%s%ssystem32\\drivers\\etc\\hosts", windows_dir, has_backslash ? "" : "\\");
-    parse_etchosts(tpbuf);
-
-    #else
-    parse_etchosts("/etc/hosts");
-    #endif
-
-    etchosts_filled = 1;
-  }
+  etchosts_init();
 
 
   total_reqs = 0;
diff --git a/nmap_rpc.cc b/nmap_rpc.cc
index 3241b3710..8ff57c521 100644
--- a/nmap_rpc.cc
+++ b/nmap_rpc.cc
@@ -106,7 +106,6 @@
 #include "NmapOps.h"
 
 extern NmapOps o;
-static int services_initialized = 0;
 static struct rpc_info ri;
 static int udp_rpc_socket = -1;
 static int tcp_rpc_socket = -1;
@@ -119,13 +118,16 @@ static size_t tcp_readlen=0; /* used in get_rpc_results but can be reset in
 			    send_rpc_query */
 
 static void rpc_services_init() {
+  static int services_initialized = 0;
+  if (services_initialized) return;
+  services_initialized = 1;
+
   char filename[512];
   FILE *fp;
   char *tmpptr, *p;
   char line[1024];
   int lineno = 0;
 
-  services_initialized = 1;
   ri.num_alloc = 256;
   ri.num_used = 0;
   ri.names = (char **) cp_alloc(ri.num_alloc * sizeof(char *));
@@ -182,9 +184,7 @@ static void rpc_services_init() {
 char *nmap_getrpcnamebynum(unsigned long num) {
   int i;
 
-  if (!services_initialized) {
-    rpc_services_init();
-  }
+  rpc_services_init();
 
   for(i=0; i < ri.num_used; i++) {
     if (ri.numbers[i] == num)
@@ -194,9 +194,7 @@ char *nmap_getrpcnamebynum(unsigned long num) {
 }
 
 int get_rpc_procs(unsigned long **programs, unsigned long *num_programs) {
-  if (!services_initialized) {
-    rpc_services_init();
-  }
+  rpc_services_init();
   
   *programs = ri.numbers;
   *num_programs = ri.num_used;
@@ -332,7 +330,7 @@ int send_rpc_query(const struct in_addr *target_host, unsigned short portno,
   return 0;
 }
 
-int rpc_are_we_done(char *msg, int msg_len, Target *target, 
+static int rpc_are_we_done(char *msg, int msg_len, Target *target, 
 		    struct portinfo *scan, struct scanstats *ss, 
 		    struct portinfolist *pil, struct rpcscaninfo *rsi) {
 
diff --git a/osscan.cc b/osscan.cc
index e4831814f..ba9248c6b 100644
--- a/osscan.cc
+++ b/osscan.cc
@@ -121,7 +121,7 @@ extern NmapOps o;
 
 /* Note that a sport of 0 really will (try to) use zero as the source
    port rather than choosing a random one */
-struct udpprobeinfo *send_closedudp_probe(int sd, struct eth_nfo *eth,
+static struct udpprobeinfo *send_closedudp_probe(int sd, struct eth_nfo *eth,
 					  const struct in_addr *victim,
 					  u16 sport, u16 dport) {
 
@@ -216,10 +216,6 @@ for(decoy=0; decoy < o.numdecoys; decoy++) {
     upi.patternbyte = patternbyte;
     upi.target.s_addr = ip->ip_dst.s_addr;
   }
-  if (TCPIP_DEBUGGING > 1) {
-    log_write(LOG_STDOUT, "Raw UDP packet creation completed!  Here it is:\n");
-    readudppacket(packet,1);
-  }
   
   if ((res = send_ip_packet(sd, eth, packet, ntohs(ip->ip_len))) == -1)
     {
@@ -231,652 +227,7 @@ for(decoy=0; decoy < o.numdecoys; decoy++) {
 return &upi;
 }
 
-
-FingerPrint *get_fingerprint(Target *target, struct seq_info *si) {
-FingerPrint *FP = NULL, *FPtmp = NULL;
-FingerPrint *FPtests[9];
-struct AVal *seq_AVs;
-u16 lastipid=0; /* For catching duplicate packets */
-int last;
-u32 timestamp = 0; /* TCP timestamp we receive back */
-struct ip *ip;
-struct tcphdr *tcp;
-struct icmp *icmp;
-struct timeval t1,t2;
-int i;
-pcap_t *pd = NULL;
-int rawsd;
-int tries = 0;
-int newcatches;
-int current_port = 0;
-int testsleft;
-int testno;
-int  timeout;
-int avnum;
-unsigned int sequence_base;
-unsigned long openport;
-unsigned int bytes;
-unsigned int closedport = 31337;
-Port *tport = NULL;
-char filter[512];
-double seq_inc_sum = 0;
-unsigned int  seq_avg_inc = 0;
-struct udpprobeinfo *upi = NULL;
-u32 seq_gcd = 1;
-u32 seq_diffs[NUM_SEQ_SAMPLES];
-u32 ts_diffs[NUM_SEQ_SAMPLES];
-unsigned long time_usec_diffs[NUM_SEQ_SAMPLES];
-struct timeval seq_send_times[NUM_SEQ_SAMPLES];
-int ossofttimeout, oshardtimeout;
-int seq_packets_sent = 0;
-int seq_response_num; /* response # for sequencing */
-double avg_ts_hz = 0.0; /* Avg. amount that timestamps incr. each second */
-struct link_header linkhdr;
-struct eth_nfo eth;
-struct eth_nfo *ethptr; // for passing to send_ functions 
-
-if (target->timedOut(NULL))
-  return NULL;
-
-/* The seqs must start out as zero for the si struct */
-memset(si->seqs, 0, sizeof(si->seqs));
-si->ipid_seqclass = IPID_SEQ_UNKNOWN;
-si->ts_seqclass = TS_SEQ_UNKNOWN;
-si->lastboot = 0;
-
-/* Init our fingerprint tests to each be NULL */
-memset(FPtests, 0, sizeof(FPtests)); 
-get_random_bytes(&sequence_base, sizeof(unsigned int));
- if ((o.sendpref & PACKET_SEND_ETH) &&  target->ifType() == devt_ethernet) {
-   memcpy(eth.srcmac, target->SrcMACAddress(), 6);
-   memcpy(eth.dstmac, target->NextHopMACAddress(), 6);
-   eth.ethsd = eth_open(target->deviceName());
-   if (eth.ethsd == NULL)
-     fatal("%s: Failed to open ethernet device (%s)", __FUNCTION__, target->deviceName());
-
-   rawsd = -1;
-   ethptr = &eth;
-  } else {
-    /* Init our raw socket */
-    if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
-      pfatal("socket troubles in get_fingerprint");
-    unblock_socket(rawsd);
-    broadcast_socket(rawsd);
-#ifndef WIN32
-    sethdrinclude(rawsd);
-#endif
-    ethptr = NULL;
-    eth.ethsd = NULL;
-  }
-
- /* Now for the pcap opening nonsense ... */
- /* Note that the snaplen is 152 = 64 byte max IPhdr + 24 byte max link_layer
-  * header + 64 byte max TCP header.  Had to up it for UDP test
-  */
-
-ossofttimeout = MAX(200000, target->to.timeout);
-oshardtimeout = MAX(500000, 5 * target->to.timeout);
-
- pd = my_pcap_open_live(target->deviceName(), /*650*/ 8192,  (o.spoofsource)? 1 : 0, (ossofttimeout + 500)/ 1000);
-
-if (o.debugging > 1)
-   log_write(LOG_STDOUT, "Wait time is %dms\n", (ossofttimeout +500)/1000);
-
-snprintf(filter, sizeof(filter), "dst host %s and (icmp or (tcp and src host %s))", inet_ntoa(target->v4source()), target->targetipstr());
- 
- set_pcap_filter(target->deviceName(), pd, filter);
- target->osscan_performed = 1; /* Let Nmap know that we did try an OS scan */
-
- /* Lets find an open port to use */
- openport = (unsigned long) -1;
- target->FPR->osscan_opentcpport = -1;
- target->FPR->osscan_closedtcpport = -1;
- tport = NULL;
- if ((tport = target->ports.nextPort(NULL, IPPROTO_TCP, PORT_OPEN, false))) {
-   openport = tport->portno;
-   target->FPR->osscan_opentcpport = tport->portno;
- }
- 
- /* Now we should find a closed port */
- if ((tport = target->ports.nextPort(NULL, IPPROTO_TCP, PORT_CLOSED, false))) {
-   closedport = tport->portno;
-   target->FPR->osscan_closedtcpport = tport->portno;
- } else if ((tport = target->ports.nextPort(NULL, IPPROTO_TCP, PORT_UNFILTERED, false))) {
-   /* Well, we will settle for unfiltered */
-   closedport = tport->portno;
- } else {
-   closedport = (get_random_uint() % 14781) + 30000;
- }
-
-if (o.verbose && openport != (unsigned long) -1)
-  log_write(LOG_STDOUT, "For OSScan assuming port %lu is open, %d is closed, and neither are firewalled\n", openport, closedport);
-
- current_port = o.magic_port + NUM_SEQ_SAMPLES +1;
- 
- /* Now lets do the NULL packet technique */
- testsleft = (openport == (unsigned long) -1)? 4 : 8;
- FPtmp = NULL;
- tries = 0;
- do { 
-   newcatches = 0;
-   if (openport != (unsigned long) -1) {   
-     /* Test 1 */
-     if (!FPtests[1]) {     
-       if (o.scan_delay) enforce_scan_delay(NULL);
-       send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
-			   current_port, openport, sequence_base, 0, 
-			   TH_ECE|TH_SYN, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
-     }
-     
-     /* Test 2 */
-     if (!FPtests[2]) {     
-       if (o.scan_delay) enforce_scan_delay(NULL);
-       send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
-			   current_port +1, 
-			   openport, sequence_base, 0,0, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
-     }
-
-     /* Test 3 */
-     if (!FPtests[3]) {     
-       if (o.scan_delay) enforce_scan_delay(NULL);
-       send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, current_port +2, 
-			   openport, sequence_base, 0,TH_SYN|TH_FIN|TH_URG|TH_PUSH, 0,(u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
-     }
-
-     /* Test 4 */
-     if (!FPtests[4]) {     
-       if (o.scan_delay) enforce_scan_delay(NULL);
-       send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
-			   current_port +3, 
-			   openport, sequence_base, 0,TH_ACK, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
-     }
-   }
-   
-   /* Test 5 */
-   if (!FPtests[5]) {   
-     if (o.scan_delay) enforce_scan_delay(NULL);
-     send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
-			 current_port +4,
-			 closedport, sequence_base, 0,TH_SYN, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
-   }
-
-     /* Test 6 */
-   if (!FPtests[6]) {   
-     if (o.scan_delay) enforce_scan_delay(NULL);
-     send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
-			 current_port +5, 
-			 closedport, sequence_base, 0,TH_ACK, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
-   }
-
-     /* Test 7 */
-   if (!FPtests[7]) {
-     if (o.scan_delay) enforce_scan_delay(NULL);   
-     send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
-			 current_port +6, 
-			 closedport, sequence_base, 0,TH_FIN|TH_PUSH|TH_URG, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
-   }
-
-   /* Test 8 */
-   if (!FPtests[8]) {
-     if (o.scan_delay) enforce_scan_delay(NULL);
-     upi = send_closedudp_probe(rawsd, ethptr, target->v4hostip(), o.magic_port, closedport);
-   }
-   gettimeofday(&t1, NULL);
-   timeout = 0;
-
-   /* Insure we haven't overrun our allotted time ... */
-   if (target->timedOut(&t1))
-     goto osscan_timedout;
-
-   while(( ip = (struct ip*) readip_pcap(pd, &bytes, oshardtimeout, NULL, &linkhdr)) && !timeout) {
-     gettimeofday(&t2, NULL);
-     if (TIMEVAL_SUBTRACT(t2,t1) > oshardtimeout) {
-       timeout = 1;
-     }
-
-     if (target->timedOut(&t2))
-       goto osscan_timedout;
-
-     if (bytes < (4 * ip->ip_hl) + 4U || bytes < 20)
-       continue;
-     setTargetMACIfAvailable(target, &linkhdr, ip, 0);
-     if (ip->ip_p == IPPROTO_TCP) {
-       tcp = ((struct tcphdr *) (((char *) ip) + 4 * ip->ip_hl));
-       testno = ntohs(tcp->th_dport) - current_port + 1;
-       if (testno <= 0 || testno > 7)
-	 continue;
-       if (o.debugging > 1)
-	 log_write(LOG_STDOUT, "Got packet for test number %d\n", testno);
-       if (FPtests[testno]) continue;
-       testsleft--;
-       newcatches++;
-       FPtests[testno] = (FingerPrint *) safe_zalloc(sizeof(FingerPrint));
-       FPtests[testno]->results = fingerprint_iptcppacket(ip, 265, sequence_base);
-       FPtests[testno]->name = (testno == 1)? "T1" : (testno == 2)? "T2" : (testno == 3)? "T3" : (testno == 4)? "T4" : (testno == 5)? "T5" : (testno == 6)? "T6" : (testno == 7)? "T7" : "PU";
-     } else if (ip->ip_p == IPPROTO_ICMP) {
-       icmp = ((struct icmp *)  (((char *) ip) + 4 * ip->ip_hl));
-       /* It must be a destination port unreachable */
-       if (icmp->icmp_type != 3 || icmp->icmp_code != 3) {
-	 /* This ain't no stinking port unreachable! */
-	 continue;
-       }
-       if (bytes < (unsigned int) ntohs(ip->ip_len)) {
-	 error("We only got %d bytes out of %d on our ICMP port unreachable packet, skipping", bytes, ntohs(ip->ip_len));
-	 continue;
-       }
-       if (FPtests[8]) continue;
-       FPtests[8] = (FingerPrint *) safe_zalloc(sizeof(FingerPrint));
-       FPtests[8]->results = fingerprint_portunreach(ip, upi);
-       if (FPtests[8]->results) {       
-	 FPtests[8]->name = "PU";
-	 testsleft--;
-	 newcatches++;
-       } else {
-	 free(FPtests[8]);
-	 FPtests[8] = NULL;
-       }
-     }
-    if (testsleft == 0)
-      break;
-   }     
- } while ( testsleft > 0 && (tries++ < 5 && (newcatches || tries == 1)));
-
- si->responses = 0;
- timeout = 0; 
- gettimeofday(&t1,NULL);
- /* Next we send our initial NUM_SEQ_SAMPLES SYN packets  */
- if (openport != (unsigned long) -1) {
-   seq_packets_sent = 0;
-   while (seq_packets_sent < NUM_SEQ_SAMPLES) {
-     if (o.scan_delay) enforce_scan_delay(NULL);
-     if (seq_packets_sent > 0) {
-       gettimeofday(&t1, NULL);
-       int remaining_us = 110000 - TIMEVAL_SUBTRACT(t1, seq_send_times[seq_packets_sent - 1]);
-       if (remaining_us > 0) {
-	 /* Need to spend at least .5 seconds in sending all packets to
-	    reliably detect 2HZ timestamp sequencing */
-	 usleep(remaining_us);
-       }
-     }
-     send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
-			 o.magic_port + seq_packets_sent + 1, 
-			 openport, 
-			 sequence_base + seq_packets_sent + 1, 0, 
-			 TH_SYN, 0 , (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
-     gettimeofday(&seq_send_times[seq_packets_sent], NULL);
-     t1 = seq_send_times[seq_packets_sent];
-     seq_packets_sent++;
-   
-     /* Now we collect the replies */
-     while(si->responses < seq_packets_sent && !timeout) {
-       
-       if (seq_packets_sent == NUM_SEQ_SAMPLES)
-	 ip = (struct ip*) readip_pcap(pd, &bytes, oshardtimeout, NULL, &linkhdr);
-       else ip = (struct ip*) readip_pcap(pd, &bytes, 10, NULL, &linkhdr);
-       
-       gettimeofday(&t2, NULL);
-       /*     error("DEBUG: got a response (len=%d):\n", bytes);  */
-       /*     lamont_hdump((unsigned char *) ip, bytes); */
-       /* Insure we haven't overrun our allotted time ... */
-       if (target->timedOut(&t2))
-	 goto osscan_timedout;
-
-       if (!ip) { 
-	 if (seq_packets_sent < NUM_SEQ_SAMPLES)
-	   break;
-	 if (TIMEVAL_SUBTRACT(t2,t1) > ossofttimeout)
-	   timeout = 1;
-	 continue; 
-       } else if (TIMEVAL_SUBTRACT(t2,t1) > oshardtimeout) {
-	 timeout = 1;
-       }		  
-       if (lastipid != 0 && ip->ip_id == lastipid) {
-	 /* Probably a duplicate -- this happens sometimes when scanning localhost */
-	 continue;
-       }
-       lastipid = ip->ip_id;
-
-       if (bytes < (4 * ip->ip_hl) + 4U || bytes < 20)
-	 continue;
-       setTargetMACIfAvailable(target, &linkhdr, ip, 0);
-       if (ip->ip_p == IPPROTO_TCP) {
-	 /*       readtcppacket((char *) ip, ntohs(ip->ip_len));  */
-	 tcp = ((struct tcphdr *) (((char *) ip) + 4 * ip->ip_hl));
-	 if (ntohs(tcp->th_dport) < o.magic_port || 
-	     ntohs(tcp->th_dport) - o.magic_port > NUM_SEQ_SAMPLES || 
-	     ntohs(tcp->th_sport) != openport) {
-	   continue;
-	 }
-	 if ((tcp->th_flags & TH_RST)) {
-	   /*	 readtcppacket((char *) ip, ntohs(ip->ip_len));*/	 
-	   if (si->responses == 0) {	 
-	     fprintf(stderr, "WARNING:  RST from port %lu -- is this port really open?\n", openport);
-	     /* We used to quit in this case, but left-overs from a SYN
-		scan or lame-ass TCP wrappers can cause this! */
-	   } 
-	   continue;
-	 } else if ((tcp->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) {
-	   /*	error("DEBUG: response is SYN|ACK to port %hu\n", ntohs(tcp->th_dport)); */
-	   /*readtcppacket((char *)ip, ntohs(ip->ip_len));*/
-	   /* We use the ACK value to match up our sent with rcv'd packets */
-	   seq_response_num = (ntohl(tcp->th_ack) - 2 - 
-			       sequence_base); 
-	   if (seq_response_num < 0 || seq_response_num >= seq_packets_sent) {
-	     /* BzzT! Value out of range */
-	     if (o.debugging) {
-	       error("Unable to associate os scan response with sent packet (received ack: %lX; sequence base: %lX. Packet:", (unsigned long) ntohl(tcp->th_ack), (unsigned long) sequence_base);
-	       readtcppacket((unsigned char *)ip,ntohs(ip->ip_len));
-	     }
-	     seq_response_num = si->responses;
-	   }
-	   if (si->seqs[seq_response_num] == 0) {
-	     /* New response found! */
-	     si->responses++;
-	     si->seqs[seq_response_num] = ntohl(tcp->th_seq); /* TCP ISN */
-	     si->ipids[seq_response_num] = ntohs(ip->ip_id);
-	     if ((gettcpopt_ts(tcp, &timestamp, NULL) == 0))
-	       si->ts_seqclass = TS_SEQ_UNSUPPORTED;
-	     else {
-	       if (timestamp == 0) {
-		 si->ts_seqclass = TS_SEQ_ZERO;
-	       }
-	     }
-	     si->timestamps[seq_response_num] = timestamp;
-	     /*           printf("Response #%d -- ipid=%hu ts=%i\n", seq_response_num, ntohs(ip->ip_id), timestamp); */
-	     if (si->responses > 1) {
-	       seq_diffs[si->responses-2] = MOD_DIFF(ntohl(tcp->th_seq), si->seqs[si->responses-2]);
-	     }
-	   }
-	 }
-       }
-     }
-   }
-
-   /* Now we make sure there are no gaps in our response array ... */
-   for(i=0, si->responses=0; i < seq_packets_sent; i++) {
-     if (si->seqs[i] != 0) /* We found a good one */ {
-       if (si->responses < i) {
-	 si->seqs[si->responses] = si->seqs[i];
-	 si->ipids[si->responses] = si->ipids[i];
-	 si->timestamps[si->responses] = si->timestamps[i];
-	 seq_send_times[si->responses] = seq_send_times[i];
-       }
-       if (si->responses > 0) {
-	 seq_diffs[si->responses - 1] = MOD_DIFF(si->seqs[si->responses], si->seqs[si->responses - 1]);
-	 ts_diffs[si->responses - 1] = MOD_DIFF(si->timestamps[si->responses], si->timestamps[si->responses - 1]);
-	 time_usec_diffs[si->responses - 1] = TIMEVAL_SUBTRACT(seq_send_times[si->responses], seq_send_times[si->responses - 1]);
-	 if (!time_usec_diffs[si->responses - 1]) time_usec_diffs[si->responses - 1]++; /* We divide by this later */
-	 /*	 printf("MOD_DIFF_USHORT(%hu, %hu) == %hu\n", si->ipids[si->responses], si->ipids[si->responses - 1], MOD_DIFF_USHORT(si->ipids[si->responses], si->ipids[si->responses - 1])); */
-       }
-
-       si->responses++;
-     } /* Otherwise nothing good in this slot to copy */
-   }
-     
-
-   si->ipid_seqclass = ipid_sequence(si->responses, si->ipids, 
-				     islocalhost(target->v4hostip()));
-
-   /* Now we look at TCP Timestamp sequence prediction */
-   /* Battle plan:
-      1) Compute average increments per second, and variance in incr. per second 
-      2) If any are 0, set to constant
-      3) If variance is high, set to random incr. [ skip for now ]
-      4) if ~10/second, set to appropriate thing
-      5) Same with ~100/sec
-   */
-   if (si->ts_seqclass == TS_SEQ_UNKNOWN && si->responses >= 2) {
-     avg_ts_hz = 0.0;
-     for(i=0; i < si->responses - 1; i++) {
-       double dhz;
-
-       dhz = (double) ts_diffs[i] / (time_usec_diffs[i] / 1000000.0);
-       /*       printf("ts incremented by %d in %li usec -- %fHZ\n", ts_diffs[i], time_usec_diffs[i], dhz); */
-       avg_ts_hz += dhz / ( si->responses - 1);
-     }
-
-     if (o.debugging)
-       printf("The avg TCP TS HZ is: %f\n", avg_ts_hz);
-     
-     if (avg_ts_hz > 0 && avg_ts_hz < 3.9) { /* relatively wide range because sampling time so short and frequency so slow */
-       si->ts_seqclass = TS_SEQ_2HZ;
-       si->lastboot = seq_send_times[0].tv_sec - (si->timestamps[0] / 2); 
-     }
-     else if (avg_ts_hz > 85 && avg_ts_hz < 115) {
-       si->ts_seqclass = TS_SEQ_100HZ;
-       si->lastboot = seq_send_times[0].tv_sec - (si->timestamps[0] / 100); 
-     }
-     else if (avg_ts_hz > 900 && avg_ts_hz < 1100) {
-       si->ts_seqclass = TS_SEQ_1000HZ;
-       si->lastboot = seq_send_times[0].tv_sec - (si->timestamps[0] / 1000); 
-     }
-     if (si->lastboot && (seq_send_times[0].tv_sec - si->lastboot > 63072000))
-       {
-	 /* Up 2 years?  Perhaps, but they're probably lying. */
-	 if (o.debugging) {
-	   error("Ignoring claimed uptime of %lu days", 
-		 (seq_send_times[0].tv_sec - si->lastboot) / 86400);
-	 }
-	 si->lastboot = 0;
-       }
-   }
-   
-   /* Time to look at the TCP ISN predictability */
-   if (si->responses >= 4 && o.scan_delay <= 1000) {
-     seq_gcd = gcd_n_uint(si->responses -1, seq_diffs);
-     /*     printf("The GCD is %u\n", seq_gcd);*/
-     if (seq_gcd) {     
-       for(i=0; i < si->responses - 1; i++)
-	 seq_diffs[i] /= seq_gcd;
-       for(i=0; i < si->responses - 1; i++) {     
-	 if (MOD_DIFF(si->seqs[i+1],si->seqs[i]) > 50000000) {
-	   si->seqclass = SEQ_TR;
-	   si->index = 9999999;
-	   /*	 printf("Target is a TR box\n");*/
-	   break;
-	 }	
-	 seq_avg_inc += seq_diffs[i];
-       }
-     }
-     if (seq_gcd == 0) {
-       si->seqclass = SEQ_CONSTANT;
-       si->index = 0;
-     } else if (seq_gcd % 64000 == 0) {
-       si->seqclass = SEQ_64K;
-       /*       printf("Target is a 64K box\n");*/
-       si->index = 1;
-     } else if (seq_gcd % 800 == 0) {
-       si->seqclass = SEQ_i800;
-       /*       printf("Target is a i800 box\n");*/
-       si->index = 10;
-     } else if (si->seqclass == SEQ_UNKNOWN) {
-       seq_avg_inc = (unsigned int) ((0.5) + seq_avg_inc / (si->responses - 1));
-       /*       printf("seq_avg_inc=%u\n", seq_avg_inc);*/
-       for(i=0; i < si->responses -1; i++)       {     
-
-	 /*	 printf("The difference is %u\n", seq_diffs[i]);
-		 printf("Adding %u^2=%e", MOD_DIFF(seq_diffs[i], seq_avg_inc), pow(MOD_DIFF(seq_diffs[i], seq_avg_inc), 2));*/
-	 /* pow() seems F#@!#$!ed up on some Linux systems so I will
-	    not use it for now 
-  	    seq_inc_sum += pow(MOD_DIFF(seq_diffs[i], seq_avg_inc), 2);
-	 */	 
-	 
-	 seq_inc_sum += ((double)(MOD_DIFF(seq_diffs[i], seq_avg_inc)) * ((double)MOD_DIFF(seq_diffs[i], seq_avg_inc)));
-	 /*	 seq_inc_sum += pow(MOD_DIFF(seq_diffs[i], seq_avg_inc), 2);*/
-
-       }
-       /*       printf("The sequence sum is %e\n", seq_inc_sum);*/
-       seq_inc_sum /= (si->responses - 1);
-
-       /* Some versions of Linux libc seem to have broken pow ... so we
-	  avoid it */
-#ifdef LINUX       
-       si->index = (unsigned int) (0.5 + sqrt(seq_inc_sum));
-#else
-       si->index = (unsigned int) (0.5 + pow(seq_inc_sum, 0.5));
-#endif
-
-       /*       printf("The sequence index is %d\n", si->index);*/
-       if (si->index < 75) {
-	 si->seqclass = SEQ_TD;
-	 /*	 printf("Target is a Micro$oft style time dependant box\n");*/
-       }
-       else {
-	 si->seqclass = SEQ_RI;
-	 /*	 printf("Target is a random incremental box\n");*/
-       }
-     }
-     FPtests[0] = (FingerPrint *) safe_zalloc(sizeof(FingerPrint));
-     FPtests[0]->name = "TSeq";
-     seq_AVs = (struct AVal *) safe_zalloc(sizeof(struct AVal) * 5);
-     FPtests[0]->results = seq_AVs;
-     avnum = 0;
-     seq_AVs[avnum].attribute = "Class";
-     switch(si->seqclass) {
-     case SEQ_CONSTANT:
-       strcpy(seq_AVs[avnum].value, "C");
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute= "Val";     
-       sprintf(seq_AVs[avnum].value, "%X", si->seqs[0]);
-       break;
-     case SEQ_64K:
-       strcpy(seq_AVs[avnum].value, "64K");      
-       break;
-     case SEQ_i800:
-       strcpy(seq_AVs[avnum].value, "i800");
-       break;
-     case SEQ_TD:
-       strcpy(seq_AVs[avnum].value, "TD");
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute= "gcd";     
-       sprintf(seq_AVs[avnum].value, "%X", seq_gcd);
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute="SI";
-       sprintf(seq_AVs[avnum].value, "%X", si->index);
-       break;
-     case SEQ_RI:
-       strcpy(seq_AVs[avnum].value, "RI");
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute= "gcd";     
-       sprintf(seq_AVs[avnum].value, "%X", seq_gcd);
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute="SI";
-       sprintf(seq_AVs[avnum].value, "%X", si->index);
-       break;
-     case SEQ_TR:
-       strcpy(seq_AVs[avnum].value, "TR");
-       break;
-     }
-
-     /* IP ID Class */
-     switch(si->ipid_seqclass) {
-     case IPID_SEQ_CONSTANT:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "IPID";
-       strcpy(seq_AVs[avnum].value, "C");
-       break;
-     case IPID_SEQ_INCR:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "IPID";
-       strcpy(seq_AVs[avnum].value, "I");
-       break;
-     case IPID_SEQ_BROKEN_INCR:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "IPID";
-       strcpy(seq_AVs[avnum].value, "BI");
-       break;
-     case IPID_SEQ_RPI:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "IPID";
-       strcpy(seq_AVs[avnum].value, "RPI");
-       break;
-     case IPID_SEQ_RD:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "IPID";
-       strcpy(seq_AVs[avnum].value, "RD");
-       break;
-     case IPID_SEQ_ZERO:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "IPID";
-       strcpy(seq_AVs[avnum].value, "Z");
-       break;
-     }
-
-     /* TCP Timestamp option sequencing */
-     switch(si->ts_seqclass) {
-     case TS_SEQ_ZERO:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "TS";
-       strcpy(seq_AVs[avnum].value, "0");
-       break;
-     case TS_SEQ_2HZ:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "TS";
-       strcpy(seq_AVs[avnum].value, "2HZ");
-       break;
-     case TS_SEQ_100HZ:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "TS";
-       strcpy(seq_AVs[avnum].value, "100HZ");
-       break;
-     case TS_SEQ_1000HZ:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "TS";
-       strcpy(seq_AVs[avnum].value, "1000HZ");
-       break;
-     case TS_SEQ_UNSUPPORTED:
-       seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
-       seq_AVs[avnum].attribute = "TS";
-       strcpy(seq_AVs[avnum].value, "U");
-       break;
-     }
-   }
-   else {
-     log_write(LOG_STDOUT|LOG_NORMAL|LOG_SKID,"Insufficient responses for TCP sequencing (%d), OS detection may be less accurate\n", si->responses);
-   }
- } else {
- }
-
-for(i=0; i < 9; i++) {
-  if (i > 0 && !FPtests[i] && ((openport != (unsigned long) -1) || i > 4)) {
-    /* We create a Resp (response) attribute with value of N (no) because
-       it is important here to note whether responses were or were not 
-       received */
-    FPtests[i] = (FingerPrint *) safe_zalloc(sizeof(FingerPrint));
-    seq_AVs = (struct AVal *) safe_zalloc(sizeof(struct AVal));
-    seq_AVs->attribute = "Resp";
-    strcpy(seq_AVs->value, "N");
-    seq_AVs->next = NULL;
-    FPtests[i]->results = seq_AVs;
-    FPtests[i]->name =  (i == 1)? "T1" : (i == 2)? "T2" : (i == 3)? "T3" : (i == 4)? "T4" : (i == 5)? "T5" : (i == 6)? "T6" : (i == 7)? "T7" : "PU";
-  }
-}
- last = -1;
- FP = NULL;
- for(i=0; i < 9 ; i++) {
-   if (!FPtests[i]) continue; 
-   if (!FP) FP = FPtests[i];
-   if (last > -1) {
-     FPtests[last]->next = FPtests[i];    
-   }
-   last = i;
- }
- if (last) FPtests[last]->next = NULL;
- 
- osscan_timedout:
- if (target->timedOut(NULL))
-   FP = NULL;
- if (rawsd >= 0)
-   close(rawsd);
- if (ethptr) {
-   eth_close(ethptr->ethsd);
- }
- pcap_close(pd);
- return FP;
-}
-
-
-struct AVal *fingerprint_iptcppacket(struct ip *ip, int mss, u32 syn) {
+static struct AVal *fingerprint_iptcppacket(struct ip *ip, int mss, u32 syn) {
   struct AVal *AVs;
   int length;
   int opcode;
@@ -980,6 +331,800 @@ struct AVal *fingerprint_iptcppacket(struct ip *ip, int mss, u32 syn) {
   return AVs;
 }
 
+
+static struct AVal *fingerprint_portunreach(struct ip *ip, struct udpprobeinfo *upi) {
+  struct icmp *icmp;
+  struct ip *ip2;
+  int numtests = 10;
+  unsigned short checksum;
+  unsigned short *checksumptr;
+  udphdr_bsd *udp;
+  struct AVal *AVs;
+  int i;
+  int current_testno = 0;
+  unsigned char *datastart, *dataend;
+
+  /* The very first thing we do is make sure this is the correct
+     response */
+  if (ip->ip_p != IPPROTO_ICMP) {
+    error("fingerprint_portunreach handed a non-ICMP packet!");
+    return NULL;
+  }
+
+  if (ip->ip_src.s_addr != upi->target.s_addr)
+    return NULL;  /* Not the person we sent to */
+
+  icmp = ((struct icmp *)  (((char *) ip) + 4 * ip->ip_hl));
+  if (icmp->icmp_type != 3 || icmp->icmp_code != 3)
+    return NULL; /* Not a port unreachable */
+
+  ip2 = (struct ip*) ((char *)icmp + 8);
+  udp = (udphdr_bsd *) ((char *)ip2 + 20);
+
+  /* The ports better match as well ... */
+  if (ntohs(udp->uh_sport) != upi->sport || ntohs(udp->uh_dport) != upi->dport) {
+    return NULL;
+  }
+
+  /* Create the Avals */
+  AVs = (struct AVal *) safe_zalloc(numtests * sizeof(struct AVal));
+
+  /* Link them together */
+  for(i=0; i < numtests - 1; i++)
+    AVs[i].next = &AVs[i+1];
+
+  /* First of all, if we got this far the response was yes */
+  AVs[current_testno].attribute = "Resp";
+  strcpy(AVs[current_testno].value, "Y");
+
+  current_testno++;
+
+  /* Now let us do an easy one, Don't fragment */
+  AVs[current_testno].attribute = "DF";
+  if(ntohs(ip->ip_off) & 0x4000) {
+    strcpy(AVs[current_testno].value,"Y");
+  } else strcpy(AVs[current_testno].value, "N");
+
+  current_testno++;
+
+  /* Now lets do TOS of the response (note, I've never seen this be
+     useful */
+  AVs[current_testno].attribute = "TOS";
+  sprintf(AVs[current_testno].value, "%hX", ip->ip_tos);
+
+  current_testno++;
+
+  /* Now we look at the IP datagram length that was returned, some
+     machines send more of the original packet back than others */
+  AVs[current_testno].attribute = "IPLEN";
+  sprintf(AVs[current_testno].value, "%hX", ntohs(ip->ip_len));
+
+  current_testno++;
+
+  /* OK, lets check the returned IP length, some systems @$@ this
+     up */
+  AVs[current_testno].attribute = "RIPTL";
+  sprintf(AVs[current_testno].value, "%hX", ntohs(ip2->ip_len));
+
+  current_testno++;
+
+  /* This next test doesn't work on Solaris because the lamers
+     overwrite our ip_id */
+#if !defined(SOLARIS) && !defined(SUNOS) && !defined(IRIX) && !defined(HPUX)
+
+  /* Now lets see how they treated the ID we sent ... */
+  AVs[current_testno].attribute = "RID";
+  if (ntohs(ip2->ip_id) == 0)
+    strcpy(AVs[current_testno].value, "0");
+  else if (ip2->ip_id == upi->ipid)
+    strcpy(AVs[current_testno].value, "E"); /* The "expected" value */
+  else strcpy(AVs[current_testno].value, "F"); /* They fucked it up */
+
+  current_testno++;
+
+#endif
+
+  /* Let us see if the IP checksum we got back computes */
+
+  AVs[current_testno].attribute = "RIPCK";
+  /* Thanks to some machines not having struct ip member ip_sum we
+     have to go with this BS */
+  checksumptr = (unsigned short *)   ((char *) ip2 + 10);
+  checksum =   *checksumptr;
+
+  if (checksum == 0)
+    strcpy(AVs[current_testno].value, "0");
+  else {
+    *checksumptr = 0;
+    if (in_cksum((unsigned short *)ip2, 20) == checksum) {
+      strcpy(AVs[current_testno].value, "E"); /* The "expected" value */
+    } else {
+      strcpy(AVs[current_testno].value, "F"); /* They fucked it up */
+    }
+    *checksumptr = checksum;
+  }
+
+  current_testno++;
+
+  /* UDP checksum */
+  AVs[current_testno].attribute = "UCK";
+  if (udp->uh_sum == 0)
+    strcpy(AVs[current_testno].value, "0");
+  else if (udp->uh_sum == upi->udpck)
+    strcpy(AVs[current_testno].value, "E"); /* The "expected" value */
+  else strcpy(AVs[current_testno].value, "F"); /* They fucked it up */
+
+  current_testno++;
+
+  /* UDP length ... */
+  AVs[current_testno].attribute = "ULEN";
+  sprintf(AVs[current_testno].value, "%hX", ntohs(udp->uh_ulen));
+
+  current_testno++;
+
+  /* Finally we ensure the data is OK */
+  datastart = ((unsigned char *)udp) + 8;
+  dataend = (unsigned char *)  ip + ntohs(ip->ip_len);
+
+  while(datastart < dataend) {
+    if (*datastart != upi->patternbyte) break;
+    datastart++;
+  }
+  AVs[current_testno].attribute = "DAT";
+  if (datastart < dataend)
+    strcpy(AVs[current_testno].value, "F"); /* They fucked it up */
+  else  
+    strcpy(AVs[current_testno].value, "E");
+
+  AVs[current_testno].next = NULL;
+
+  return AVs;
+}
+
+static FingerPrint *get_fingerprint(Target *target, struct seq_info *si) {
+  FingerPrint *FP = NULL, *FPtmp = NULL;
+  FingerPrint *FPtests[9];
+  struct AVal *seq_AVs;
+  u16 lastipid=0; /* For catching duplicate packets */
+  int last;
+  u32 timestamp = 0; /* TCP timestamp we receive back */
+  struct ip *ip;
+  struct tcphdr *tcp;
+  struct icmp *icmp;
+  struct timeval t1,t2;
+  int i;
+  pcap_t *pd = NULL;
+  int rawsd;
+  int tries = 0;
+  int newcatches;
+  int current_port = 0;
+  int testsleft;
+  int testno;
+  int  timeout;
+  int avnum;
+  unsigned int sequence_base;
+  unsigned long openport;
+  unsigned int bytes;
+  unsigned int closedport = 31337;
+  Port *tport = NULL;
+  char filter[512];
+  double seq_inc_sum = 0;
+  unsigned int  seq_avg_inc = 0;
+  struct udpprobeinfo *upi = NULL;
+  u32 seq_gcd = 1;
+  u32 seq_diffs[NUM_SEQ_SAMPLES];
+  u32 ts_diffs[NUM_SEQ_SAMPLES];
+  unsigned long time_usec_diffs[NUM_SEQ_SAMPLES];
+  struct timeval seq_send_times[NUM_SEQ_SAMPLES];
+  int ossofttimeout, oshardtimeout;
+  int seq_packets_sent = 0;
+  int seq_response_num; /* response # for sequencing */
+  double avg_ts_hz = 0.0; /* Avg. amount that timestamps incr. each second */
+  struct link_header linkhdr;
+  struct eth_nfo eth;
+  struct eth_nfo *ethptr; // for passing to send_ functions 
+
+  if (target->timedOut(NULL))
+    return NULL;
+
+  /* The seqs must start out as zero for the si struct */
+  memset(si->seqs, 0, sizeof(si->seqs));
+  si->ipid_seqclass = IPID_SEQ_UNKNOWN;
+  si->ts_seqclass = TS_SEQ_UNKNOWN;
+  si->lastboot = 0;
+
+  /* Init our fingerprint tests to each be NULL */
+  memset(FPtests, 0, sizeof(FPtests)); 
+  get_random_bytes(&sequence_base, sizeof(unsigned int));
+  if ((o.sendpref & PACKET_SEND_ETH) &&  target->ifType() == devt_ethernet) {
+    memcpy(eth.srcmac, target->SrcMACAddress(), 6);
+    memcpy(eth.dstmac, target->NextHopMACAddress(), 6);
+    eth.ethsd = eth_open(target->deviceName());
+    if (eth.ethsd == NULL)
+      fatal("%s: Failed to open ethernet device (%s)", __FUNCTION__, target->deviceName());
+
+    rawsd = -1;
+    ethptr = &eth;
+  } else {
+    /* Init our raw socket */
+    if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
+      pfatal("socket troubles in get_fingerprint");
+    unblock_socket(rawsd);
+    broadcast_socket(rawsd);
+#ifndef WIN32
+    sethdrinclude(rawsd);
+#endif
+    ethptr = NULL;
+    eth.ethsd = NULL;
+  }
+
+  /* Now for the pcap opening nonsense ... */
+  /* Note that the snaplen is 152 = 64 byte max IPhdr + 24 byte max link_layer
+   * header + 64 byte max TCP header.  Had to up it for UDP test
+   */
+
+  ossofttimeout = MAX(200000, target->to.timeout);
+  oshardtimeout = MAX(500000, 5 * target->to.timeout);
+
+  pd = my_pcap_open_live(target->deviceName(), /*650*/ 8192,  (o.spoofsource)? 1 : 0, (ossofttimeout + 500)/ 1000);
+
+  if (o.debugging > 1)
+    log_write(LOG_STDOUT, "Wait time is %dms\n", (ossofttimeout +500)/1000);
+
+  snprintf(filter, sizeof(filter), "dst host %s and (icmp or (tcp and src host %s))", inet_ntoa(target->v4source()), target->targetipstr());
+ 
+  set_pcap_filter(target->deviceName(), pd, filter);
+  target->osscan_performed = 1; /* Let Nmap know that we did try an OS scan */
+
+  /* Lets find an open port to use */
+  openport = (unsigned long) -1;
+  target->FPR->osscan_opentcpport = -1;
+  target->FPR->osscan_closedtcpport = -1;
+  tport = NULL;
+  if ((tport = target->ports.nextPort(NULL, IPPROTO_TCP, PORT_OPEN, false))) {
+    openport = tport->portno;
+    target->FPR->osscan_opentcpport = tport->portno;
+  }
+ 
+  /* Now we should find a closed port */
+  if ((tport = target->ports.nextPort(NULL, IPPROTO_TCP, PORT_CLOSED, false))) {
+    closedport = tport->portno;
+    target->FPR->osscan_closedtcpport = tport->portno;
+  } else if ((tport = target->ports.nextPort(NULL, IPPROTO_TCP, PORT_UNFILTERED, false))) {
+    /* Well, we will settle for unfiltered */
+    closedport = tport->portno;
+  } else {
+    closedport = (get_random_uint() % 14781) + 30000;
+  }
+
+  if (o.verbose && openport != (unsigned long) -1)
+    log_write(LOG_STDOUT, "For OSScan assuming port %lu is open, %d is closed, and neither are firewalled\n", openport, closedport);
+
+  current_port = o.magic_port + NUM_SEQ_SAMPLES +1;
+ 
+  /* Now lets do the NULL packet technique */
+  testsleft = (openport == (unsigned long) -1)? 4 : 8;
+  FPtmp = NULL;
+  tries = 0;
+  do { 
+    newcatches = 0;
+    if (openport != (unsigned long) -1) {   
+      /* Test 1 */
+      if (!FPtests[1]) {     
+	if (o.scan_delay) enforce_scan_delay(NULL);
+	send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
+			    current_port, openport, sequence_base, 0, 
+			    TH_ECE|TH_SYN, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
+      }
+     
+      /* Test 2 */
+      if (!FPtests[2]) {     
+	if (o.scan_delay) enforce_scan_delay(NULL);
+	send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
+			    current_port +1, 
+			    openport, sequence_base, 0,0, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
+      }
+
+      /* Test 3 */
+      if (!FPtests[3]) {     
+	if (o.scan_delay) enforce_scan_delay(NULL);
+	send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, current_port +2, 
+			    openport, sequence_base, 0,TH_SYN|TH_FIN|TH_URG|TH_PUSH, 0,(u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
+      }
+
+      /* Test 4 */
+      if (!FPtests[4]) {     
+	if (o.scan_delay) enforce_scan_delay(NULL);
+	send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
+			    current_port +3, 
+			    openport, sequence_base, 0,TH_ACK, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
+      }
+    }
+   
+    /* Test 5 */
+    if (!FPtests[5]) {   
+      if (o.scan_delay) enforce_scan_delay(NULL);
+      send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
+			  current_port +4,
+			  closedport, sequence_base, 0,TH_SYN, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
+    }
+
+    /* Test 6 */
+    if (!FPtests[6]) {   
+      if (o.scan_delay) enforce_scan_delay(NULL);
+      send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
+			  current_port +5, 
+			  closedport, sequence_base, 0,TH_ACK, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
+    }
+
+    /* Test 7 */
+    if (!FPtests[7]) {
+      if (o.scan_delay) enforce_scan_delay(NULL);   
+      send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
+			  current_port +6, 
+			  closedport, sequence_base, 0,TH_FIN|TH_PUSH|TH_URG, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
+    }
+
+    /* Test 8 */
+    if (!FPtests[8]) {
+      if (o.scan_delay) enforce_scan_delay(NULL);
+      upi = send_closedudp_probe(rawsd, ethptr, target->v4hostip(), o.magic_port, closedport);
+    }
+    gettimeofday(&t1, NULL);
+    timeout = 0;
+
+    /* Insure we haven't overrun our allotted time ... */
+    if (target->timedOut(&t1))
+      goto osscan_timedout;
+
+    while(( ip = (struct ip*) readip_pcap(pd, &bytes, oshardtimeout, NULL, &linkhdr)) && !timeout) {
+      gettimeofday(&t2, NULL);
+      if (TIMEVAL_SUBTRACT(t2,t1) > oshardtimeout) {
+	timeout = 1;
+      }
+
+      if (target->timedOut(&t2))
+	goto osscan_timedout;
+
+      if (bytes < (4 * ip->ip_hl) + 4U || bytes < 20)
+	continue;
+      setTargetMACIfAvailable(target, &linkhdr, ip, 0);
+      if (ip->ip_p == IPPROTO_TCP) {
+	tcp = ((struct tcphdr *) (((char *) ip) + 4 * ip->ip_hl));
+	testno = ntohs(tcp->th_dport) - current_port + 1;
+	if (testno <= 0 || testno > 7)
+	  continue;
+	if (o.debugging > 1)
+	  log_write(LOG_STDOUT, "Got packet for test number %d\n", testno);
+	if (FPtests[testno]) continue;
+	testsleft--;
+	newcatches++;
+	FPtests[testno] = (FingerPrint *) safe_zalloc(sizeof(FingerPrint));
+	FPtests[testno]->results = fingerprint_iptcppacket(ip, 265, sequence_base);
+	FPtests[testno]->name = (testno == 1)? "T1" : (testno == 2)? "T2" : (testno == 3)? "T3" : (testno == 4)? "T4" : (testno == 5)? "T5" : (testno == 6)? "T6" : (testno == 7)? "T7" : "PU";
+      } else if (ip->ip_p == IPPROTO_ICMP) {
+	icmp = ((struct icmp *)  (((char *) ip) + 4 * ip->ip_hl));
+	/* It must be a destination port unreachable */
+	if (icmp->icmp_type != 3 || icmp->icmp_code != 3) {
+	  /* This ain't no stinking port unreachable! */
+	  continue;
+	}
+	if (bytes < (unsigned int) ntohs(ip->ip_len)) {
+	  error("We only got %d bytes out of %d on our ICMP port unreachable packet, skipping", bytes, ntohs(ip->ip_len));
+	  continue;
+	}
+	if (FPtests[8]) continue;
+	FPtests[8] = (FingerPrint *) safe_zalloc(sizeof(FingerPrint));
+	FPtests[8]->results = fingerprint_portunreach(ip, upi);
+	if (FPtests[8]->results) {       
+	  FPtests[8]->name = "PU";
+	  testsleft--;
+	  newcatches++;
+	} else {
+	  free(FPtests[8]);
+	  FPtests[8] = NULL;
+	}
+      }
+      if (testsleft == 0)
+	break;
+    }     
+  } while ( testsleft > 0 && (tries++ < 5 && (newcatches || tries == 1)));
+
+  si->responses = 0;
+  timeout = 0; 
+  gettimeofday(&t1,NULL);
+  /* Next we send our initial NUM_SEQ_SAMPLES SYN packets  */
+  if (openport != (unsigned long) -1) {
+    seq_packets_sent = 0;
+    while (seq_packets_sent < NUM_SEQ_SAMPLES) {
+      if (o.scan_delay) enforce_scan_delay(NULL);
+      if (seq_packets_sent > 0) {
+	gettimeofday(&t1, NULL);
+	int remaining_us = 110000 - TIMEVAL_SUBTRACT(t1, seq_send_times[seq_packets_sent - 1]);
+	if (remaining_us > 0) {
+	  /* Need to spend at least .5 seconds in sending all packets to
+	     reliably detect 2HZ timestamp sequencing */
+	  usleep(remaining_us);
+	}
+      }
+      send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, 
+			  o.magic_port + seq_packets_sent + 1, 
+			  openport, 
+			  sequence_base + seq_packets_sent + 1, 0, 
+			  TH_SYN, 0 , (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
+      gettimeofday(&seq_send_times[seq_packets_sent], NULL);
+      t1 = seq_send_times[seq_packets_sent];
+      seq_packets_sent++;
+   
+      /* Now we collect the replies */
+      while(si->responses < seq_packets_sent && !timeout) {
+       
+	if (seq_packets_sent == NUM_SEQ_SAMPLES)
+	  ip = (struct ip*) readip_pcap(pd, &bytes, oshardtimeout, NULL, &linkhdr);
+	else ip = (struct ip*) readip_pcap(pd, &bytes, 10, NULL, &linkhdr);
+       
+	gettimeofday(&t2, NULL);
+	/*     error("DEBUG: got a response (len=%d):\n", bytes);  */
+	/*     lamont_hdump((unsigned char *) ip, bytes); */
+	/* Insure we haven't overrun our allotted time ... */
+	if (target->timedOut(&t2))
+	  goto osscan_timedout;
+
+	if (!ip) { 
+	  if (seq_packets_sent < NUM_SEQ_SAMPLES)
+	    break;
+	  if (TIMEVAL_SUBTRACT(t2,t1) > ossofttimeout)
+	    timeout = 1;
+	  continue; 
+	} else if (TIMEVAL_SUBTRACT(t2,t1) > oshardtimeout) {
+	  timeout = 1;
+	}		  
+	if (lastipid != 0 && ip->ip_id == lastipid) {
+	  /* Probably a duplicate -- this happens sometimes when scanning localhost */
+	  continue;
+	}
+	lastipid = ip->ip_id;
+
+	if (bytes < (4 * ip->ip_hl) + 4U || bytes < 20)
+	  continue;
+	setTargetMACIfAvailable(target, &linkhdr, ip, 0);
+	if (ip->ip_p == IPPROTO_TCP) {
+	  /*       readtcppacket((char *) ip, ntohs(ip->ip_len));  */
+	  tcp = ((struct tcphdr *) (((char *) ip) + 4 * ip->ip_hl));
+	  if (ntohs(tcp->th_dport) < o.magic_port || 
+	      ntohs(tcp->th_dport) - o.magic_port > NUM_SEQ_SAMPLES || 
+	      ntohs(tcp->th_sport) != openport) {
+	    continue;
+	  }
+	  if ((tcp->th_flags & TH_RST)) {
+	    /*	 readtcppacket((char *) ip, ntohs(ip->ip_len));*/	 
+	    if (si->responses == 0) {	 
+	      fprintf(stderr, "WARNING:  RST from port %lu -- is this port really open?\n", openport);
+	      /* We used to quit in this case, but left-overs from a SYN
+		 scan or lame-ass TCP wrappers can cause this! */
+	    } 
+	    continue;
+	  } else if ((tcp->th_flags & (TH_SYN|TH_ACK)) == (TH_SYN|TH_ACK)) {
+	    /*	error("DEBUG: response is SYN|ACK to port %hu\n", ntohs(tcp->th_dport)); */
+	    /*readtcppacket((char *)ip, ntohs(ip->ip_len));*/
+	    /* We use the ACK value to match up our sent with rcv'd packets */
+	    seq_response_num = (ntohl(tcp->th_ack) - 2 - 
+				sequence_base); 
+	    if (seq_response_num < 0 || seq_response_num >= seq_packets_sent) {
+	      /* BzzT! Value out of range */
+	      if (o.debugging) {
+		error("Unable to associate os scan response with sent packet (received ack: %lX; sequence base: %lX. Packet:", (unsigned long) ntohl(tcp->th_ack), (unsigned long) sequence_base);
+		readtcppacket((unsigned char *)ip,ntohs(ip->ip_len));
+	      }
+	      seq_response_num = si->responses;
+	    }
+	    if (si->seqs[seq_response_num] == 0) {
+	      /* New response found! */
+	      si->responses++;
+	      si->seqs[seq_response_num] = ntohl(tcp->th_seq); /* TCP ISN */
+	      si->ipids[seq_response_num] = ntohs(ip->ip_id);
+	      if ((gettcpopt_ts(tcp, &timestamp, NULL) == 0))
+		si->ts_seqclass = TS_SEQ_UNSUPPORTED;
+	      else {
+		if (timestamp == 0) {
+		  si->ts_seqclass = TS_SEQ_ZERO;
+		}
+	      }
+	      si->timestamps[seq_response_num] = timestamp;
+	      /*           printf("Response #%d -- ipid=%hu ts=%i\n", seq_response_num, ntohs(ip->ip_id), timestamp); */
+	      if (si->responses > 1) {
+		seq_diffs[si->responses-2] = MOD_DIFF(ntohl(tcp->th_seq), si->seqs[si->responses-2]);
+	      }
+	    }
+	  }
+	}
+      }
+    }
+
+    /* Now we make sure there are no gaps in our response array ... */
+    for(i=0, si->responses=0; i < seq_packets_sent; i++) {
+      if (si->seqs[i] != 0) /* We found a good one */ {
+	if (si->responses < i) {
+	  si->seqs[si->responses] = si->seqs[i];
+	  si->ipids[si->responses] = si->ipids[i];
+	  si->timestamps[si->responses] = si->timestamps[i];
+	  seq_send_times[si->responses] = seq_send_times[i];
+	}
+	if (si->responses > 0) {
+	  seq_diffs[si->responses - 1] = MOD_DIFF(si->seqs[si->responses], si->seqs[si->responses - 1]);
+	  ts_diffs[si->responses - 1] = MOD_DIFF(si->timestamps[si->responses], si->timestamps[si->responses - 1]);
+	  time_usec_diffs[si->responses - 1] = TIMEVAL_SUBTRACT(seq_send_times[si->responses], seq_send_times[si->responses - 1]);
+	  if (!time_usec_diffs[si->responses - 1]) time_usec_diffs[si->responses - 1]++; /* We divide by this later */
+	  /*	 printf("MOD_DIFF_USHORT(%hu, %hu) == %hu\n", si->ipids[si->responses], si->ipids[si->responses - 1], MOD_DIFF_USHORT(si->ipids[si->responses], si->ipids[si->responses - 1])); */
+	}
+
+	si->responses++;
+      } /* Otherwise nothing good in this slot to copy */
+    }
+     
+
+    si->ipid_seqclass = ipid_sequence(si->responses, si->ipids, 
+				      islocalhost(target->v4hostip()));
+
+    /* Now we look at TCP Timestamp sequence prediction */
+    /* Battle plan:
+       1) Compute average increments per second, and variance in incr. per second 
+       2) If any are 0, set to constant
+       3) If variance is high, set to random incr. [ skip for now ]
+       4) if ~10/second, set to appropriate thing
+       5) Same with ~100/sec
+    */
+    if (si->ts_seqclass == TS_SEQ_UNKNOWN && si->responses >= 2) {
+      avg_ts_hz = 0.0;
+      for(i=0; i < si->responses - 1; i++) {
+	double dhz;
+
+	dhz = (double) ts_diffs[i] / (time_usec_diffs[i] / 1000000.0);
+	/*       printf("ts incremented by %d in %li usec -- %fHZ\n", ts_diffs[i], time_usec_diffs[i], dhz); */
+	avg_ts_hz += dhz / ( si->responses - 1);
+      }
+
+      if (o.debugging)
+	printf("The avg TCP TS HZ is: %f\n", avg_ts_hz);
+     
+      if (avg_ts_hz > 0 && avg_ts_hz < 3.9) { /* relatively wide range because sampling time so short and frequency so slow */
+	si->ts_seqclass = TS_SEQ_2HZ;
+	si->lastboot = seq_send_times[0].tv_sec - (si->timestamps[0] / 2); 
+      }
+      else if (avg_ts_hz > 85 && avg_ts_hz < 115) {
+	si->ts_seqclass = TS_SEQ_100HZ;
+	si->lastboot = seq_send_times[0].tv_sec - (si->timestamps[0] / 100); 
+      }
+      else if (avg_ts_hz > 900 && avg_ts_hz < 1100) {
+	si->ts_seqclass = TS_SEQ_1000HZ;
+	si->lastboot = seq_send_times[0].tv_sec - (si->timestamps[0] / 1000); 
+      }
+      if (si->lastboot && (seq_send_times[0].tv_sec - si->lastboot > 63072000))
+	{
+	  /* Up 2 years?  Perhaps, but they're probably lying. */
+	  if (o.debugging) {
+	    error("Ignoring claimed uptime of %lu days", 
+		  (seq_send_times[0].tv_sec - si->lastboot) / 86400);
+	  }
+	  si->lastboot = 0;
+	}
+    }
+   
+    /* Time to look at the TCP ISN predictability */
+    if (si->responses >= 4 && o.scan_delay <= 1000) {
+      seq_gcd = gcd_n_uint(si->responses -1, seq_diffs);
+      /*     printf("The GCD is %u\n", seq_gcd);*/
+      if (seq_gcd) {     
+	for(i=0; i < si->responses - 1; i++)
+	  seq_diffs[i] /= seq_gcd;
+	for(i=0; i < si->responses - 1; i++) {     
+	  if (MOD_DIFF(si->seqs[i+1],si->seqs[i]) > 50000000) {
+	    si->seqclass = SEQ_TR;
+	    si->index = 9999999;
+	    /*	 printf("Target is a TR box\n");*/
+	    break;
+	  }	
+	  seq_avg_inc += seq_diffs[i];
+	}
+      }
+      if (seq_gcd == 0) {
+	si->seqclass = SEQ_CONSTANT;
+	si->index = 0;
+      } else if (seq_gcd % 64000 == 0) {
+	si->seqclass = SEQ_64K;
+	/*       printf("Target is a 64K box\n");*/
+	si->index = 1;
+      } else if (seq_gcd % 800 == 0) {
+	si->seqclass = SEQ_i800;
+	/*       printf("Target is a i800 box\n");*/
+	si->index = 10;
+      } else if (si->seqclass == SEQ_UNKNOWN) {
+	seq_avg_inc = (unsigned int) ((0.5) + seq_avg_inc / (si->responses - 1));
+	/*       printf("seq_avg_inc=%u\n", seq_avg_inc);*/
+	for(i=0; i < si->responses -1; i++)       {     
+
+	  /*	 printf("The difference is %u\n", seq_diffs[i]);
+		 printf("Adding %u^2=%e", MOD_DIFF(seq_diffs[i], seq_avg_inc), pow(MOD_DIFF(seq_diffs[i], seq_avg_inc), 2));*/
+	  /* pow() seems F#@!#$!ed up on some Linux systems so I will
+	     not use it for now 
+	     seq_inc_sum += pow(MOD_DIFF(seq_diffs[i], seq_avg_inc), 2);
+	  */	 
+	 
+	  seq_inc_sum += ((double)(MOD_DIFF(seq_diffs[i], seq_avg_inc)) * ((double)MOD_DIFF(seq_diffs[i], seq_avg_inc)));
+	  /*	 seq_inc_sum += pow(MOD_DIFF(seq_diffs[i], seq_avg_inc), 2);*/
+
+	}
+	/*       printf("The sequence sum is %e\n", seq_inc_sum);*/
+	seq_inc_sum /= (si->responses - 1);
+
+	/* Some versions of Linux libc seem to have broken pow ... so we
+	   avoid it */
+#ifdef LINUX       
+	si->index = (unsigned int) (0.5 + sqrt(seq_inc_sum));
+#else
+	si->index = (unsigned int) (0.5 + pow(seq_inc_sum, 0.5));
+#endif
+
+	/*       printf("The sequence index is %d\n", si->index);*/
+	if (si->index < 75) {
+	  si->seqclass = SEQ_TD;
+	  /*	 printf("Target is a Micro$oft style time dependant box\n");*/
+	}
+	else {
+	  si->seqclass = SEQ_RI;
+	  /*	 printf("Target is a random incremental box\n");*/
+	}
+      }
+      FPtests[0] = (FingerPrint *) safe_zalloc(sizeof(FingerPrint));
+      FPtests[0]->name = "TSeq";
+      seq_AVs = (struct AVal *) safe_zalloc(sizeof(struct AVal) * 5);
+      FPtests[0]->results = seq_AVs;
+      avnum = 0;
+      seq_AVs[avnum].attribute = "Class";
+      switch(si->seqclass) {
+      case SEQ_CONSTANT:
+	strcpy(seq_AVs[avnum].value, "C");
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute= "Val";     
+	sprintf(seq_AVs[avnum].value, "%X", si->seqs[0]);
+	break;
+      case SEQ_64K:
+	strcpy(seq_AVs[avnum].value, "64K");      
+	break;
+      case SEQ_i800:
+	strcpy(seq_AVs[avnum].value, "i800");
+	break;
+      case SEQ_TD:
+	strcpy(seq_AVs[avnum].value, "TD");
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute= "gcd";     
+	sprintf(seq_AVs[avnum].value, "%X", seq_gcd);
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute="SI";
+	sprintf(seq_AVs[avnum].value, "%X", si->index);
+	break;
+      case SEQ_RI:
+	strcpy(seq_AVs[avnum].value, "RI");
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute= "gcd";     
+	sprintf(seq_AVs[avnum].value, "%X", seq_gcd);
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute="SI";
+	sprintf(seq_AVs[avnum].value, "%X", si->index);
+	break;
+      case SEQ_TR:
+	strcpy(seq_AVs[avnum].value, "TR");
+	break;
+      }
+
+      /* IP ID Class */
+      switch(si->ipid_seqclass) {
+      case IPID_SEQ_CONSTANT:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "IPID";
+	strcpy(seq_AVs[avnum].value, "C");
+	break;
+      case IPID_SEQ_INCR:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "IPID";
+	strcpy(seq_AVs[avnum].value, "I");
+	break;
+      case IPID_SEQ_BROKEN_INCR:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "IPID";
+	strcpy(seq_AVs[avnum].value, "BI");
+	break;
+      case IPID_SEQ_RPI:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "IPID";
+	strcpy(seq_AVs[avnum].value, "RPI");
+	break;
+      case IPID_SEQ_RD:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "IPID";
+	strcpy(seq_AVs[avnum].value, "RD");
+	break;
+      case IPID_SEQ_ZERO:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "IPID";
+	strcpy(seq_AVs[avnum].value, "Z");
+	break;
+      }
+
+      /* TCP Timestamp option sequencing */
+      switch(si->ts_seqclass) {
+      case TS_SEQ_ZERO:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "TS";
+	strcpy(seq_AVs[avnum].value, "0");
+	break;
+      case TS_SEQ_2HZ:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "TS";
+	strcpy(seq_AVs[avnum].value, "2HZ");
+	break;
+      case TS_SEQ_100HZ:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "TS";
+	strcpy(seq_AVs[avnum].value, "100HZ");
+	break;
+      case TS_SEQ_1000HZ:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "TS";
+	strcpy(seq_AVs[avnum].value, "1000HZ");
+	break;
+      case TS_SEQ_UNSUPPORTED:
+	seq_AVs[avnum].next = &seq_AVs[avnum+1]; avnum++;
+	seq_AVs[avnum].attribute = "TS";
+	strcpy(seq_AVs[avnum].value, "U");
+	break;
+      }
+    }
+    else {
+      log_write(LOG_STDOUT|LOG_NORMAL|LOG_SKID,"Insufficient responses for TCP sequencing (%d), OS detection may be less accurate\n", si->responses);
+    }
+  } else {
+  }
+
+  for(i=0; i < 9; i++) {
+    if (i > 0 && !FPtests[i] && ((openport != (unsigned long) -1) || i > 4)) {
+      /* We create a Resp (response) attribute with value of N (no) because
+	 it is important here to note whether responses were or were not 
+	 received */
+      FPtests[i] = (FingerPrint *) safe_zalloc(sizeof(FingerPrint));
+      seq_AVs = (struct AVal *) safe_zalloc(sizeof(struct AVal));
+      seq_AVs->attribute = "Resp";
+      strcpy(seq_AVs->value, "N");
+      seq_AVs->next = NULL;
+      FPtests[i]->results = seq_AVs;
+      FPtests[i]->name =  (i == 1)? "T1" : (i == 2)? "T2" : (i == 3)? "T3" : (i == 4)? "T4" : (i == 5)? "T5" : (i == 6)? "T6" : (i == 7)? "T7" : "PU";
+    }
+  }
+  last = -1;
+  FP = NULL;
+  for(i=0; i < 9 ; i++) {
+    if (!FPtests[i]) continue; 
+    if (!FP) FP = FPtests[i];
+    if (last > -1) {
+      FPtests[last]->next = FPtests[i];    
+    }
+    last = i;
+  }
+  if (last) FPtests[last]->next = NULL;
+ 
+ osscan_timedout:
+  if (target->timedOut(NULL))
+    FP = NULL;
+  if (rawsd >= 0)
+    close(rawsd);
+  if (ethptr) {
+    eth_close(ethptr->ethsd);
+  }
+  pcap_close(pd);
+  return FP;
+}
+
+
 // Prints a note if observedFP has a classification and it is not in referenceFP
 // Returns 0 if they match, nonzero otherwise
 static int compareclassifications(FingerPrint *referenceFP, 
@@ -1010,6 +1155,105 @@ static int compareclassifications(FingerPrint *referenceFP,
   return 1;
 }
 
+static struct AVal *getattrbyname(struct AVal *AV, const char *name) {
+  if (!AV) return NULL;
+  do {
+    if (!strcmp(AV->attribute, name))
+      return AV;
+    AV = AV->next;
+  } while(AV);
+  return NULL;
+}
+
+static struct AVal *gettestbyname(FingerPrint *FP, const char *name) {
+
+  if (!FP) return NULL;
+  do {
+    if (!strcmp(FP->name, name))
+      return FP->results;
+    FP = FP->next;
+  } while(FP);
+  return NULL;
+}
+
+/* Returns true if perfect match -- if num_subtests &
+   num_subtests_succeeded are non_null it ADDS THE NEW VALUES to what
+   is already there.  So initialize them to zero first if you only
+   want to see the results from this match.  if shortcircuit is zero,
+   it does all the tests, otherwise it returns when the first one
+   fails. */
+static int AVal_match(struct AVal *reference, struct AVal *fprint, unsigned long *num_subtests, unsigned long *num_subtests_succeeded, int shortcut) {
+  struct AVal *current_ref;
+  struct AVal *current_fp;
+  unsigned int number;
+  unsigned int val;
+  char *p, *q;  /* OHHHH YEEEAAAAAHHHH!#!@#$!% */
+  char valcpy[512];
+  char *endptr;
+  int andexp, orexp, expchar, numtrue;
+  int testfailed;
+  int subtests = 0, subtests_succeeded=0;
+
+  for(current_ref = reference; current_ref; current_ref = current_ref->next) {
+    current_fp = getattrbyname(fprint, current_ref->attribute);    
+    if (!current_fp) continue;
+    /* OK, we compare an attribute value in  current_fp->value to a 
+       potentially large expression in current_ref->value.  The syntax uses
+       < (less than), > (greather than), + (non-zero), | (or), and & (and) 
+       No parenthesis are allowed and an expression cannot have | AND & */
+    numtrue = andexp = orexp = 0; testfailed = 0;
+    Strncpy(valcpy, current_ref->value, sizeof(valcpy));
+    p = valcpy;
+    if (strchr(current_ref->value, '|')) {
+      orexp = 1; expchar = '|';
+    } else {
+      andexp = 1; expchar = '&';
+    }
+    do {
+      q = strchr(p, expchar);
+      if (q) *q = '\0';
+      if (strcmp(p, "+") == 0) {
+	if (!*current_fp->value) { if (andexp) { testfailed=1; break; } }
+	else {
+	  val = strtol(current_fp->value, &endptr, 16);
+	  if (val == 0 || *endptr) { if (andexp) { testfailed=1; break; } }
+	  else { numtrue++; if (orexp) break; }
+	}
+      } else if (*p == '<' && isxdigit((int) p[1])) {
+	if (!*current_fp->value) { if (andexp) { testfailed=1; break; } }
+	number = strtol(p + 1, &endptr, 16);
+	val = strtol(current_fp->value, &endptr, 16);
+	if (val >= number || *endptr) { if (andexp)  { testfailed=1; break; } }
+	else { numtrue++; if (orexp) break; }
+      } else if (*p == '>' && isxdigit((int) p[1])) {
+	if (!*current_fp->value) { if (andexp) { testfailed=1; break; } }
+	number = strtol(p + 1, &endptr, 16);
+	val = strtol(current_fp->value, &endptr, 16);
+	if (val <= number || *endptr) { if (andexp) { testfailed=1; break; } }
+	else { numtrue++; if (orexp) break; }
+      }
+      else {
+	if (strcmp(p, current_fp->value))
+	  { if (andexp) { testfailed=1; break; } }
+	else { numtrue++; if (orexp) break; }
+      }
+      if (q) p = q + 1;
+    } while(q);
+      if (numtrue == 0) testfailed=1;
+      subtests++;
+      if (testfailed) {
+	if (shortcut) {
+	  if (num_subtests) *num_subtests += subtests;
+	  return 0;
+	}
+      } else subtests_succeeded++;
+      /* Whew, we made it past one Attribute alive , on to the next! */
+  }
+  if (num_subtests) *num_subtests += subtests;
+  if (num_subtests_succeeded) *num_subtests_succeeded += subtests_succeeded;
+  return (subtests == subtests_succeeded)? 1 : 0;
+}
+
 /* Compares 2 fingerprints -- a referenceFP (can have expression
    attributes) with an observed fingerprint (no expressions).  If
    verbose is nonzero, differences will be printed.  The comparison
@@ -1155,108 +1399,6 @@ void match_fingerprint(FingerPrint *FP, FingerPrintResults *FPR,
   return;
 }
 
-struct AVal *gettestbyname(FingerPrint *FP, const char *name) {
-
-  if (!FP) return NULL;
-  do {
-    if (!strcmp(FP->name, name))
-      return FP->results;
-    FP = FP->next;
-  } while(FP);
-  return NULL;
-}
-
-struct AVal *getattrbyname(struct AVal *AV, const char *name) {
-
-  if (!AV) return NULL;
-  do {
-    if (!strcmp(AV->attribute, name))
-      return AV;
-    AV = AV->next;
-  } while(AV);
-  return NULL;
-}
-
-
-/* Returns true if perfect match -- if num_subtests &
-   num_subtests_succeeded are non_null it ADDS THE NEW VALUES to what
-   is already there.  So initialize them to zero first if you only
-   want to see the results from this match.  if shortcircuit is zero,
-   it does all the tests, otherwise it returns when the first one
-   fails. */
-int AVal_match(struct AVal *reference, struct AVal *fprint, unsigned long *num_subtests, unsigned long *num_subtests_succeeded, int shortcut) {
-  struct AVal *current_ref;
-  struct AVal *current_fp;
-  unsigned int number;
-  unsigned int val;
-  char *p, *q;  /* OHHHH YEEEAAAAAHHHH!#!@#$!% */
-  char valcpy[512];
-  char *endptr;
-  int andexp, orexp, expchar, numtrue;
-  int testfailed;
-  int subtests = 0, subtests_succeeded=0;
-
-  for(current_ref = reference; current_ref; current_ref = current_ref->next) {
-    current_fp = getattrbyname(fprint, current_ref->attribute);    
-    if (!current_fp) continue;
-    /* OK, we compare an attribute value in  current_fp->value to a 
-       potentially large expression in current_ref->value.  The syntax uses
-       < (less than), > (greather than), + (non-zero), | (or), and & (and) 
-       No parenthesis are allowed and an expression cannot have | AND & */
-    numtrue = andexp = orexp = 0; testfailed = 0;
-    Strncpy(valcpy, current_ref->value, sizeof(valcpy));
-    p = valcpy;
-    if (strchr(current_ref->value, '|')) {
-      orexp = 1; expchar = '|';
-    } else {
-      andexp = 1; expchar = '&';
-    }
-    do {
-      q = strchr(p, expchar);
-      if (q) *q = '\0';
-      if (strcmp(p, "+") == 0) {
-	if (!*current_fp->value) { if (andexp) { testfailed=1; break; } }
-	else {
-	  val = strtol(current_fp->value, &endptr, 16);
-	  if (val == 0 || *endptr) { if (andexp) { testfailed=1; break; } }
-	  else { numtrue++; if (orexp) break; }
-	}
-      } else if (*p == '<' && isxdigit((int) p[1])) {
-	if (!*current_fp->value) { if (andexp) { testfailed=1; break; } }
-	number = strtol(p + 1, &endptr, 16);
-	val = strtol(current_fp->value, &endptr, 16);
-	if (val >= number || *endptr) { if (andexp)  { testfailed=1; break; } }
-	else { numtrue++; if (orexp) break; }
-      } else if (*p == '>' && isxdigit((int) p[1])) {
-	if (!*current_fp->value) { if (andexp) { testfailed=1; break; } }
-	number = strtol(p + 1, &endptr, 16);
-	val = strtol(current_fp->value, &endptr, 16);
-	if (val <= number || *endptr) { if (andexp) { testfailed=1; break; } }
-	else { numtrue++; if (orexp) break; }
-      }
-      else {
-	if (strcmp(p, current_fp->value))
-	  { if (andexp) { testfailed=1; break; } }
-	else { numtrue++; if (orexp) break; }
-      }
-      if (q) p = q + 1;
-    } while(q);
-      if (numtrue == 0) testfailed=1;
-      subtests++;
-      if (testfailed) {
-	if (shortcut) {
-	  if (num_subtests) *num_subtests += subtests;
-	  return 0;
-	}
-      } else subtests_succeeded++;
-      /* Whew, we made it past one Attribute alive , on to the next! */
-  }
-  if (num_subtests) *num_subtests += subtests;
-  if (num_subtests_succeeded) *num_subtests_succeeded += subtests_succeeded;
-  return (subtests == subtests_succeeded)? 1 : 0;
-}
-
-
 void freeFingerPrint(FingerPrint *FP) {
 FingerPrint *currentFP;
 FingerPrint *nextFP;
@@ -1389,7 +1531,7 @@ o.scantype = OS_SCAN;
    top of a fingerprint.  Gives info which might be useful when the
    FPrint is submitted (eg Nmap version, etc).  Result is written (up
    to ostrlen) to the ostr var passed in */
-void WriteSInfo(char *ostr, int ostrlen, int openport, int closedport, 
+static void WriteSInfo(char *ostr, int ostrlen, int openport, int closedport, 
 		const u8 *mac) {
   struct tm *ltime;
   time_t timep;
@@ -1407,6 +1549,7 @@ void WriteSInfo(char *ostr, int ostrlen, int openport, int closedport,
 	   (int) timep, openport, closedport, macbuf);
 }
 
+
 char *mergeFPs(FingerPrint *FPs[], int numFPs, int openport, int closedport, 
 	       const u8 *mac) {
 static char str[10240];
@@ -1514,8 +1657,8 @@ return str;
 /* Parse a 'Class' line found in the fingerprint file into the current
    FP.  Classno is the number of 'class' lines found so far in the
    current fingerprint.  The function quits if there is a parse error */
-
-void parse_classline(FingerPrint *FP, char *thisline, int lineno, int *classno) {
+static void parse_classline(FingerPrint *FP, char *thisline, int lineno, 
+			    int *classno) {
   char *p, *q;
 
   fflush(stdout);
@@ -1614,6 +1757,42 @@ void parse_classline(FingerPrint *FP, char *thisline, int lineno, int *classno)
 
 }
 
+static struct AVal *str2AVal(char *str) {
+  int i = 1;
+  int count = 1;
+  char *q = str, *p=str;
+  struct AVal *AVs;
+  if (!*str) return NULL;
+
+  /* count the AVals */
+  while((q = strchr(q, '%'))) {
+    count++;
+    q++;
+  }
+
+  AVs = (struct AVal *) safe_zalloc(count * sizeof(struct AVal));
+  for(i=0; i < count; i++) {
+    q = strchr(p, '=');
+    if (!q) {
+      fatal("Parse error with AVal string (%s) in nmap-os-fingerprints file", str);
+    }
+    *q = '\0';
+    AVs[i].attribute = strdup(p);
+    p = q+1;
+    if (i != count - 1) {
+      q = strchr(p, '%');
+      if (!q) {
+	fatal("Parse error with AVal string (%s) in nmap-os-fingerprints file", str);
+      }
+      *q = '\0';
+      AVs[i].next = &AVs[i+1];
+    }
+    Strncpy(AVs[i].value, p, sizeof(AVs[i].value)); 
+    p = q + 1;
+  }
+  return AVs;
+}
+
 /* Parses a single fingerprint from the memory region given.  If a
  non-null fingerprint is returned, the user is in charge of freeing it
  when done.  This function does not require the fingerprint to be 100%
@@ -1793,192 +1972,6 @@ if (nmap_fetchfile(filename, sizeof(filename), "nmap-os-fingerprints") == -1){
 return parse_fingerprint_file(filename);
 }
 
-struct AVal *str2AVal(char *str) {
-int i = 1;
-int count = 1;
-char *q = str, *p=str;
-struct AVal *AVs;
-if (!*str) return NULL;
-
-/* count the AVals */
-while((q = strchr(q, '%'))) {
-  count++;
-  q++;
-}
-
-AVs = (struct AVal *) safe_zalloc(count * sizeof(struct AVal));
-for(i=0; i < count; i++) {
-  q = strchr(p, '=');
-  if (!q) {
-    fatal("Parse error with AVal string (%s) in nmap-os-fingerprints file", str);
-  }
-  *q = '\0';
-  AVs[i].attribute = strdup(p);
-  p = q+1;
-  if (i != count - 1) {
-    q = strchr(p, '%');
-    if (!q) {
-      fatal("Parse error with AVal string (%s) in nmap-os-fingerprints file", str);
-    }
-    *q = '\0';
-    AVs[i].next = &AVs[i+1];
-  }
-  Strncpy(AVs[i].value, p, sizeof(AVs[i].value)); 
-  p = q + 1;
-}
-return AVs;
-}
-
-
-struct AVal *fingerprint_portunreach(struct ip *ip, struct udpprobeinfo *upi) {
-struct icmp *icmp;
-struct ip *ip2;
-int numtests = 10;
-unsigned short checksum;
-unsigned short *checksumptr;
-udphdr_bsd *udp;
-struct AVal *AVs;
-int i;
-int current_testno = 0;
-unsigned char *datastart, *dataend;
-
-/* The very first thing we do is make sure this is the correct
-   response */
-if (ip->ip_p != IPPROTO_ICMP) {
-  error("fingerprint_portunreach handed a non-ICMP packet!");
-  return NULL;
-}
-
-if (ip->ip_src.s_addr != upi->target.s_addr)
-  return NULL;  /* Not the person we sent to */
-
-icmp = ((struct icmp *)  (((char *) ip) + 4 * ip->ip_hl));
-if (icmp->icmp_type != 3 || icmp->icmp_code != 3)
-  return NULL; /* Not a port unreachable */
-
-ip2 = (struct ip*) ((char *)icmp + 8);
-udp = (udphdr_bsd *) ((char *)ip2 + 20);
-
-/* The ports better match as well ... */
-if (ntohs(udp->uh_sport) != upi->sport || ntohs(udp->uh_dport) != upi->dport) {
-  return NULL;
-}
-
-/* Create the Avals */
-AVs = (struct AVal *) safe_zalloc(numtests * sizeof(struct AVal));
-
-/* Link them together */
-for(i=0; i < numtests - 1; i++)
-  AVs[i].next = &AVs[i+1];
-
-/* First of all, if we got this far the response was yes */
-AVs[current_testno].attribute = "Resp";
-strcpy(AVs[current_testno].value, "Y");
-
-current_testno++;
-
-/* Now let us do an easy one, Don't fragment */
-AVs[current_testno].attribute = "DF";
-  if(ntohs(ip->ip_off) & 0x4000) {
-    strcpy(AVs[current_testno].value,"Y");
-  } else strcpy(AVs[current_testno].value, "N");
-
-current_testno++;
-
-/* Now lets do TOS of the response (note, I've never seen this be
-   useful */
-AVs[current_testno].attribute = "TOS";
-sprintf(AVs[current_testno].value, "%hX", ip->ip_tos);
-
-current_testno++;
-
-/* Now we look at the IP datagram length that was returned, some
-   machines send more of the original packet back than others */
-AVs[current_testno].attribute = "IPLEN";
-sprintf(AVs[current_testno].value, "%hX", ntohs(ip->ip_len));
-
-current_testno++;
-
-/* OK, lets check the returned IP length, some systems @$@ this
-   up */
-AVs[current_testno].attribute = "RIPTL";
-sprintf(AVs[current_testno].value, "%hX", ntohs(ip2->ip_len));
-
-current_testno++;
-
-/* This next test doesn't work on Solaris because the lamers
-   overwrite our ip_id */
-#if !defined(SOLARIS) && !defined(SUNOS) && !defined(IRIX) && !defined(HPUX)
-
-/* Now lets see how they treated the ID we sent ... */
-AVs[current_testno].attribute = "RID";
-if (ntohs(ip2->ip_id) == 0)
-  strcpy(AVs[current_testno].value, "0");
-else if (ip2->ip_id == upi->ipid)
-  strcpy(AVs[current_testno].value, "E"); /* The "expected" value */
-else strcpy(AVs[current_testno].value, "F"); /* They fucked it up */
-
-current_testno++;
-
-#endif
-
-/* Let us see if the IP checksum we got back computes */
-
-AVs[current_testno].attribute = "RIPCK";
-/* Thanks to some machines not having struct ip member ip_sum we
-   have to go with this BS */
-checksumptr = (unsigned short *)   ((char *) ip2 + 10);
-checksum =   *checksumptr;
-
-if (checksum == 0)
-  strcpy(AVs[current_testno].value, "0");
-else {
-  *checksumptr = 0;
-  if (in_cksum((unsigned short *)ip2, 20) == checksum) {
-    strcpy(AVs[current_testno].value, "E"); /* The "expected" value */
-  } else {
-    strcpy(AVs[current_testno].value, "F"); /* They fucked it up */
-  }
-  *checksumptr = checksum;
-}
-
-current_testno++;
-
-/* UDP checksum */
-AVs[current_testno].attribute = "UCK";
-if (udp->uh_sum == 0)
-  strcpy(AVs[current_testno].value, "0");
-else if (udp->uh_sum == upi->udpck)
-  strcpy(AVs[current_testno].value, "E"); /* The "expected" value */
-else strcpy(AVs[current_testno].value, "F"); /* They fucked it up */
-
-current_testno++;
-
-/* UDP length ... */
-AVs[current_testno].attribute = "ULEN";
-sprintf(AVs[current_testno].value, "%hX", ntohs(udp->uh_ulen));
-
-current_testno++;
-
-/* Finally we ensure the data is OK */
-datastart = ((unsigned char *)udp) + 8;
-dataend = (unsigned char *)  ip + ntohs(ip->ip_len);
-
-while(datastart < dataend) {
-  if (*datastart != upi->patternbyte) break;
-  datastart++;
-}
-AVs[current_testno].attribute = "DAT";
-if (datastart < dataend)
-  strcpy(AVs[current_testno].value, "F"); /* They fucked it up */
-else  
-  strcpy(AVs[current_testno].value, "E");
-
-AVs[current_testno].next = NULL;
-
-return AVs;
-}
-
 /* This function takes an array of "numSamples" IP IDs and analyzes
  them to determine their sequenceability classification.  It returns
  one of the IPID_SEQ_* classifications defined in nmap.h .  If the
diff --git a/osscan.h b/osscan.h
index 573e03e20..06164e6a2 100644
--- a/osscan.h
+++ b/osscan.h
@@ -120,11 +120,6 @@
 
 /**********************  PROTOTYPES  ***********************************/
 int os_scan(Target *target);
-FingerPrint *get_fingerprint(Target *target, struct seq_info *si);
-struct AVal *fingerprint_iptcppacket(struct ip *ip, int mss, unsigned int syn);
-struct AVal *fingerprint_portunreach(struct ip *ip, struct udpprobeinfo *upi);
-unsigned int get_gcd_n_ulong(int numvalues, unsigned int *values);
-unsigned int euclid_gcd(unsigned int a, unsigned int b);
 char *fp2ascii(FingerPrint *FP);
 
 /* Parses a single fingerprint from the memory region given.  If a
@@ -151,30 +146,13 @@ double compare_fingerprints(FingerPrint *referenceFP, FingerPrint *observedFP,
    FingerPrintResults class.  */
 void match_fingerprint(FingerPrint *FP, FingerPrintResults *FPR, 
 		       FingerPrint **reference_FPs, double accuracy_threshold);
-struct AVal *str2AVal(char *p);
-struct AVal *gettestbyname(FingerPrint *FP, const char *name);
 
 /* Returns true if perfect match -- if num_subtests & num_subtests_succeeded are non_null it updates them.  if shortcircuit is zero, it does all the tests, otherwise it returns when the first one fails */
 
-/* Returns true if perfect match -- if num_subtests &
-   num_subtests_succeeded are non_null it ADDS THE NEW VALUES to what
-   is already there.  So initialize them to zero first if you only
-   want to see the results from this match.  if shortcircuit is zero,
-   it does all the tests, otherwise it returns when the first one
-   fails */
-int AVal_match(struct AVal *reference, struct AVal *fprint, unsigned long *num_subtests, unsigned long *num_subtests_succeeded, int shortcut);
-
 void freeFingerPrint(FingerPrint *FP);
 char *mergeFPs(FingerPrint *FPs[], int numFPs, int openport, int closedport,
 	       const u8 *mac);
 
-/* Writes an informational "Test" result suitable for including at the
-   top of a fingerprint.  Gives info which might be useful when the
-   FPrint is submitted (eg Nmap version, etc).  Result is written (up
-   to ostrlen) to the ostr var passed in */
-void WriteSInfo(char *ostr, int ostrlen, int openport, int closedport, 
-		const u8 *mac);
-
 /* This function takes an array of "numSamples" IP IDs and analyzes
  them to determine their sequenceability classification.  It returns
  one of the IPID_SEQ_* classifications defined in nmap.h .  If the
diff --git a/output.cc b/output.cc
index 45b0e6406..60575a8e7 100644
--- a/output.cc
+++ b/output.cc
@@ -119,7 +119,7 @@ extern NmapOps o;
 static char *logtypes[LOG_NUM_FILES]=LOG_NAMES;
 
 /* Used in creating skript kiddie style output.  |<-R4d! */
-void skid_output(char *s)
+static void skid_output(char *s)
 {
   int i;
   for (i=0;s[i];i++)
@@ -824,7 +824,7 @@ int log_open(int logt, int append, char *filename)
 /* The items in ports should be
    in sequential order for space savings and easier to read output.  Outputs
    the rangelist to the log stream given (such as LOG_MACHINE or LOG_XML) */
-void output_rangelist_given_ports(int logt, unsigned short *ports,
+static void output_rangelist_given_ports(int logt, unsigned short *ports,
 						    int numports) {
 int i, previous_port = -2, range_start = -2, port;
 char outpbuf[128];
@@ -907,6 +907,26 @@ void output_xml_scaninfo_records(struct scan_lists *scanlist) {
   log_flush_all();
 }
 
+/* Prints the MAC address (if discovered) to XML output */
+static void print_MAC_XML_Info(Target *currenths) {
+  const u8 *mac = currenths->MACAddress();
+  char macascii[32];
+  char vendorstr[128];
+  char *xml_mac = NULL;
+
+  if (mac) {
+    const char *macvendor = MACPrefix2Corp(mac);
+    snprintf(macascii, sizeof(macascii), "%02X:%02X:%02X:%02X:%02X:%02X",
+	     mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
+    if (macvendor) {
+      xml_mac = xml_convert(macvendor);
+      snprintf(vendorstr, sizeof(vendorstr), " vendor=\"%s\"", xml_mac);
+      free(xml_mac);
+    } else vendorstr[0] = '\0';
+    log_write(LOG_XML, "<address addr=\"%s\" addrtype=\"mac\"%s />\n", macascii, vendorstr);
+  }
+}
+
 /* Helper function to write the status and address/hostname info of a host 
    into the XML log */
 static void write_xml_initial_hostinfo(Target *currenths,
@@ -1139,25 +1159,6 @@ void printmacinfo(Target *currenths) {
   }
 }
 
-/* Prints the MAC address (if discovered) to XML output */
-void print_MAC_XML_Info(Target *currenths) {
-  const u8 *mac = currenths->MACAddress();
-  char macascii[32];
-  char vendorstr[128];
-  char *xml_mac = NULL;
-
-  if (mac) {
-    const char *macvendor = MACPrefix2Corp(mac);
-    snprintf(macascii, sizeof(macascii), "%02X:%02X:%02X:%02X:%02X:%02X",
-	     mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
-    if (macvendor) {
-      xml_mac = xml_convert(macvendor);
-      snprintf(vendorstr, sizeof(vendorstr), " vendor=\"%s\"", xml_mac);
-      free(xml_mac);
-    } else vendorstr[0] = '\0';
-    log_write(LOG_XML, "<address addr=\"%s\" addrtype=\"mac\"%s />\n", macascii, vendorstr);
-  }
-}
 
 
 /* Prints the formatted OS Scan output to stdout, logfiles, etc (but only
diff --git a/output.h b/output.h
index f069fb717..b5800107f 100644
--- a/output.h
+++ b/output.h
@@ -136,9 +136,6 @@ void printportoutput(Target *currenths, PortList *plist);
    in a certain place to conform to DTD. */
 void printmacinfo(Target *currenths);
 
-/* Prints the MAC address (if discovered) to XML output */
-void print_MAC_XML_Info(Target *currenths);
-
 /* Write some information (printf style args) to the given log stream(s).
    Remember to watch out for format string bugs. */
 void log_write(int logt, const char *fmt, ...)
@@ -168,9 +165,6 @@ void log_flush_all();
    it already exists.  If the file does not exist, it will be created */
 int log_open(int logt, int append, char *filename);
 
-/* Used in creating skript kiddie style output.  |<-R4d! */
-void skid_output(char *s);
-
 /* Output the list of ports scanned to the top of machine parseable
    logs (in a comment, unfortunately).  The items in ports should be
    in sequential order for space savings and easier to read output */
@@ -178,13 +172,6 @@ void output_ports_to_machine_parseable_output(struct scan_lists *ports,
 					      int tcpscan, int udpscan,
 					      int protscan);
 
-/* The items in ports should be
-   in sequential order for space savings and easier to read output.  Outputs
-   the rangelist to the log stream given (such as LOG_MACHINE or LOG_XML) */
-void output_rangelist_given_ports(int logt, unsigned short *ports,
-				  int numports);
-
-
 /* Similar to output_ports_to_machine_parseable_output, this function
    outputs the XML version, which is scaninfo records of each scan
    requested and the ports which it will scan for */
diff --git a/protocols.cc b/protocols.cc
index a1e13f32b..265a92dc6 100644
--- a/protocols.cc
+++ b/protocols.cc
@@ -103,11 +103,13 @@
 #include "NmapOps.h"
 
 extern NmapOps o;
-static int protocols_initialized = 0;
 static int numipprots = 0;
 static struct protocol_list *protocol_table[PROTOCOL_TABLE_SIZE];
 
 static int nmap_protocols_init() {
+  static int protocols_initialized = 0;
+  if (protocols_initialized) return 0;
+
   char filename[512];
   FILE *fp;
   char protocolname[128];
@@ -179,9 +181,8 @@ static int nmap_protocols_init() {
 struct protoent *nmap_getprotbynum(int num) {
   struct protocol_list *current;
 
-  if (!protocols_initialized)
-    if (nmap_protocols_init() == -1)
-      return NULL;
+  if (nmap_protocols_init() == -1)
+    return NULL;
 
   for(current = protocol_table[num % PROTOCOL_TABLE_SIZE];
       current; current = current->next) {
@@ -202,9 +203,8 @@ struct scan_lists *getdefaultprots(void) {
   int bucket;
   int protsneeded = 256;
 
-  if (!protocols_initialized)
-    if (nmap_protocols_init() == -1)
-      fatal("getdefaultprots(): Couldn't get protocol numbers");
+  if (nmap_protocols_init() == -1)
+    fatal("getdefaultprots(): Couldn't get protocol numbers");
   
   scanlist = (struct scan_lists *) safe_zalloc(sizeof(struct scan_lists));
   scanlist->prots = (unsigned short *) safe_zalloc((protsneeded) * sizeof(unsigned short));
@@ -224,9 +224,8 @@ struct scan_lists *getfastprots(void) {
   int bucket;
   int protsneeded = 0;
 
-  if (!protocols_initialized)
-    if (nmap_protocols_init() == -1)
-      fatal("Getfastprots: Couldn't get protocol numbers");
+  if (nmap_protocols_init() == -1)
+    fatal("Getfastprots: Couldn't get protocol numbers");
   
   memset(usedprots, 0, sizeof(usedprots));
 
diff --git a/scan_engine.cc b/scan_engine.cc
index 8f2f007c2..9463cf843 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -576,9 +576,6 @@ private:
 
 };
 
-bool ultrascan_port_pspec_update(UltraScanInfo *USI, HostScanStats *hss, 
-				 const probespec *pspec, int newstate);
-
 /* Whether this is storing timing stats for a whole group or an
    individual host */
 enum ultra_timing_type { TIMING_HOST, TIMING_GROUP };
@@ -590,11 +587,6 @@ static void init_ultra_timing_vals(ultra_timing_vals *timing,
 				   int num_hosts_in_group, 
 				   struct ultra_scan_performance_vars *perf,
 				   struct timeval *now);
-/* Adjust various timing variables based on pcket receipt.  Pass
-   rcvdtime = NULL if you have given up on a probe and want to count
-   this as a DROPPED PACKET */
-void ultrascan_adjust_times(UltraScanInfo *USI, HostScanStats *hss, 
-		       UltraProbe *probe, struct timeval *rcvdtime);
 
 /* Take a buffer, buf, of size bufsz (32 bytes is sufficient) and 
    writes a short description of the probe (arg1) into buf.  It also returns 
@@ -1495,189 +1487,10 @@ void HostScanStats::destroyOutstandingProbe(list<UltraProbe *>::iterator probeI)
   delete probe;
 }
 
- /* Mark an outstanding probe as timedout.  Adjusts stats
-     accordingly.  For connect scans, this closes the socket. */
-void HostScanStats::markProbeTimedout(list<UltraProbe *>::iterator probeI) {
-  UltraProbe *probe = *probeI;
-  assert(!probe->timedout);
-  assert(!probe->retransmitted);
-  probe->timedout = true;
-  assert(num_probes_active > 0);
-  num_probes_active--;
-  assert(USI->gstats->num_probes_active > 0);
-  USI->gstats->num_probes_active--;
-  if (probe->isPing()) {
-    ultrascan_adjust_times(USI, this, probe, NULL);
-    /* I'll leave it in the queue in case some response ever does
-       come */
-  } else num_probes_waiting_retransmit++;
-
-  if (probe->type == UltraProbe::UP_CONNECT && probe->CP()->sd >= 0 ) {
-    /* Free the socket as that is a valuable resource, though it is a shame
-       late responses will not be permitted */
-    USI->gstats->CSI->clearSD(probe->CP()->sd);
-    close(probe->CP()->sd);
-    probe->CP()->sd = -1;
-  }
-}
-
-bool HostScanStats::completed() {
-  return num_probes_active == 0 && num_probes_waiting_retransmit == 0 && 
-    probe_bench.empty() && retry_stack.empty() && freshPortsLeft() == 0;
-}
-
-/* Encode the trynum into a 32-bit value.  A simple checksum is also included
-   to verify whether a received version is correct. */
-static u32 seq32_encode(UltraScanInfo *USI, unsigned int trynum, 
-			unsigned int pingseq) {
-  u32 seq = 0;
-  u16 nfo;
-
-  /* We'll let pingseq and trynum each be 8 bits */
-  nfo = (pingseq << 8) + trynum;
-  seq = (nfo << 16) + nfo; /* Mirror the data to ensure it is reconstructed correctly */
-  /* Obfuscate it a little */
-  seq = seq ^ USI->seqmask;
-  return seq;
-}
-
-/* This function provides the proper cwnd and ccthresh to use.  It may
-   differ from versions in timing member var because when no responses
-   have been received for this host, may look at others in the group.
-   For CHANGING this host's timing, use the timing memberval
-   instead. */
-void HostScanStats::getTiming(struct ultra_timing_vals *tmng) {
-  assert(tmng);
-
-  /* Use the per-host value if a pingport has been found or very few probes
-     have been sent */
-  if (pingprobestate != PORT_UNKNOWN || numprobes_sent < 80) {
-    *tmng = timing;
-    return;
-  }
-
-  /* Otherwise, use the global cwnd stats if it has sufficient responses */
-  if (USI->gstats->timing.num_updates > 1) {
-    *tmng = USI->gstats->timing;
-    return;
-  }
-
-  /* Last resort is to use canned values */
-  tmng->cwnd = USI->perf.host_initial_cwnd;
-  tmng->ccthresh = USI->perf.initial_ccthresh;
-  tmng->num_updates = 0;
-  return;
-}
-
-  /* Boost the scan delay for this host, usually because too many packet
-     drops were detected. */
-void HostScanStats::boostScanDelay() {
-  unsigned int maxAllowed = (USI->tcp_scan)? o.maxTCPScanDelay() : o.maxUDPScanDelay();
-  if (sdn.delayms == 0)
-    sdn.delayms = (USI->udp_scan)? 50 : 5; // In many cases, a pcap wait takes a minimum of 80ms, so this matters little :(
-  else sdn.delayms = MIN(sdn.delayms * 2, MAX(sdn.delayms, 1000));
-  sdn.delayms = MIN(sdn.delayms, maxAllowed); 
-  sdn.last_boost = USI->now;
-  sdn.droppedRespSinceDelayChanged = 0;
-  sdn.goodRespSinceDelayChanged = 0;
-}
-
-/* Dismiss all probe attempts on bench -- the ports are marked
-     'filtered' or whatever is appropriate for having no response */
-void HostScanStats::dismissBench() {
-  int newstate;
-
-  if (probe_bench.empty()) return;
-  newstate = scantype_no_response_means(USI->scantype);
-  while(!probe_bench.empty()) {
-    ultrascan_port_pspec_update(USI, this, &probe_bench.back(), newstate);
-    probe_bench.pop_back();
-  }
-  bench_tryno = 0;
-}
-
-/* Move all members of bench to retry_stack for probe retransmission */
-void HostScanStats::retransmitBench() {
-  int newstate;
-  if (probe_bench.empty()) return;
-
-  /* Move all contents of probe_bench to the end of retry_stack, updating retry_stack_tries accordingly */
-  retry_stack.insert(retry_stack.end(), probe_bench.begin(), probe_bench.end());
-  retry_stack_tries.insert(retry_stack_tries.end(), probe_bench.size(), 
-			   bench_tryno);
-  assert(retry_stack.size() == retry_stack_tries.size());
-  probe_bench.erase(probe_bench.begin(), probe_bench.end());
-  newstate = scantype_no_response_means(USI->scantype);
-  bench_tryno = 0;
-}
-
- /* Moves the given probe from the probes_outstanding list, to
-     probe_bench, and decrements num_probes_waiting_retransmit
-     accordingly */
-void HostScanStats::moveProbeToBench(list<UltraProbe *>::iterator probeI) {
-  UltraProbe *probe = *probeI;
-  if (!probe_bench.empty()) 
-    assert(bench_tryno == probe->tryno);
-  else {
-    bench_tryno = probe->tryno;
-    probe_bench.reserve(128);
-  }
-  probe_bench.push_back(*probe->pspec());
-  probes_outstanding.erase(probeI);
-  num_probes_waiting_retransmit--;
-  delete probe;
-}
-
-/* Undoes seq32_encode.  Returns true if the checksum is correct and
-   thus trynum was decoded properly.  In that case, trynum (if not
-   null) is filled with the decoded value.  If pingseq is not null, it
-   is filled with the scanping sequence number, which is 0 if this is
-   not a ping. */
-
-static bool seq32_decode(UltraScanInfo *USI, u32 seq, unsigned int *trynum,
-			 unsigned int *pingseq) {
-  if (trynum) *trynum = 0;
-  if (pingseq) *pingseq = 0;
-
-  /* Undo the mask xor */
-  seq = seq ^ USI->seqmask;
-  /* Check that both sides are the same */
-  if ((seq >> 16) != (seq & 0xFFFF))
-    return false;
-
-  if (trynum) 
-    *trynum = seq & 0xFF;
-
-  if (pingseq)
-    *pingseq = (seq & 0xFF00) >> 8;
-
-  return true;
-}
-
-/* Sometimes the trynumber and/or pingseq are stored in a source
-   portnumber of probes instead.  This takes a port number in HOST
-   BYTE ORDER.  Returns true if the numbers seem reasonable, false if
-   they are bogus. */
-bool sport_decode(UltraScanInfo *USI, u16 portno, unsigned int *trynum, 
-		  unsigned int *pingseq) {
-  int tryval;
-  tryval = portno - o.magic_port;
-  if (tryval <= USI->perf.tryno_cap) {
-    if (pingseq) *pingseq = 0;
-    if (trynum) *trynum = tryval;
-  } else {
-    if (pingseq) *pingseq = tryval - USI->perf.tryno_cap;
-    if (trynum) *trynum = 0;
-  }
-  if (tryval > USI->perf.tryno_cap + 256)
-    return false;
-  return true;
-}
-
 /* Adjust various timing variables based on pcket receipt.  Pass
    rcvdtime = NULL if you have given up on a probe and want to count
    this as a DROPPED PACKET */
-void ultrascan_adjust_times(UltraScanInfo *USI, HostScanStats *hss, 
+static void ultrascan_adjust_times(UltraScanInfo *USI, HostScanStats *hss, 
 		       UltraProbe *probe, struct timeval *rcvdtime) {
 
   int ping_magnifier = (probe->isPing())? USI->perf.ping_magnifier : 1;
@@ -1762,48 +1575,87 @@ void ultrascan_adjust_times(UltraScanInfo *USI, HostScanStats *hss,
   }
 }
 
-/* Called when a ping response is discovered. */
-static void ultrascan_ping_update(UltraScanInfo *USI, HostScanStats *hss, 
-				  list<UltraProbe *>::iterator probeI,
-				  struct timeval *rcvdtime) {
-  ultrascan_adjust_times(USI, hss, *probeI, rcvdtime);
-  hss->destroyOutstandingProbe(probeI);
+ /* Mark an outstanding probe as timedout.  Adjusts stats
+     accordingly.  For connect scans, this closes the socket. */
+void HostScanStats::markProbeTimedout(list<UltraProbe *>::iterator probeI) {
+  UltraProbe *probe = *probeI;
+  assert(!probe->timedout);
+  assert(!probe->retransmitted);
+  probe->timedout = true;
+  assert(num_probes_active > 0);
+  num_probes_active--;
+  assert(USI->gstats->num_probes_active > 0);
+  USI->gstats->num_probes_active--;
+  if (probe->isPing()) {
+    ultrascan_adjust_times(USI, this, probe, NULL);
+    /* I'll leave it in the queue in case some response ever does
+       come */
+  } else num_probes_waiting_retransmit++;
+
+  if (probe->type == UltraProbe::UP_CONNECT && probe->CP()->sd >= 0 ) {
+    /* Free the socket as that is a valuable resource, though it is a shame
+       late responses will not be permitted */
+    USI->gstats->CSI->clearSD(probe->CP()->sd);
+    close(probe->CP()->sd);
+    probe->CP()->sd = -1;
+  }
 }
 
+bool HostScanStats::completed() {
+  return num_probes_active == 0 && num_probes_waiting_retransmit == 0 && 
+    probe_bench.empty() && retry_stack.empty() && freshPortsLeft() == 0;
+}
 
-/* Called when a new status is determined for host in hss (eg. it is
-   found to be up or down by a ping/ping_arp scan.  The probe that led
-   to this new decision is in probeI.  This function needs to update
-   timing information and other stats as appropriate.If rcvdtime is
-   NULL, packet stats are not updated. */
-static void ultrascan_host_update(UltraScanInfo *USI, HostScanStats *hss, 
-				  list<UltraProbe *>::iterator probeI,
-				  int newstate, struct timeval *rcvdtime) {
-  UltraProbe *probe = *probeI;
-  if (rcvdtime) ultrascan_adjust_times(USI, hss, probe, rcvdtime);
+/* Encode the trynum into a 32-bit value.  A simple checksum is also included
+   to verify whether a received version is correct. */
+static u32 seq32_encode(UltraScanInfo *USI, unsigned int trynum, 
+			unsigned int pingseq) {
+  u32 seq = 0;
+  u16 nfo;
 
-  /* Adjust the target flags to note the new state. */
-  if ((hss->target->flags & HOST_UP) == 0) {
-    if (newstate == HOST_UP) {
-      /* Clear any HOST_DOWN or HOST_FIREWALLED flags */
-      hss->target->flags &= ~(HOST_DOWN|HOST_FIREWALLED);
-      hss->target->flags |= HOST_UP;
-    } else if (newstate == HOST_DOWN) {
-      hss->target->flags &= ~HOST_FIREWALLED;
-      hss->target->flags |= HOST_DOWN;
-    } else assert(0);
+  /* We'll let pingseq and trynum each be 8 bits */
+  nfo = (pingseq << 8) + trynum;
+  seq = (nfo << 16) + nfo; /* Mirror the data to ensure it is reconstructed correctly */
+  /* Obfuscate it a little */
+  seq = seq ^ USI->seqmask;
+  return seq;
+}
+
+/* This function provides the proper cwnd and ccthresh to use.  It may
+   differ from versions in timing member var because when no responses
+   have been received for this host, may look at others in the group.
+   For CHANGING this host's timing, use the timing memberval
+   instead. */
+void HostScanStats::getTiming(struct ultra_timing_vals *tmng) {
+  assert(tmng);
+
+  /* Use the per-host value if a pingport has been found or very few probes
+     have been sent */
+  if (pingprobestate != PORT_UNKNOWN || numprobes_sent < 80) {
+    *tmng = timing;
+    return;
   }
 
-  /* Kill outstanding probes */
-  while(!hss->probes_outstanding.empty())
-    hss->destroyOutstandingProbe(hss->probes_outstanding.begin());
+  /* Otherwise, use the global cwnd stats if it has sufficient responses */
+  if (USI->gstats->timing.num_updates > 1) {
+    *tmng = USI->gstats->timing;
+    return;
+  }
+
+  /* Last resort is to use canned values */
+  tmng->cwnd = USI->perf.host_initial_cwnd;
+  tmng->ccthresh = USI->perf.initial_ccthresh;
+  tmng->num_updates = 0;
+  return;
 }
 
 /* Like ultrascan_port_probe_update(), except it is called with just a
    probespec rather than a whole UltraProbe.  Returns true if the port
    was added or at least the state was changed.  */
-bool ultrascan_port_pspec_update(UltraScanInfo *USI, HostScanStats *hss, 
-				 const probespec *pspec, int newstate) {
+static bool ultrascan_port_pspec_update(UltraScanInfo *USI, 
+					HostScanStats *hss, 
+					const probespec *pspec,
+					int newstate) {
   u16 portno;
   u8 proto = 0;
   int oldstate = PORT_TESTING;
@@ -1904,6 +1756,150 @@ bool ultrascan_port_pspec_update(UltraScanInfo *USI, HostScanStats *hss,
   return oldstate != newstate;
 }
 
+  /* Boost the scan delay for this host, usually because too many packet
+     drops were detected. */
+void HostScanStats::boostScanDelay() {
+  unsigned int maxAllowed = (USI->tcp_scan)? o.maxTCPScanDelay() : o.maxUDPScanDelay();
+  if (sdn.delayms == 0)
+    sdn.delayms = (USI->udp_scan)? 50 : 5; // In many cases, a pcap wait takes a minimum of 80ms, so this matters little :(
+  else sdn.delayms = MIN(sdn.delayms * 2, MAX(sdn.delayms, 1000));
+  sdn.delayms = MIN(sdn.delayms, maxAllowed); 
+  sdn.last_boost = USI->now;
+  sdn.droppedRespSinceDelayChanged = 0;
+  sdn.goodRespSinceDelayChanged = 0;
+}
+
+/* Dismiss all probe attempts on bench -- the ports are marked
+     'filtered' or whatever is appropriate for having no response */
+void HostScanStats::dismissBench() {
+  int newstate;
+
+  if (probe_bench.empty()) return;
+  newstate = scantype_no_response_means(USI->scantype);
+  while(!probe_bench.empty()) {
+    ultrascan_port_pspec_update(USI, this, &probe_bench.back(), newstate);
+    probe_bench.pop_back();
+  }
+  bench_tryno = 0;
+}
+
+/* Move all members of bench to retry_stack for probe retransmission */
+void HostScanStats::retransmitBench() {
+  int newstate;
+  if (probe_bench.empty()) return;
+
+  /* Move all contents of probe_bench to the end of retry_stack, updating retry_stack_tries accordingly */
+  retry_stack.insert(retry_stack.end(), probe_bench.begin(), probe_bench.end());
+  retry_stack_tries.insert(retry_stack_tries.end(), probe_bench.size(), 
+			   bench_tryno);
+  assert(retry_stack.size() == retry_stack_tries.size());
+  probe_bench.erase(probe_bench.begin(), probe_bench.end());
+  newstate = scantype_no_response_means(USI->scantype);
+  bench_tryno = 0;
+}
+
+ /* Moves the given probe from the probes_outstanding list, to
+     probe_bench, and decrements num_probes_waiting_retransmit
+     accordingly */
+void HostScanStats::moveProbeToBench(list<UltraProbe *>::iterator probeI) {
+  UltraProbe *probe = *probeI;
+  if (!probe_bench.empty()) 
+    assert(bench_tryno == probe->tryno);
+  else {
+    bench_tryno = probe->tryno;
+    probe_bench.reserve(128);
+  }
+  probe_bench.push_back(*probe->pspec());
+  probes_outstanding.erase(probeI);
+  num_probes_waiting_retransmit--;
+  delete probe;
+}
+
+/* Undoes seq32_encode.  Returns true if the checksum is correct and
+   thus trynum was decoded properly.  In that case, trynum (if not
+   null) is filled with the decoded value.  If pingseq is not null, it
+   is filled with the scanping sequence number, which is 0 if this is
+   not a ping. */
+
+static bool seq32_decode(UltraScanInfo *USI, u32 seq, unsigned int *trynum,
+			 unsigned int *pingseq) {
+  if (trynum) *trynum = 0;
+  if (pingseq) *pingseq = 0;
+
+  /* Undo the mask xor */
+  seq = seq ^ USI->seqmask;
+  /* Check that both sides are the same */
+  if ((seq >> 16) != (seq & 0xFFFF))
+    return false;
+
+  if (trynum) 
+    *trynum = seq & 0xFF;
+
+  if (pingseq)
+    *pingseq = (seq & 0xFF00) >> 8;
+
+  return true;
+}
+
+/* Sometimes the trynumber and/or pingseq are stored in a source
+   portnumber of probes instead.  This takes a port number in HOST
+   BYTE ORDER.  Returns true if the numbers seem reasonable, false if
+   they are bogus. */
+static bool sport_decode(UltraScanInfo *USI, u16 portno, unsigned int *trynum, 
+		  unsigned int *pingseq) {
+  int tryval;
+  tryval = portno - o.magic_port;
+  if (tryval <= USI->perf.tryno_cap) {
+    if (pingseq) *pingseq = 0;
+    if (trynum) *trynum = tryval;
+  } else {
+    if (pingseq) *pingseq = tryval - USI->perf.tryno_cap;
+    if (trynum) *trynum = 0;
+  }
+  if (tryval > USI->perf.tryno_cap + 256)
+    return false;
+  return true;
+}
+
+
+/* Called when a ping response is discovered. */
+static void ultrascan_ping_update(UltraScanInfo *USI, HostScanStats *hss, 
+				  list<UltraProbe *>::iterator probeI,
+				  struct timeval *rcvdtime) {
+  ultrascan_adjust_times(USI, hss, *probeI, rcvdtime);
+  hss->destroyOutstandingProbe(probeI);
+}
+
+
+/* Called when a new status is determined for host in hss (eg. it is
+   found to be up or down by a ping/ping_arp scan.  The probe that led
+   to this new decision is in probeI.  This function needs to update
+   timing information and other stats as appropriate.If rcvdtime is
+   NULL, packet stats are not updated. */
+static void ultrascan_host_update(UltraScanInfo *USI, HostScanStats *hss, 
+				  list<UltraProbe *>::iterator probeI,
+				  int newstate, struct timeval *rcvdtime) {
+  UltraProbe *probe = *probeI;
+  if (rcvdtime) ultrascan_adjust_times(USI, hss, probe, rcvdtime);
+
+  /* Adjust the target flags to note the new state. */
+  if ((hss->target->flags & HOST_UP) == 0) {
+    if (newstate == HOST_UP) {
+      /* Clear any HOST_DOWN or HOST_FIREWALLED flags */
+      hss->target->flags &= ~(HOST_DOWN|HOST_FIREWALLED);
+      hss->target->flags |= HOST_UP;
+    } else if (newstate == HOST_DOWN) {
+      hss->target->flags &= ~HOST_FIREWALLED;
+      hss->target->flags |= HOST_DOWN;
+    } else assert(0);
+  }
+
+  /* Kill outstanding probes */
+  while(!hss->probes_outstanding.empty())
+    hss->destroyOutstandingProbe(hss->probes_outstanding.begin());
+}
+
+
 /* This function is called when a new status is determined for a port.
    the port in the probeI of host hss is now in newstate.  This
    function needs to update timing information, other stats, and the
@@ -2276,7 +2272,7 @@ static void doAnyRetryStackRetransmits(UltraScanInfo *USI) {
 /* Sends a ping probe to the host.  Assumes that caller has already
    checked that sending is OK w/congestion control and that pingprobe is
    available */
-void sendPingProbe(UltraScanInfo *USI, HostScanStats *hss) {
+static void sendPingProbe(UltraScanInfo *USI, HostScanStats *hss) {
   if (o.debugging > 1) {
     char tmpbuf[32];
     printf("Ultrascan PING SENT to %s [%s]\n", hss->target->targetipstr(), 
@@ -2413,7 +2409,7 @@ static void doAnyOutstandingRetransmits(UltraScanInfo *USI) {
 
 /* Print occasional remaining time estimates, as well as
    debugging information */
-void printAnyStats(UltraScanInfo *USI) {
+static void printAnyStats(UltraScanInfo *USI) {
 
   list<HostScanStats *>::iterator hostI;
   HostScanStats *hss;
@@ -2665,7 +2661,7 @@ static bool do_one_select_round(UltraScanInfo *USI, struct timeval *stime) {
    match, or if matching seems to be broken for one reason or
    another.  You can send in HBO or NBO, just as
    long as the two values are in the same byte order. */
-bool allow_ipid_match(u16 ipid_sent, u16 ipid_rcvd) {
+static bool allow_ipid_match(u16 ipid_sent, u16 ipid_rcvd) {
   static int numvalid = 0;
   static int numbogus = 0;
 
@@ -3220,7 +3216,7 @@ static void begin_sniffer(UltraScanInfo *USI, vector<Target *> &Targets) {
 
 /* Go through the data structures, making appropriate changes (such as expiring
    probes, noting when hosts are complete, etc. */
-void processData(UltraScanInfo *USI) {
+static void processData(UltraScanInfo *USI) {
   list<HostScanStats *>::iterator hostI;
   list<UltraProbe *>::iterator probeI, nextProbeI;
   HostScanStats *host = NULL;
@@ -3568,7 +3564,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
    way got overloaded and dropped the last X packets, they are
    likely to get through (and flag us a problem if responsive)
    if we let them go first in the next round */
-void reverse_testing_order(struct portinfolist *pil, struct portinfo *scanarray) {
+static void reverse_testing_order(struct portinfolist *pil, struct portinfo *scanarray) {
   int currentidx, nextidx;
   struct portinfo *current;
 
diff --git a/service_scan.cc b/service_scan.cc
index 22b2af664..27173345b 100644
--- a/service_scan.cc
+++ b/service_scan.cc
@@ -259,7 +259,6 @@ void servicescan_read_handler(nsock_pool nsp, nsock_event nse, void *mydata);
 void servicescan_write_handler(nsock_pool nsp, nsock_event nse, void *mydata);
 void servicescan_connect_handler(nsock_pool nsp, nsock_event nse, void *mydata);
 void end_svcprobe(nsock_pool nsp, enum serviceprobestate probe_state, ServiceGroup *SG, ServiceNFO *svc, nsock_iod nsi);
-int launchSomeServiceProbes(nsock_pool nsp, ServiceGroup *SG);
 
 ServiceProbeMatch::ServiceProbeMatch() {
   deflineno = -1;
@@ -1044,7 +1043,7 @@ void ServiceProbe::addMatch(const char *match, int lineno) {
 }
 
 // Parses the given nmap-service-probes file into the AP class
-void parse_nmap_service_probe_file(AllProbes *AP, char *filename) {
+static void parse_nmap_service_probe_file(AllProbes *AP, char *filename) {
   ServiceProbe *newProbe;
   char line[2048];
   int lineno = 0;
@@ -1137,6 +1136,17 @@ void parse_nmap_service_probes(AllProbes *AP) {
   parse_nmap_service_probe_file(AP, filename);
 }
 
+static AllProbes *service_scan_init(void)
+{
+  static AllProbes *AP;
+
+  if (AP) return AP;
+  AP = new AllProbes();
+  parse_nmap_service_probes(AP);
+
+  return AP;
+}
+
 // If the buf (of length buflen) matches one of the regexes in this
 // ServiceProbe, returns the details of the match (service name,
 // version number if applicable, and whether this is a "soft" match.
@@ -1892,6 +1902,52 @@ void end_svcprobe(nsock_pool nsp, enum serviceprobestate probe_state, ServiceGro
   return;
 }
 
+// This function consults the ServiceGroup to determine whether any
+// more probes can be launched at this time.  If so, it determines the
+// appropriate ones and then starts them up.
+static int launchSomeServiceProbes(nsock_pool nsp, ServiceGroup *SG) {
+  ServiceNFO *svc;
+  ServiceProbe *nextprobe;
+  struct sockaddr_storage ss;
+  size_t ss_len;
+
+  while (SG->services_in_progress.size() < SG->ideal_parallelism &&
+	 !SG->services_remaining.empty()) {
+    // Start executing a probe from the new list and move it to in_progress
+    svc = SG->services_remaining.front();
+    if (svc->target->timedOut(nsock_gettimeofday())) {
+      end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, NULL);
+      continue;
+    }
+    nextprobe = svc->nextProbe(true);
+    // We start by requesting a connection to the target
+    if ((svc->niod = nsi_new(nsp, svc)) == NULL) {
+      fatal("Failed to allocate Nsock I/O descriptor in launchSomeServiceProbes()");
+    }
+    if (o.debugging > 1) {
+      printf("Starting probes against new service: %s:%hi (%s)\n", svc->target->targetipstr(), svc->portno, proto2ascii(svc->proto));
+    }
+    svc->target->TargetSockAddr(&ss, &ss_len);
+    if (svc->proto == IPPROTO_TCP)
+      nsock_connect_tcp(nsp, svc->niod, servicescan_connect_handler, 
+			DEFAULT_CONNECT_TIMEOUT, svc, 
+			(struct sockaddr *)&ss, ss_len,
+			svc->portno);
+    else {
+      assert(svc->proto == IPPROTO_UDP);
+      nsock_connect_udp(nsp, svc->niod, servicescan_connect_handler, 
+			svc, (struct sockaddr *) &ss, ss_len,
+			svc->portno);
+    }
+    // Now remove it from the remaining service list
+    SG->services_remaining.pop_front();
+    // And add it to the in progress list
+    SG->services_in_progress.push_back(svc);
+  }
+  return 0;
+}
+
+
 void servicescan_connect_handler(nsock_pool nsp, nsock_event nse, void *mydata) {
   nsock_iod nsi = nse_iod(nse);
   enum nse_status status = nse_status(nse);
@@ -2172,8 +2228,7 @@ void servicescan_read_handler(nsock_pool nsp, nsock_event nse, void *mydata) {
 
 // This is used in processResults to determine whether a FP
 // should be printed based on type of match, version intensity, etc.
-
-int shouldWePrintFingerprint(ServiceNFO *svc) {
+static int shouldWePrintFingerprint(ServiceNFO *svc) {
   // Never print FP if hardmatched
   if (svc->probe_state == PROBESTATE_FINISHED_HARDMATCHED)
     return 0;
@@ -2213,52 +2268,6 @@ list<ServiceNFO *>::iterator svc;
  }
 }
 
-
-// This function consults the ServiceGroup to determine whether any
-// more probes can be launched at this time.  If so, it determines the
-// appropriate ones and then starts them up.
-int launchSomeServiceProbes(nsock_pool nsp, ServiceGroup *SG) {
-  ServiceNFO *svc;
-  ServiceProbe *nextprobe;
-  struct sockaddr_storage ss;
-  size_t ss_len;
-
-  while (SG->services_in_progress.size() < SG->ideal_parallelism &&
-	 !SG->services_remaining.empty()) {
-    // Start executing a probe from the new list and move it to in_progress
-    svc = SG->services_remaining.front();
-    if (svc->target->timedOut(nsock_gettimeofday())) {
-      end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, NULL);
-      continue;
-    }
-    nextprobe = svc->nextProbe(true);
-    // We start by requesting a connection to the target
-    if ((svc->niod = nsi_new(nsp, svc)) == NULL) {
-      fatal("Failed to allocate Nsock I/O descriptor in launchSomeServiceProbes()");
-    }
-    if (o.debugging > 1) {
-      printf("Starting probes against new service: %s:%hi (%s)\n", svc->target->targetipstr(), svc->portno, proto2ascii(svc->proto));
-    }
-    svc->target->TargetSockAddr(&ss, &ss_len);
-    if (svc->proto == IPPROTO_TCP)
-      nsock_connect_tcp(nsp, svc->niod, servicescan_connect_handler, 
-			DEFAULT_CONNECT_TIMEOUT, svc, 
-			(struct sockaddr *)&ss, ss_len,
-			svc->portno);
-    else {
-      assert(svc->proto == IPPROTO_UDP);
-      nsock_connect_udp(nsp, svc->niod, servicescan_connect_handler, 
-			svc, (struct sockaddr *) &ss, ss_len,
-			svc->portno);
-    }
-    // Now remove it from the remaining service list
-    SG->services_remaining.pop_front();
-    // And add it to the in progress list
-    SG->services_in_progress.push_back(svc);
-  }
-  return 0;
-}
-
 /* Start the timeout clocks of any targets that have probes.  Assumes
    that this is called before any probes have been launched (so they
    are all in services_remaining */
@@ -2281,7 +2290,7 @@ static void startTimeOutClocks(ServiceGroup *SG) {
 // We iterate through SG->services_remaining and remove any with port/protocol
 // pairs that are excluded. We use AP->isExcluded() to determine which ports
 // are excluded.
-void remove_excluded_ports(AllProbes *AP, ServiceGroup *SG) {
+static void remove_excluded_ports(AllProbes *AP, ServiceGroup *SG) {
   list<ServiceNFO *>::iterator i, nxt;
   ServiceNFO *svc;
 
@@ -2311,7 +2320,7 @@ void remove_excluded_ports(AllProbes *AP, ServiceGroup *SG) {
    Targets specified. */
 int service_scan(vector<Target *> &Targets) {
   // int service_scan(Target *targets[], int num_targets)
-  static AllProbes *AP;
+  AllProbes *AP;
   ServiceGroup *SG;
   nsock_pool nsp;
   struct timeval now;
@@ -2323,10 +2332,7 @@ int service_scan(vector<Target *> &Targets) {
   if (Targets.size() == 0)
     return 1;
 
-  if (!AP) {
-    AP = new AllProbes();
-    parse_nmap_service_probes(AP);
-  }
+  AP = service_scan_init();
 
 
   // Now I convert the targets into a new ServiceGroup
diff --git a/service_scan.h b/service_scan.h
index 017bf952b..2d13a4403 100644
--- a/service_scan.h
+++ b/service_scan.h
@@ -341,8 +341,5 @@ public:
    Targets specified. */
 int service_scan(std::vector<Target *> &Targets);
 
-// Parses the given nmap-service-probes file into the AP class
-void parse_nmap_service_probe_file(AllProbes *AP, char *filename);
-
 #endif /* SERVICE_SCAN_H */
 
diff --git a/services.cc b/services.cc
index afe58df3a..80d230ff5 100644
--- a/services.cc
+++ b/services.cc
@@ -103,12 +103,14 @@
 #include "NmapOps.h"
 
 extern NmapOps o;
-static int services_initialized = 0;
 static int numtcpports = 0;
 static int numudpports = 0;
 static struct service_list *service_table[SERVICE_TABLE_SIZE];
 
 static int nmap_services_init() {
+  static int services_initialized = 0;
+  if (services_initialized) return 0;
+
   char filename[512];
   FILE *fp;
   char servicename[128], proto[16];
@@ -216,9 +218,8 @@ static int nmap_services_init() {
 struct servent *nmap_getservbyport(int port, const char *proto) {
   struct service_list *current;
 
-  if (!services_initialized)
-    if (nmap_services_init() == -1)
-      return NULL;
+  if (nmap_services_init() == -1)
+    return NULL;
 
   for(current = service_table[port % SERVICE_TABLE_SIZE];
       current; current = current->next) {
@@ -244,9 +245,8 @@ struct scan_lists *getdefaultports(int tcpscan, int udpscan) {
   int tcpportsneeded = 0;
   int udpportsneeded = 0;
 
-  if (!services_initialized)
-    if (nmap_services_init() == -1)
-      fatal("Getfastports: Couldn't get port numbers");
+  if (nmap_services_init() == -1)
+    fatal("Getfastports: Couldn't get port numbers");
   
   usedports = (u8 *) safe_zalloc(sizeof(*usedports) * 65536);
 
@@ -308,9 +308,8 @@ struct scan_lists *getfastports(int tcpscan, int udpscan) {
   int tcpportsneeded = 0;
   int udpportsneeded = 0;
 
-  if (!services_initialized)
-    if (nmap_services_init() == -1)
-      fatal("Getfastports: Couldn't get port numbers");
+  if (nmap_services_init() == -1)
+    fatal("Getfastports: Couldn't get port numbers");
   
   usedports = (u8 *) safe_zalloc(sizeof(*usedports) * 65536);
 
diff --git a/targets.cc b/targets.cc
index 965fb164c..35e76a470 100644
--- a/targets.cc
+++ b/targets.cc
@@ -130,6 +130,20 @@ static inline int gethostnum(Target *hostbatch[], Target *target) {
   return 0; // Unreached
 }
 
+char *readhoststate(int state) {
+  switch(state) {
+  case HOST_UP:
+    return "HOST_UP";
+  case HOST_DOWN:
+    return "HOST_DOWN";
+  case HOST_FIREWALLED:
+    return "HOST_FIREWALLED";
+  default:
+    return "UNKNOWN/COMBO";
+  }
+  return NULL;
+}
+
 /* Internal function to update the state of machine (up/down/etc) based on
    ping results */
 static int hostupdate(Target *hostbatch[], Target *target, 
@@ -278,7 +292,7 @@ static void arpping(Target *hostbatch[], int num_hosts,
   return;
 }
 
-void hoststructfry(Target *hostbatch[], int nelem) {
+static void hoststructfry(Target *hostbatch[], int nelem) {
   genfry((unsigned char *)hostbatch, sizeof(Target *), nelem);
   return;
 }
@@ -290,875 +304,87 @@ void returnhost(HostGroupState *hs) {
   hs->next_batch_no--;
 }
 
-Target *nexthost(HostGroupState *hs, TargetGroup *exclude_group,
-			    struct scan_lists *ports, int *pingtype) {
-int hidx = 0;
-int i;
-struct sockaddr_storage ss;
-size_t sslen;
-struct intf_entry *ifentry;
- u32 ifbuf[200] ;
- struct route_nfo rnfo;
- bool arpping_done = false;
- struct timeval now;
+/* Is the host passed as Target to be excluded, much of this logic had  (mdmcl)
+ * to be rewritten from wam's original code to allow for the objects */
+static int hostInExclude(struct sockaddr *checksock, size_t checksocklen, 
+		  TargetGroup *exclude_group) {
+  unsigned long tmpTarget; /* ip we examine */
+  int i=0;                 /* a simple index */
+  char targets_type;       /* what is the address type of the Target Group */
+  struct sockaddr_storage ss; 
+  struct sockaddr_in *sin = (struct sockaddr_in *) &ss;
+  size_t slen;             /* needed for funct but not used */
+  unsigned long mask = 0;  /* our trusty netmask, which we convert to nbo */
+  struct sockaddr_in *checkhost;
 
- ifentry = (struct intf_entry *) ifbuf; 
- ifentry->intf_len = sizeof(ifbuf); // TODO: May want to use a larger buffer if interface aliases prove important.
-if (hs->next_batch_no < hs->current_batch_sz) {
-  /* Woop!  This is easy -- we just pass back the next host struct */
-  return hs->hostbatch[hs->next_batch_no++];
-}
-/* Doh, we need to refresh our array */
-/* for(i=0; i < hs->max_batch_sz; i++) hs->hostbatch[i] = new Target(); */
+  if ((TargetGroup *)0 == exclude_group)
+    return 0;
 
-hs->current_batch_sz = hs->next_batch_no = 0;
-do {
-  /* Grab anything we have in our current_expression */
-  while (hs->current_batch_sz < hs->max_batch_sz && 
-	 hs->current_expression.get_next_host(&ss, &sslen) == 0)
-    {
-      if (hostInExclude((struct sockaddr *)&ss, sslen, exclude_group)) {
-	continue; /* Skip any hosts the user asked to exclude */
-      }
-      hidx = hs->current_batch_sz;
-      hs->hostbatch[hidx] = new Target();
-      hs->hostbatch[hidx]->setTargetSockAddr(&ss, sslen);
+  assert(checksocklen >= sizeof(struct sockaddr_in));
+  checkhost = (struct sockaddr_in *) checksock;
+  if (checkhost->sin_family != AF_INET)
+    checkhost = NULL;
 
-      /* We figure out the source IP/device IFF
-	 1) We are r00t AND
-	 2) We are doing tcp or udp pingscan OR
-	 3) We are doing a raw-mode portscan or osscan OR
-	 4) We are on windows and doing ICMP ping */
-      if (o.isr00t && o.af() == AF_INET && 
-	  ((*pingtype & (PINGTYPE_TCP|PINGTYPE_UDP|PINGTYPE_ARP)) || o.RawScan()
-#ifdef WIN32
-	   || (*pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS))
-#endif // WIN32
-	   )) {
-	hs->hostbatch[hidx]->TargetSockAddr(&ss, &sslen);
-	if (!route_dst(&ss, &rnfo)) {
-	  fatal("%s: failed to determine route to %s", __FUNCTION__, hs->hostbatch[hidx]->NameIP());
+  /* First find out what type of addresses are in the target group */
+  targets_type = exclude_group[i].get_targets_type();
+
+  /* Lets go through the targets until we reach our uninitialized placeholder */
+  while (exclude_group[i].get_targets_type() != TargetGroup::TYPE_NONE)
+  { 
+    /* while there are still hosts in the target group */
+    while (exclude_group[i].get_next_host(&ss, &slen) == 0) {
+      tmpTarget = sin->sin_addr.s_addr; 
+
+      /* For Netmasks simply compare the network bits and move to the next
+       * group if it does not compare, we don't care about the individual addrs */
+      if (targets_type == TargetGroup::IPV4_NETMASK) {
+        mask = htonl((unsigned long) (0-1) << 32-exclude_group[i].get_mask());
+        if ((tmpTarget & mask) == (checkhost->sin_addr.s_addr & mask)) {
+	  exclude_group[i].rewind();
+	  return 1;
+        }
+	else {
+	  break;
 	}
-	if (rnfo.direct_connect) {
-	  hs->hostbatch[hidx]->setDirectlyConnected(true);
-	} else {
-	  hs->hostbatch[hidx]->setDirectlyConnected(false);
-	  hs->hostbatch[hidx]->setNextHop(&rnfo.nexthop, 
-					  sizeof(rnfo.nexthop));
-	}
-	hs->hostbatch[hidx]->setIfType(rnfo.ii.device_type);
-	if (rnfo.ii.device_type == devt_ethernet) {
-	  if (o.spoofMACAddress())
-	    hs->hostbatch[hidx]->setSrcMACAddress(o.spoofMACAddress());
-	  else hs->hostbatch[hidx]->setSrcMACAddress(rnfo.ii.mac);
-	}
-	hs->hostbatch[hidx]->setSourceSockAddr(&rnfo.srcaddr, sizeof(rnfo.srcaddr));
-	if (hidx == 0) /* Because later ones can have different src addy and be cut off group */
-	  o.decoys[o.decoyturn] = hs->hostbatch[hidx]->v4source();
-	hs->hostbatch[hidx]->setDeviceNames(rnfo.ii.devname, rnfo.ii.devfullname);
-	//	  printf("Target %s %s directly connected, goes through local iface %s, which %s ethernet\n", hs->hostbatch[hidx]->NameIP(), hs->hostbatch[hidx]->directlyConnected()? "IS" : "IS NOT", hs->hostbatch[hidx]->deviceName(), (hs->hostbatch[hidx]->ifType() == devt_ethernet)? "IS" : "IS NOT");
-      }
-      
-
-      /* In some cases, we can only allow hosts that use the same
-	 device in a group.  Similarly, we don't mix
-	 directly-connected boxes with those that aren't */
-      if (o.af() == AF_INET && o.isr00t && hidx > 0 && 
-	  hs->hostbatch[hidx]->deviceName() && 
-	  (hs->hostbatch[hidx]->v4source().s_addr != hs->hostbatch[0]->v4source().s_addr || 
-	   strcmp(hs->hostbatch[0]->deviceName(), 
-		  hs->hostbatch[hidx]->deviceName()) != 0 
-	  || hs->hostbatch[hidx]->directlyConnected() != hs->hostbatch[0]->directlyConnected())) {
-	/* Cancel everything!  This guy must go in the next group and we are
-	   out of here */
-	hs->current_expression.return_last_host();
-	delete hs->hostbatch[hidx];
-	goto batchfull;
-      }
-      hs->current_batch_sz++;
-}
-
-  if (hs->current_batch_sz < hs->max_batch_sz &&
-      hs->next_expression < hs->num_expressions) {
-    /* We are going to have to pop in another expression. */
-    while(hs->current_expression.parse_expr(hs->target_expressions[hs->next_expression++], o.af()) != 0) 
-      if (hs->next_expression >= hs->num_expressions)
-	break;
-  } else break;
-} while(1);
-
- batchfull:
- 
-if (hs->current_batch_sz == 0)
-  return NULL;
-
-/* OK, now we have our complete batch of entries.  The next step is to
-   randomize them (if requested) */
-if (hs->randomize) {
-  hoststructfry(hs->hostbatch, hs->current_batch_sz);
-}
-
-/* First I'll do the ARP ping if all of the machines in the group are
-   directly connected over ethernet.  I may need the MAC addresses
-   later anyway. */
- if (hs->hostbatch[0]->ifType() == devt_ethernet && 
-     hs->hostbatch[0]->directlyConnected() && 
-     o.sendpref != PACKET_SEND_IP_STRONG) {
-   arpping(hs->hostbatch, hs->current_batch_sz, ports);
-   arpping_done = true;
- }
- 
- gettimeofday(&now, NULL);
- if ((o.sendpref & PACKET_SEND_ETH) && 
-     hs->hostbatch[0]->ifType() == devt_ethernet) {
-   for(i=0; i < hs->current_batch_sz; i++)
-     if (!(hs->hostbatch[i]->flags & HOST_DOWN) && 
-	 !hs->hostbatch[i]->timedOut(&now))
-       if (!setTargetNextHopMAC(hs->hostbatch[i]))
-	 fatal("%s: Failed to determine dst MAC address for target %s", 
-	       __FUNCTION__, hs->hostbatch[hidx]->NameIP());
- }
-
- /* TODO: Maybe I should allow real ping scan of directly connected
-    ethernet hosts? */
- /* Then we do the mass ping (if required - IP-level pings) */
- if ((*pingtype == PINGTYPE_NONE && !arpping_done) || hs->hostbatch[0]->ifType() == devt_loopback) {
-   for(i=0; i < hs->current_batch_sz; i++)  {
-     if (!hs->hostbatch[i]->timedOut(&now)) {
-       initialize_timeout_info(&hs->hostbatch[i]->to);
-       hs->hostbatch[i]->flags |= HOST_UP; /*hostbatch[i].up = 1;*/
-     }
-   }
- } else if (!arpping_done)
-   if (*pingtype & PINGTYPE_ARP) /* A host that we can't arp scan ... maybe localhost */
-     massping(hs->hostbatch, hs->current_batch_sz, ports, DEFAULT_PING_TYPES);
-   else
-     massping(hs->hostbatch, hs->current_batch_sz, ports, *pingtype);
- 
- if (!o.noresolve) nmap_mass_rdns(hs->hostbatch, hs->current_batch_sz);
- 
- return hs->hostbatch[hs->next_batch_no++];
-}
-
-
-void massping(Target *hostbatch[], int num_hosts, 
-              struct scan_lists *ports, int pingtype) {
-static struct timeout_info to = {0,0,0};
-static double gsize = (double) LOOKAHEAD;
-int hostnum;
-struct pingtune pt;
-struct scanstats ss;
-struct timeval begin_select;
-struct pingtech ptech;
-struct tcpqueryinfo tqi;
-int max_block_size = 70;
-struct ppkt {
-  unsigned char type;
-  unsigned char code;
-  unsigned short checksum;
-  unsigned short id;
-  unsigned short seq;
-};
-int elapsed_time;
-int blockinc;
-int probes_per_host = 0; /* Number of probes done for each host (eg
-                            ping packet plus two TCP ports would be 3) */
-int sd_blocking = 1;
-struct sockaddr_in sock;
-u16 seq = 0;
-int sd = -1, rawsd = -1, rawpingsd = -1;
-eth_t *ethsd = NULL;
-struct timeval *time;
-struct timeval start, end;
-unsigned short id;
-pcap_t *pd = NULL;
-char filter[512];
-unsigned short sportbase;
-int max_sockets = 0;
-int p;
-int group_start, group_end, direction; /* For going forward or backward through
-					       grouplen */
-memset((char *)&ptech, 0, sizeof(ptech));
-
-memset((char *) &pt, 0, sizeof(pt)); 
-
-pt.up_this_block = 0;
-pt.block_unaccounted = LOOKAHEAD;
-pt.down_this_block = 0;
-pt.num_responses = 0;
-pt.max_tries = 5; /* Maximum number of tries for a block */
-pt.group_start = 0;
-pt.block_tries = 0; /* How many tries this block has gone through */
-pt.seq_offset = get_random_u16(); // For distinguishing between received packets from this execution vs. concurrent nmaps
-
-/* What port should we send from? */
-if (o.magic_port_set) sportbase = o.magic_port;
-else sportbase = o.magic_port + 20;
-
-/* What kind of scans are we doing? */
- if ((pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS)) && 
-     hostbatch[0]->v4source().s_addr) 
-  ptech.rawicmpscan = 1;
-else if (pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS)) 
-  ptech.icmpscan = 1;
-if (pingtype & PINGTYPE_UDP) 
-  ptech.rawudpscan = 1;
-if (pingtype & PINGTYPE_TCP) {
-  if (o.isr00t && o.af() == AF_INET)
-    ptech.rawtcpscan = 1;
-  else ptech.connecttcpscan = 1;
-}
-
- probes_per_host = 0;
- if (pingtype & PINGTYPE_ICMP_PING) probes_per_host++;
- if (pingtype & PINGTYPE_ICMP_MASK) probes_per_host++;
- if (pingtype & PINGTYPE_ICMP_TS) probes_per_host++;
- probes_per_host += o.num_ping_synprobes + o.num_ping_ackprobes + o.num_ping_udpprobes;
-
-pt.min_group_size = MAX(3, MAX(o.min_parallelism, 16) / probes_per_host);
-
- /* I think max_parallelism mostly relates to # of probes in parallel against
-    a single machine.  So I only use it to go down to 15 here */
-pt.group_size = (o.max_parallelism)? MIN(MAX(o.max_parallelism,15), gsize) : gsize;
-/* Make sure we have at least the minimum parallelism level */
-pt.group_size = MAX(pt.group_size, o.min_parallelism);
-/* Reduce the group size proportionally to number of probes sent per host */
-pt.group_size = MAX(pt.min_group_size, 0.9999 + pt.group_size / probes_per_host);
-max_block_size /= probes_per_host;
-
-/* TODO: I need to move ping scanning to ultra_scan or fix this
-   function to handle scan_delay the way ultra scan does (limit the
-   amount of time between probes sent to the SAME machine.  This func
-   does the opposite -- sends same-box probes immediately and waits to
-   go on to the next machine. */
- if (o.scan_delay > 1000) {
-   pt.group_size = max_block_size = 1;
- }
-
-time = (struct timeval *) safe_zalloc(sizeof(struct timeval) * ((pt.max_tries) * num_hosts));
-id = (unsigned short) get_random_uint();
-
-if (ptech.connecttcpscan)  {
-  /* I think max_parallelism mostly relates to # of probes in parallel against
-      a given machine.  So I won't go below 15 here because of it */
-  max_sockets = MAX(1, max_sd() - 4);
-  if (o.max_parallelism) {
-    max_block_size = MIN(50, MAX(o.max_parallelism, 15) / probes_per_host);
-  } else {
-    max_block_size = MIN(50, max_sockets / probes_per_host);
-  }
-  max_block_size = MAX(1, max_block_size);
-  if (o.scan_delay > 1000)
-    max_block_size = 1;
-  pt.group_size = MIN(pt.group_size, max_block_size);
-  memset((char *)&tqi, 0, sizeof(tqi));
-
-  for(p=0; p < o.num_ping_synprobes; p++) {
-    tqi.sockets[p] = (int *) safe_malloc(sizeof(int) * (pt.max_tries) * num_hosts);
-    memset(tqi.sockets[p], 255, sizeof(int) * (pt.max_tries) * num_hosts);
-  }
-  FD_ZERO(&(tqi.fds_r));
-  FD_ZERO(&(tqi.fds_w));
-  FD_ZERO(&(tqi.fds_x));
-  tqi.sockets_out = 0;
-  tqi.maxsd = 0;
-}
-
-if (ptech.icmpscan) {
-  sd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
-  if (sd < 0) pfatal("Socket trouble in massping"); 
-  unblock_socket(sd);
-#ifndef WIN32
-  sethdrinclude(sd);
-#endif
-  sd_blocking = 0;
-  if (num_hosts > 10)
-    max_rcvbuf(sd);
-  broadcast_socket(sd);
-} else sd = -1;
-
-
-/* if to timeout structure hasn't been initialized yet */
-if (!to.srtt && !to.rttvar && !to.timeout) {
-  /*  to.srtt = 800000;
-      to.rttvar = 500000; */ /* we will init these when we get real data */
-  initialize_timeout_info(&to);
-}
-
-/* Init our raw socket */
-if (o.numdecoys > 1 || ptech.rawtcpscan || ptech.rawicmpscan || ptech.rawudpscan) {
-	if ((o.sendpref & PACKET_SEND_ETH) && hostbatch[0]->ifType() == devt_ethernet) {
-		/* We'll send ethernet packets with dnet */
-		ethsd = eth_open(hostbatch[0]->deviceName());
-		if (ethsd == NULL)
-			fatal("dnet: Failed to open device %s", hostbatch[0]->deviceName());
-		rawsd = -1; rawpingsd = -1;
-	} else {
-  if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
-    pfatal("socket trobles in massping");
-  broadcast_socket(rawsd);
-#ifndef WIN32
-  sethdrinclude(rawsd);
-#endif
-
-  if ((rawpingsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
-    pfatal("socket trobles in massping");
-  broadcast_socket(rawpingsd);
-#ifndef WIN32
-  sethdrinclude(rawpingsd);
-#endif
-}
-} else { rawsd = -1; rawpingsd = -1; }
-
-if (ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan) {
-  /* we need a pcap descript0r! */
-  /* MAX snaplen needed = 
-     24 bytes max link_layer header
-     64 bytes max IPhdr
-     16 bytes of the TCP header
-     ---
-   = 104 byte snaplen */
-  pd = my_pcap_open_live(hostbatch[0]->deviceName(), 104, o.spoofsource, 20);
-
-  snprintf(filter, sizeof(filter), "(icmp and dst host %s) or ((tcp or udp) and dst host %s and ( dst port %d or dst port %d or dst port %d or dst port %d or dst port %d))", 
-	   inet_ntoa(hostbatch[0]->v4source()),
-	   inet_ntoa(hostbatch[0]->v4source()),
-	   sportbase , sportbase + 1, sportbase + 2, sportbase + 3, 
-	   sportbase + 4);
-
-  set_pcap_filter(hostbatch[0]->deviceName(), pd, filter); 
-}
-
- blockinc = (int) (0.9999 + 8.0 / probes_per_host);
-
-memset((char *)&sock,0,sizeof(sock));
-gettimeofday(&start, NULL);
-
- pt.group_end = (int) MIN(pt.group_start + pt.group_size -1, num_hosts -1);
- 
- while(pt.group_start < num_hosts) { /* while we have hosts left to scan */
-   do { /* one block */
-     pt.up_this_block = 0;
-     pt.down_this_block = 0;
-     pt.block_unaccounted = 0;
-
-     /* Sometimes a group gets too big for the network path and a
-        router (especially things like cable/DSL modems) will drop our
-        packets after a certain number have been sent.  If we just
-        retry the exact same group, we are likely to get exactly the
-        same behavior (missing later hosts).  So we reverse the order
-        for each try */
-     direction = (pt.block_tries % 2 == 0)? 1 : -1;
-     if (direction == 1) { group_start = pt.group_start; group_end = pt.group_end; }
-     else { group_start = pt.group_end; group_end = pt.group_start; }
-     for(hostnum = group_start; hostnum != group_end + direction; hostnum += direction) {      
-       /* If (we don't know whether the host is up yet) ... */
-       if (!(hostbatch[hostnum]->flags & HOST_UP) && !hostbatch[hostnum]->wierd_responses && !(hostbatch[hostnum]->flags & HOST_DOWN)) {  
-	 /* Send a ping queries to it */
-	 seq = hostnum * pt.max_tries + pt.block_tries + pt.seq_offset;
-	 if (ptech.icmpscan && !sd_blocking) { 
-	   block_socket(sd); sd_blocking = 1; 
-	 }
-	 pt.block_unaccounted++;
-	 gettimeofday(&time[(seq - pt.seq_offset) & 0xFFFF], NULL);
-
-	 if (ptech.icmpscan || ptech.rawicmpscan)
-	   sendpingqueries(sd, rawpingsd, ethsd, hostbatch[hostnum],  
-			   seq, id, &ss, time, pingtype, ptech);
-       
-	 if (ptech.rawtcpscan || ptech.rawudpscan) 
-	   sendrawtcpudppingqueries(rawsd, ethsd, hostbatch[hostnum], pingtype, seq, time, &pt);
-
-	 else if (ptech.connecttcpscan) {
-	   sendconnecttcpqueries(hostbatch, &tqi, hostbatch[hostnum], seq, time, &pt, &to, max_sockets);
-	 }
-       }
-     } /* for() loop */
-     /* OK, we have sent our ping packets ... now we wait for responses */
-     gettimeofday(&begin_select, NULL);
-     do {
-       if (ptech.icmpscan && sd_blocking ) { 
-	 unblock_socket(sd); sd_blocking = 0; 
-       }
-       if(ptech.icmpscan || ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan) {       
-	 get_ping_results(sd, pd, hostbatch, pingtype, time, &pt, &to, id, 
-			  &ptech, ports);
-       }
-       if (ptech.connecttcpscan) {
-	 get_connecttcpscan_results(&tqi, hostbatch, time, &pt, &to);
-       }
-       gettimeofday(&end, NULL);
-       elapsed_time = TIMEVAL_SUBTRACT(end, begin_select);
-     } while( elapsed_time < to.timeout);
-     /* try again if a new box was found but some are still unaccounted for and
-	we haven't run out of retries.  Always retry at least once.
-     */
-     pt.dropthistry = 0;
-     pt.block_tries++;
-   } while ((pt.up_this_block > 0 || pt.block_tries == 1) && pt.block_unaccounted > 0 && pt.block_tries < pt.max_tries);
-
-   if (o.debugging)
-     log_write(LOG_STDOUT, "Finished block: srtt: %d rttvar: %d timeout: %d block_tries: %d up_this_block: %d down_this_block: %d group_sz: %d\n", to.srtt, to.rttvar, to.timeout, pt.block_tries, pt.up_this_block, pt.down_this_block, pt.group_end - pt.group_start + 1);
-
-   if (pt.block_tries == 2 && pt.up_this_block == 0 && pt.down_this_block == 0)
-     /* Then it did not miss any hosts (that we know of)*/
-       pt.group_size = MIN(pt.group_size + blockinc, max_block_size);
-   
-   /* Move to next block */
-   pt.block_tries = 0;
-   pt.group_start = pt.group_end +1;
-   pt.group_end = (int) MIN(pt.group_start + pt.group_size -1, num_hosts -1);
-   /*   pt.block_unaccounted = pt.group_end - pt.group_start + 1;   */
- }
-
- if (sd >= 0) close(sd);
- if (ptech.connecttcpscan)
-   for(p=0; p < o.num_ping_synprobes; p++)
-     free(tqi.sockets[p]);
- if (sd >= 0) close(sd);
- if (rawsd >= 0) close(rawsd);
- if (rawpingsd >= 0) close(rawpingsd);
- if (ethsd) eth_close(ethsd);
- free(time);
- if (pd) pcap_close(pd);
- if (o.debugging) 
-   log_write(LOG_STDOUT, "massping done:  num_hosts: %d  num_responses: %d\n", num_hosts, pt.num_responses);
- gsize = pt.group_size;
- return;
-}
-
-int sendconnecttcpqueries(Target *hostbatch[], struct tcpqueryinfo *tqi,
-			Target *target, u16 seq, 
-			struct timeval *time, struct pingtune *pt, 
-			struct timeout_info *to, int max_sockets) {
-  int i;
-
-  for( i=0; i<o.num_ping_synprobes; i++ ) {
-    if (i > 0 && o.scan_delay) enforce_scan_delay(NULL);
-    sendconnecttcpquery(hostbatch, tqi, target, i, seq, time, pt, to, max_sockets);
-  }
-
-  return 0;
-}
-
-int sendconnecttcpquery(Target *hostbatch[], struct tcpqueryinfo *tqi,
-			Target *target, int probe_port_num, u16 seq, 
-			struct timeval *time, struct pingtune *pt, 
-			struct timeout_info *to, int max_sockets) {
-
-  int res,sock_err,i;
-  int tmpsd;
-  int hostnum, trynum;
-  struct sockaddr_storage sock;
-  struct sockaddr_in *sin = (struct sockaddr_in *) &sock;
-  struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &sock;
-  size_t socklen;
-  
-  seq -= pt->seq_offset; // Because connect() pingscan doesn't send it over the wire
-  trynum = seq % pt->max_tries;
-  hostnum = seq / pt->max_tries;
-
-  assert(tqi->sockets_out <= max_sockets);
-  if (tqi->sockets_out == max_sockets) {
-    /* We've got to free one! */
-    for(i=0; i < trynum; i++) {
-      tmpsd = hostnum * pt->max_tries + i;
-      if (tqi->sockets[probe_port_num][tmpsd] >= 0) {
-	if (o.debugging) 
-	  log_write(LOG_STDOUT, "sendconnecttcpquery: Scavenging a free socket due to serious shortage\n");
-	close(tqi->sockets[probe_port_num][tmpsd]);
-	tqi->sockets[probe_port_num][tmpsd] = -1;
-	tqi->sockets_out--;
-	break;
-      }
-    }
-    if (i == trynum)
-      fatal("sendconnecttcpquery: Could not scavenge a free socket!");
-  }
-    
-  /* Since we know we now have a free s0cket, lets take it */
-  assert(tqi->sockets[probe_port_num][seq] == -1);
-  tqi->sockets[probe_port_num][seq] =  socket(o.af(), SOCK_STREAM, IPPROTO_TCP);
-  if (tqi->sockets[probe_port_num][seq] == -1) 
-    fatal("Socket creation in sendconnecttcpquery");
-  tqi->maxsd = MAX(tqi->maxsd, tqi->sockets[probe_port_num][seq]);
-  tqi->sockets_out++;
-  unblock_socket(tqi->sockets[probe_port_num][seq]);
-  init_socket(tqi->sockets[probe_port_num][seq]);
-
-  if (target->TargetSockAddr(&sock, &socklen) != 0)
-    fatal("Unable to get target sock in sendconnecttcpquery");
-
-  if (sin->sin_family == AF_INET)
-    sin->sin_port = htons(o.ping_synprobes[probe_port_num]);
-#if HAVE_IPV6
-  else sin6->sin6_port = htons(o.ping_synprobes[probe_port_num]);
-#endif //HAVE_IPV6
-
-  res = connect(tqi->sockets[probe_port_num][seq],(struct sockaddr *)&sock, socklen);
-  sock_err = socket_errno();
-
-  if ((res != -1 || sock_err == ECONNREFUSED)) {
-    /* This can happen on localhost, successful/failing connection immediately
-       in non-blocking mode */
-      hostupdate(hostbatch, target, HOST_UP, 1, trynum, to, 
-		 &time[seq], NULL, pt, tqi, pingstyle_connecttcp);
-    if (tqi->maxsd == tqi->sockets[probe_port_num][seq]) tqi->maxsd--;
-  }
-  else if (sock_err == ENETUNREACH) {
-    if (o.debugging) 
-      error("Got ENETUNREACH from sendconnecttcpquery connect()");
-    hostupdate(hostbatch, target, HOST_DOWN, 1, trynum, to, 
-	       &time[seq], NULL, pt, tqi, pingstyle_connecttcp);
-  }
-  else {
-    /* We'll need to select() and wait it out */
-    FD_SET(tqi->sockets[probe_port_num][seq], &(tqi->fds_r));
-    FD_SET(tqi->sockets[probe_port_num][seq], &(tqi->fds_w));
-    FD_SET(tqi->sockets[probe_port_num][seq], &(tqi->fds_x));
-  }
-return 0;
-}
-
-int sendrawtcpudppingqueries(int rawsd, eth_t *ethsd, Target *target, int pingtype, u16 seq, 
-			  struct timeval *time, struct pingtune *pt) {
-  int i;
-  struct eth_nfo eth;
-  struct eth_nfo *ethptr = NULL;
-
-  if (ethsd) {
-	  memcpy(eth.srcmac, target->SrcMACAddress(), 6);
-	  memcpy(eth.dstmac, target->NextHopMACAddress(), 6);
-	  eth.ethsd = ethsd;
-	  eth.devname[0] = '\0';
-	  ethptr = &eth;
-  } else ethptr = NULL;
-
-  if (pingtype & PINGTYPE_UDP) {
-    for( i=0; i<o.num_ping_udpprobes; i++ ) {
-      if (i > 0 && o.scan_delay) enforce_scan_delay(NULL);
-      sendrawudppingquery(rawsd, ethptr, target, o.ping_udpprobes[i], seq, time, pt);
-    }
-  }
-
-  if (pingtype & PINGTYPE_TCP_USE_ACK) {
-    for( i=0; i<o.num_ping_ackprobes; i++ ) {
-      if (i > 0 && o.scan_delay) enforce_scan_delay(NULL);
-      sendrawtcppingquery(rawsd, ethptr, target, PINGTYPE_TCP_USE_ACK, o.ping_ackprobes[i], seq, time, pt);
-    }
-  }
-
-  if (pingtype & PINGTYPE_TCP_USE_SYN) {
-    for( i=0; i<o.num_ping_synprobes; i++ ) {
-      if (i > 0 && o.scan_delay) enforce_scan_delay(NULL);
-      sendrawtcppingquery(rawsd, ethptr, target, PINGTYPE_TCP_USE_SYN, o.ping_synprobes[i], seq, time, pt);
-    }
-  }
-
-  return 0;
-}
-
-int sendrawudppingquery(int rawsd, struct eth_nfo *eth, Target *target, u16 probe_port,
-			u16 seq, struct timeval *time, struct pingtune *pt) {
-int trynum = 0;
-unsigned short sportbase;
-
-if (o.magic_port_set) sportbase = o.magic_port;
-else { 
-  sportbase = o.magic_port + 20;
-  trynum = seq % pt->max_tries;
-}
-
- o.decoys[o.decoyturn].s_addr = target->v4source().s_addr;
- 
- send_udp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, seq, o.extra_payload, o.extra_payload_length);
-
-
- return 0;
-}
-
-int sendrawtcppingquery(int rawsd, struct eth_nfo *eth, Target *target, int pingtype, u16 probe_port,
-			u16 seq, struct timeval *time, struct pingtune *pt) {
-int trynum = 0;
-int myseq;
-unsigned short sportbase;
-unsigned long myack;
-
-if (o.magic_port_set) sportbase = o.magic_port;
-else { 
-  sportbase = o.magic_port + 20;
-  trynum = seq % pt->max_tries;
-}
-
- myseq = (get_random_uint() << 22) + (seq << 6) + 0x1E; /* (response & 0x3F) better be 0x1E or 0x1F */
- myack = (get_random_uint() << 22) + (seq << 6) + 0x1E; /* (response & 0x3F) better be 0x1E or 0x1F */
- o.decoys[o.decoyturn].s_addr = target->v4source().s_addr;
-
- if (pingtype & PINGTYPE_TCP_USE_SYN) {   
-   send_tcp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, myseq, myack, TH_SYN, 0, (u8 *) "\x02\x04\x05\xb4", 4, o.extra_payload, 
-			o.extra_payload_length);
- } else {
-   send_tcp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, myseq, myack, TH_ACK, 0, NULL, 0, o.extra_payload, 
-			o.extra_payload_length);
- }
-
- return 0;
-}
-
-int sendpingqueries(int sd, int rawsd, eth_t *ethsd, Target *target,  
-		  u16 seq, unsigned short id, struct scanstats *ss, 
-		    struct timeval *time, int pingtype, struct pingtech ptech) {
-  if (pingtype & PINGTYPE_ICMP_PING) {
-    if (o.scan_delay) enforce_scan_delay(NULL);
-    sendpingquery(sd, rawsd, ethsd, target, seq, id, ss, time, PINGTYPE_ICMP_PING, ptech);
-  }
-  if (pingtype & PINGTYPE_ICMP_MASK) {
-    if (o.scan_delay) enforce_scan_delay(NULL);
-    sendpingquery(sd, rawsd, ethsd, target, seq, id, ss, time, PINGTYPE_ICMP_MASK, ptech);
-
-  }
-  if (pingtype & PINGTYPE_ICMP_TS) {
-    if (o.scan_delay) enforce_scan_delay(NULL);
-    sendpingquery(sd, rawsd, ethsd, target, seq, id, ss, time, PINGTYPE_ICMP_TS, ptech);
-  }
-
-  return 0;
-}
-
-int sendpingquery(int sd, int rawsd, eth_t *ethsd, Target *target,  
-		  u16 seq, unsigned short id, struct scanstats *ss, 
-		  struct timeval *time, int pingtype, struct pingtech ptech) {
-struct ppkt {
-  u8 type;
-  u8 code;
-  u16 checksum;
-  u16 id;
-  u16 seq;
-  u8 data[1500]; /* Note -- first 4-12 bytes can be used for ICMP header */
-} pingpkt;
-u32 *datastart = (u32 *) pingpkt.data;
-int datalen = sizeof(pingpkt.data); 
-int icmplen=0;
-int decoy;
-int res;
-struct sockaddr_in sock;
-struct eth_nfo eth;
-struct eth_nfo *ethptr = NULL;
-char *ping = (char *) &pingpkt;
-
-if (ethsd) {
-    memcpy(eth.srcmac, target->SrcMACAddress(), 6);
-    memcpy(eth.dstmac, target->NextHopMACAddress(), 6);
-    eth.ethsd = ethsd;
-    eth.devname[0] = '\0';
-    ethptr = &eth;
-} else ethptr = NULL;
-
- if (pingtype & PINGTYPE_ICMP_PING) {
-   icmplen = 8; 
-   pingpkt.type = 8;
- }
- else if (pingtype & PINGTYPE_ICMP_MASK) {
-   icmplen = 12;
-   *datastart++ = 0;
-   datalen -= 4;
-   pingpkt.type = 17;
- }
- else if (pingtype & PINGTYPE_ICMP_TS) {   
-   icmplen = 20;
-   memset(datastart, 0, 12);
-   datastart += 12;
-   datalen -= 12;
-   pingpkt.type = 13;
- }
- else fatal("sendpingquery: unknown pingtype: %d", pingtype);
-
- if (o.extra_payload_length > 0) {
-   icmplen += MIN(datalen, o.extra_payload_length);
-   memset(datastart, 0, MIN(datalen, o.extra_payload_length));
- }
-/* Fill out the ping packet */
-
-pingpkt.code = 0;
-pingpkt.id = id;
-pingpkt.seq = seq;
-pingpkt.checksum = 0;
-pingpkt.checksum = in_cksum((unsigned short *)ping, icmplen);
-if ( o.badsum )
-  pingpkt.checksum--;
-
-
-/* Now for our sock */
-if (ptech.icmpscan) {
-  memset((char *)&sock, 0, sizeof(sock));
-  sock.sin_family= AF_INET;
-  sock.sin_addr = target->v4host();
-  
-  o.decoys[o.decoyturn].s_addr = target->v4source().s_addr;
-}
-
- for (decoy = 0; decoy < o.numdecoys; decoy++) {
-   if (ptech.icmpscan && decoy == o.decoyturn) {
-      int sock_err = 0;
-
-     /* FIXME: If EHOSTUNREACH (Windows does that) then we were
-	probably unable to obtain an arp response from the machine.
-	We should just consider the host down rather than ignoring
-	the error */
-     // Can't currently do the tracer because 'ping' has no IP header
-     //     PacketTrace::trace(PacketTrace::SENT, (u8 *) ping, icmplen); 
-     if ((res = sendto(sd,(char *) ping,icmplen,0,(struct sockaddr *)&sock,
-		       sizeof(struct sockaddr))) != icmplen && 
-                       (sock_err = socket_errno()) != EHOSTUNREACH
-#ifdef WIN32
-        // Windows (correctly) returns this if we scan an address that is
-        // known to be nonsensical (e.g. myip & mysubnetmask)
-	&& sock_err != WSAEADDRNOTAVAIL
-#endif 
-		       ) {
-       fprintf(stderr, "sendto in sendpingquery returned %d (should be 8)!\n", res);
-       fprintf(stderr, "sendto: %s\n", strerror(sock_err));
-     }
-   } else {
-     send_ip_raw( rawsd, ethptr, &o.decoys[decoy], target->v4hostip(), o.ttl, IPPROTO_ICMP, ping, icmplen);
-   }
- }
-
- return 0;
-}
-
-int get_connecttcpscan_results(struct tcpqueryinfo *tqi, 
-			       Target *hostbatch[], 
-			       struct timeval *time, struct pingtune *pt, 
-			       struct timeout_info *to) {
-
-int res, res2;
-int tm;
-struct timeval myto, start, end;
-int hostindex;
-int trynum, newstate = HOST_DOWN;
-int seq;
-int p;
-char buf[256];
-int foundsomething = 0;
-fd_set myfds_r,myfds_w,myfds_x;
-gettimeofday(&start, NULL);
- 
-while(pt->block_unaccounted) {
-  /* OK so there is a little fudge factor, SUE ME! */
-  myto.tv_sec  = to->timeout / 1000000; 
-  myto.tv_usec = to->timeout % 1000000;
-  foundsomething = 0;
-  myfds_r = tqi->fds_r;
-  myfds_w = tqi->fds_w;
-  myfds_x = tqi->fds_x;
-  res = select(tqi->maxsd + 1, &myfds_r, &myfds_w, &myfds_x, &myto);
-  if (res > 0) {
-    for(hostindex = pt->group_start; hostindex <= pt->group_end; hostindex++) {
-      for(trynum=0; trynum <= pt->block_tries; trynum++) {
-	seq = hostindex * pt->max_tries + trynum;
-	for(p=0; p < o.num_ping_synprobes; p++) {
-	  if (tqi->sockets[p][seq] >= 0) {
-	    if (o.debugging > 1) {
-	      if (FD_ISSET(tqi->sockets[p][seq], &(myfds_r))) {
-	        log_write(LOG_STDOUT, "WRITE selected for machine %s\n", hostbatch[hostindex]->targetipstr());  
-	      }
-	      if ( FD_ISSET(tqi->sockets[p][seq], &myfds_w)) {
-	        log_write(LOG_STDOUT, "READ selected for machine %s\n", hostbatch[hostindex]->targetipstr()); 
-	      }
-	      if  ( FD_ISSET(tqi->sockets[p][seq], &myfds_x)) {
-	        log_write(LOG_STDOUT, "EXC selected for machine %s\n", hostbatch[hostindex]->targetipstr());
-	      }
-	    }
-	    if (FD_ISSET(tqi->sockets[p][seq], &myfds_r) || FD_ISSET(tqi->sockets[p][seq], &myfds_w) ||  FD_ISSET(tqi->sockets[p][seq], &myfds_x)) {
-	      foundsomething = 0;
-	      res2 = recv(tqi->sockets[p][seq], buf, sizeof(buf) - 1, 0);
-	      if (res2 == -1) {
-  	        int sock_err = socket_errno();
-	        switch(sock_err) {
-	        case ECONNREFUSED:
-	        case EAGAIN:
-#ifdef WIN32
-			case WSAENOTCONN:
-#endif
-		  if (sock_err == EAGAIN && o.verbose) {
-		    log_write(LOG_STDOUT, "Machine %s MIGHT actually be listening on probe port %d\n", hostbatch[hostindex]->targetipstr(), o.ping_synprobes[p]);
-		  }
-		  foundsomething = 1;
-		  newstate = HOST_UP;	
-		  break;
-	        case ENETDOWN:
-	        case ENETUNREACH:
-	        case ENETRESET:
-	        case ECONNABORTED:
-	        case ETIMEDOUT:
-	        case EHOSTDOWN:
-	        case EHOSTUNREACH:
-		  foundsomething = 1;
-		  newstate = HOST_DOWN;
-		  break;
-	        default:
-		  snprintf (buf, sizeof(buf), "Strange read error from %s", hostbatch[hostindex]->targetipstr());
-		  fprintf(stderr, "%s: %s\n", buf, strerror(sock_err));
-		  break;
-	        }
-	      } else { 
-	        foundsomething = 1;
-	        newstate = HOST_UP;
-	        if (o.verbose) {	      
-		    log_write(LOG_STDOUT, "Machine %s is actually LISTENING on probe port %d\n",
-			   hostbatch[hostindex]->targetipstr(), 
-			   o.ping_synprobes[p]);
-	        }
-	      }
-	      if (foundsomething) {
-	        hostupdate(hostbatch, hostbatch[hostindex], newstate, 1, trynum,
-			 to,  &time[seq], NULL, pt, tqi, pingstyle_connecttcp);
-	      /*	      break;*/
-	      }
-	    }
-	  }
+      } 
+      /* For ranges we need to be a little more slick, if we don't find a match
+       * we should skip the rest of the addrs in the octet, thank wam for this
+       * optimization */
+      else if (targets_type == TargetGroup::IPV4_RANGES) {
+        if (tmpTarget == checkhost->sin_addr.s_addr) {
+          exclude_group[i].rewind();
+          return 1;
+        }
+        else { /* note these are in network byte order */
+	  if ((tmpTarget & 0x000000ff) != (checkhost->sin_addr.s_addr & 0x000000ff))
+            exclude_group[i].skip_range(TargetGroup::FIRST_OCTET); 
+	  else if ((tmpTarget & 0x0000ff00) != (checkhost->sin_addr.s_addr & 0x0000ff00))
+            exclude_group[i].skip_range(TargetGroup::SECOND_OCTET); 
+	  else if ((tmpTarget & 0x00ff0000) != (checkhost->sin_addr.s_addr & 0x00ff0000))
+            exclude_group[i].skip_range(TargetGroup::THIRD_OCTET); 
+
+          continue;
         }
       }
-    }
-  }
-  gettimeofday(&end, NULL);
-  tm = TIMEVAL_SUBTRACT(end,start);  
-  if (tm > (30 * to->timeout)) {
-    error("WARNING: getconnecttcpscanresults is taking way too long, skipping");
-    break;
-  }
-  if (res == 0 &&  tm > to->timeout) break; 
-}
-
-/* OK, now we have to kill all outstanding queries to make room for
-   the next group :( I'll miss these little guys. */
- for(hostindex = pt->group_start; hostindex <= pt->group_end; hostindex++) { 
-      for(trynum=0; trynum <= pt->block_tries; trynum++) {
-	seq = hostindex * pt->max_tries + trynum;
-	for(p=0; p < o.num_ping_synprobes; p++) {
-	  if ( tqi->sockets[p][seq] >= 0) {
-	    tqi->sockets_out--;
-	    close(tqi->sockets[p][seq]);
-	    tqi->sockets[p][seq] = -1;
-	  }
-	}
+#if HAVE_IPV6
+      else if (targets_type == TargetGroup::IPV6_ADDRESS) {
+        fatal("exclude file not supported for IPV6 -- If it is important to you, send a mail to fyodor@insecure.org so I can guage support\n");
       }
- }
- tqi->maxsd = 0;
- assert(tqi->sockets_out == 0);
- FD_ZERO(&(tqi->fds_r));
- FD_ZERO(&(tqi->fds_w));
- FD_ZERO(&(tqi->fds_x));
-	 
-return 0;
+#endif
+    }
+    exclude_group[i++].rewind();
+  }
+
+  /* we did not find the host */
+  return 0;
 }
 
 
-int get_ping_results(int sd, pcap_t *pd, Target *hostbatch[], int pingtype, 
-		     struct timeval *time,  struct pingtune *pt, 
-		     struct timeout_info *to, int id, struct pingtech *ptech, 
-		     struct scan_lists *ports) {
+static int get_ping_results(int sd, pcap_t *pd, Target *hostbatch[], 
+			    int pingtype, struct timeval *time,
+			    struct pingtune *pt, struct timeout_info *to, 
+			    int id, struct pingtech *ptech, 
+			    struct scan_lists *ports) {
   fd_set fd_r, fd_x;
   struct timeval myto, tmpto, start, rcvdtime;
   unsigned int bytes;
@@ -1568,20 +794,435 @@ int get_ping_results(int sd, pcap_t *pd, Target *hostbatch[], int pingtype,
   return 0;
 }
 
-char *readhoststate(int state) {
-  switch(state) {
-  case HOST_UP:
-    return "HOST_UP";
-  case HOST_DOWN:
-    return "HOST_DOWN";
-  case HOST_FIREWALLED:
-    return "HOST_FIREWALLED";
-  default:
-    return "UNKNOWN/COMBO";
+
+static int sendconnecttcpquery(Target *hostbatch[], struct tcpqueryinfo *tqi,
+			Target *target, int probe_port_num, u16 seq, 
+			struct timeval *time, struct pingtune *pt, 
+			struct timeout_info *to, int max_sockets) {
+
+  int res,sock_err,i;
+  int tmpsd;
+  int hostnum, trynum;
+  struct sockaddr_storage sock;
+  struct sockaddr_in *sin = (struct sockaddr_in *) &sock;
+  struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &sock;
+  size_t socklen;
+  
+  seq -= pt->seq_offset; // Because connect() pingscan doesn't send it over the wire
+  trynum = seq % pt->max_tries;
+  hostnum = seq / pt->max_tries;
+
+  assert(tqi->sockets_out <= max_sockets);
+  if (tqi->sockets_out == max_sockets) {
+    /* We've got to free one! */
+    for(i=0; i < trynum; i++) {
+      tmpsd = hostnum * pt->max_tries + i;
+      if (tqi->sockets[probe_port_num][tmpsd] >= 0) {
+	if (o.debugging) 
+	  log_write(LOG_STDOUT, "sendconnecttcpquery: Scavenging a free socket due to serious shortage\n");
+	close(tqi->sockets[probe_port_num][tmpsd]);
+	tqi->sockets[probe_port_num][tmpsd] = -1;
+	tqi->sockets_out--;
+	break;
+      }
+    }
+    if (i == trynum)
+      fatal("sendconnecttcpquery: Could not scavenge a free socket!");
   }
-  return NULL;
+    
+  /* Since we know we now have a free s0cket, lets take it */
+  assert(tqi->sockets[probe_port_num][seq] == -1);
+  tqi->sockets[probe_port_num][seq] =  socket(o.af(), SOCK_STREAM, IPPROTO_TCP);
+  if (tqi->sockets[probe_port_num][seq] == -1) 
+    fatal("Socket creation in sendconnecttcpquery");
+  tqi->maxsd = MAX(tqi->maxsd, tqi->sockets[probe_port_num][seq]);
+  tqi->sockets_out++;
+  unblock_socket(tqi->sockets[probe_port_num][seq]);
+  init_socket(tqi->sockets[probe_port_num][seq]);
+
+  if (target->TargetSockAddr(&sock, &socklen) != 0)
+    fatal("Unable to get target sock in sendconnecttcpquery");
+
+  if (sin->sin_family == AF_INET)
+    sin->sin_port = htons(o.ping_synprobes[probe_port_num]);
+#if HAVE_IPV6
+  else sin6->sin6_port = htons(o.ping_synprobes[probe_port_num]);
+#endif //HAVE_IPV6
+
+  res = connect(tqi->sockets[probe_port_num][seq],(struct sockaddr *)&sock, socklen);
+  sock_err = socket_errno();
+
+  if ((res != -1 || sock_err == ECONNREFUSED)) {
+    /* This can happen on localhost, successful/failing connection immediately
+       in non-blocking mode */
+      hostupdate(hostbatch, target, HOST_UP, 1, trynum, to, 
+		 &time[seq], NULL, pt, tqi, pingstyle_connecttcp);
+    if (tqi->maxsd == tqi->sockets[probe_port_num][seq]) tqi->maxsd--;
+  }
+  else if (sock_err == ENETUNREACH) {
+    if (o.debugging) 
+      error("Got ENETUNREACH from sendconnecttcpquery connect()");
+    hostupdate(hostbatch, target, HOST_DOWN, 1, trynum, to, 
+	       &time[seq], NULL, pt, tqi, pingstyle_connecttcp);
+  }
+  else {
+    /* We'll need to select() and wait it out */
+    FD_SET(tqi->sockets[probe_port_num][seq], &(tqi->fds_r));
+    FD_SET(tqi->sockets[probe_port_num][seq], &(tqi->fds_w));
+    FD_SET(tqi->sockets[probe_port_num][seq], &(tqi->fds_x));
+  }
+return 0;
 }
 
+static int sendconnecttcpqueries(Target *hostbatch[], struct tcpqueryinfo *tqi,
+			Target *target, u16 seq, 
+			struct timeval *time, struct pingtune *pt, 
+			struct timeout_info *to, int max_sockets) {
+  int i;
+
+  for( i=0; i<o.num_ping_synprobes; i++ ) {
+    if (i > 0 && o.scan_delay) enforce_scan_delay(NULL);
+    sendconnecttcpquery(hostbatch, tqi, target, i, seq, time, pt, to, max_sockets);
+  }
+
+  return 0;
+}
+
+int sendrawudppingquery(int rawsd, struct eth_nfo *eth, Target *target, u16 probe_port,
+			u16 seq, struct timeval *time, struct pingtune *pt) {
+int trynum = 0;
+unsigned short sportbase;
+
+if (o.magic_port_set) sportbase = o.magic_port;
+else { 
+  sportbase = o.magic_port + 20;
+  trynum = seq % pt->max_tries;
+}
+
+ o.decoys[o.decoyturn].s_addr = target->v4source().s_addr;
+ 
+ send_udp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, seq, o.extra_payload, o.extra_payload_length);
+
+
+ return 0;
+}
+
+int sendrawtcppingquery(int rawsd, struct eth_nfo *eth, Target *target, int pingtype, u16 probe_port,
+			u16 seq, struct timeval *time, struct pingtune *pt) {
+int trynum = 0;
+int myseq;
+unsigned short sportbase;
+unsigned long myack;
+
+if (o.magic_port_set) sportbase = o.magic_port;
+else { 
+  sportbase = o.magic_port + 20;
+  trynum = seq % pt->max_tries;
+}
+
+ myseq = (get_random_uint() << 22) + (seq << 6) + 0x1E; /* (response & 0x3F) better be 0x1E or 0x1F */
+ myack = (get_random_uint() << 22) + (seq << 6) + 0x1E; /* (response & 0x3F) better be 0x1E or 0x1F */
+ o.decoys[o.decoyturn].s_addr = target->v4source().s_addr;
+
+ if (pingtype & PINGTYPE_TCP_USE_SYN) {   
+   send_tcp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, myseq, myack, TH_SYN, 0, (u8 *) "\x02\x04\x05\xb4", 4, o.extra_payload, 
+			o.extra_payload_length);
+ } else {
+   send_tcp_raw_decoys( rawsd, eth, target->v4hostip(), o.ttl, sportbase + trynum, probe_port, myseq, myack, TH_ACK, 0, NULL, 0, o.extra_payload, 
+			o.extra_payload_length);
+ }
+
+ return 0;
+}
+
+int sendrawtcpudppingqueries(int rawsd, eth_t *ethsd, Target *target, int pingtype, u16 seq, 
+			  struct timeval *time, struct pingtune *pt) {
+  int i;
+  struct eth_nfo eth;
+  struct eth_nfo *ethptr = NULL;
+
+  if (ethsd) {
+	  memcpy(eth.srcmac, target->SrcMACAddress(), 6);
+	  memcpy(eth.dstmac, target->NextHopMACAddress(), 6);
+	  eth.ethsd = ethsd;
+	  eth.devname[0] = '\0';
+	  ethptr = &eth;
+  } else ethptr = NULL;
+
+  if (pingtype & PINGTYPE_UDP) {
+    for( i=0; i<o.num_ping_udpprobes; i++ ) {
+      if (i > 0 && o.scan_delay) enforce_scan_delay(NULL);
+      sendrawudppingquery(rawsd, ethptr, target, o.ping_udpprobes[i], seq, time, pt);
+    }
+  }
+
+  if (pingtype & PINGTYPE_TCP_USE_ACK) {
+    for( i=0; i<o.num_ping_ackprobes; i++ ) {
+      if (i > 0 && o.scan_delay) enforce_scan_delay(NULL);
+      sendrawtcppingquery(rawsd, ethptr, target, PINGTYPE_TCP_USE_ACK, o.ping_ackprobes[i], seq, time, pt);
+    }
+  }
+
+  if (pingtype & PINGTYPE_TCP_USE_SYN) {
+    for( i=0; i<o.num_ping_synprobes; i++ ) {
+      if (i > 0 && o.scan_delay) enforce_scan_delay(NULL);
+      sendrawtcppingquery(rawsd, ethptr, target, PINGTYPE_TCP_USE_SYN, o.ping_synprobes[i], seq, time, pt);
+    }
+  }
+
+  return 0;
+}
+
+
+static int sendpingquery(int sd, int rawsd, eth_t *ethsd, Target *target,  
+		  u16 seq, unsigned short id, struct scanstats *ss, 
+		  struct timeval *time, int pingtype, struct pingtech ptech) {
+struct ppkt {
+  u8 type;
+  u8 code;
+  u16 checksum;
+  u16 id;
+  u16 seq;
+  u8 data[1500]; /* Note -- first 4-12 bytes can be used for ICMP header */
+} pingpkt;
+u32 *datastart = (u32 *) pingpkt.data;
+int datalen = sizeof(pingpkt.data); 
+int icmplen=0;
+int decoy;
+int res;
+struct sockaddr_in sock;
+struct eth_nfo eth;
+struct eth_nfo *ethptr = NULL;
+char *ping = (char *) &pingpkt;
+
+if (ethsd) {
+    memcpy(eth.srcmac, target->SrcMACAddress(), 6);
+    memcpy(eth.dstmac, target->NextHopMACAddress(), 6);
+    eth.ethsd = ethsd;
+    eth.devname[0] = '\0';
+    ethptr = &eth;
+} else ethptr = NULL;
+
+ if (pingtype & PINGTYPE_ICMP_PING) {
+   icmplen = 8; 
+   pingpkt.type = 8;
+ }
+ else if (pingtype & PINGTYPE_ICMP_MASK) {
+   icmplen = 12;
+   *datastart++ = 0;
+   datalen -= 4;
+   pingpkt.type = 17;
+ }
+ else if (pingtype & PINGTYPE_ICMP_TS) {   
+   icmplen = 20;
+   memset(datastart, 0, 12);
+   datastart += 12;
+   datalen -= 12;
+   pingpkt.type = 13;
+ }
+ else fatal("sendpingquery: unknown pingtype: %d", pingtype);
+
+ if (o.extra_payload_length > 0) {
+   icmplen += MIN(datalen, o.extra_payload_length);
+   memset(datastart, 0, MIN(datalen, o.extra_payload_length));
+ }
+/* Fill out the ping packet */
+
+pingpkt.code = 0;
+pingpkt.id = id;
+pingpkt.seq = seq;
+pingpkt.checksum = 0;
+pingpkt.checksum = in_cksum((unsigned short *)ping, icmplen);
+if ( o.badsum )
+  pingpkt.checksum--;
+
+
+/* Now for our sock */
+if (ptech.icmpscan) {
+  memset((char *)&sock, 0, sizeof(sock));
+  sock.sin_family= AF_INET;
+  sock.sin_addr = target->v4host();
+  
+  o.decoys[o.decoyturn].s_addr = target->v4source().s_addr;
+}
+
+ for (decoy = 0; decoy < o.numdecoys; decoy++) {
+   if (ptech.icmpscan && decoy == o.decoyturn) {
+      int sock_err = 0;
+
+     /* FIXME: If EHOSTUNREACH (Windows does that) then we were
+	probably unable to obtain an arp response from the machine.
+	We should just consider the host down rather than ignoring
+	the error */
+     // Can't currently do the tracer because 'ping' has no IP header
+     //     PacketTrace::trace(PacketTrace::SENT, (u8 *) ping, icmplen); 
+     if ((res = sendto(sd,(char *) ping,icmplen,0,(struct sockaddr *)&sock,
+		       sizeof(struct sockaddr))) != icmplen && 
+                       (sock_err = socket_errno()) != EHOSTUNREACH
+#ifdef WIN32
+        // Windows (correctly) returns this if we scan an address that is
+        // known to be nonsensical (e.g. myip & mysubnetmask)
+	&& sock_err != WSAEADDRNOTAVAIL
+#endif 
+		       ) {
+       fprintf(stderr, "sendto in sendpingquery returned %d (should be 8)!\n", res);
+       fprintf(stderr, "sendto: %s\n", strerror(sock_err));
+     }
+   } else {
+     send_ip_raw( rawsd, ethptr, &o.decoys[decoy], target->v4hostip(), o.ttl, IPPROTO_ICMP, ping, icmplen);
+   }
+ }
+
+ return 0;
+}
+
+static int sendpingqueries(int sd, int rawsd, eth_t *ethsd, Target *target,  
+		  u16 seq, unsigned short id, struct scanstats *ss, 
+		    struct timeval *time, int pingtype, struct pingtech ptech) {
+  if (pingtype & PINGTYPE_ICMP_PING) {
+    if (o.scan_delay) enforce_scan_delay(NULL);
+    sendpingquery(sd, rawsd, ethsd, target, seq, id, ss, time, PINGTYPE_ICMP_PING, ptech);
+  }
+  if (pingtype & PINGTYPE_ICMP_MASK) {
+    if (o.scan_delay) enforce_scan_delay(NULL);
+    sendpingquery(sd, rawsd, ethsd, target, seq, id, ss, time, PINGTYPE_ICMP_MASK, ptech);
+
+  }
+  if (pingtype & PINGTYPE_ICMP_TS) {
+    if (o.scan_delay) enforce_scan_delay(NULL);
+    sendpingquery(sd, rawsd, ethsd, target, seq, id, ss, time, PINGTYPE_ICMP_TS, ptech);
+  }
+
+  return 0;
+}
+
+
+int get_connecttcpscan_results(struct tcpqueryinfo *tqi, 
+			       Target *hostbatch[], 
+			       struct timeval *time, struct pingtune *pt, 
+			       struct timeout_info *to) {
+
+int res, res2;
+int tm;
+struct timeval myto, start, end;
+int hostindex;
+int trynum, newstate = HOST_DOWN;
+int seq;
+int p;
+char buf[256];
+int foundsomething = 0;
+fd_set myfds_r,myfds_w,myfds_x;
+gettimeofday(&start, NULL);
+ 
+while(pt->block_unaccounted) {
+  /* OK so there is a little fudge factor, SUE ME! */
+  myto.tv_sec  = to->timeout / 1000000; 
+  myto.tv_usec = to->timeout % 1000000;
+  foundsomething = 0;
+  myfds_r = tqi->fds_r;
+  myfds_w = tqi->fds_w;
+  myfds_x = tqi->fds_x;
+  res = select(tqi->maxsd + 1, &myfds_r, &myfds_w, &myfds_x, &myto);
+  if (res > 0) {
+    for(hostindex = pt->group_start; hostindex <= pt->group_end; hostindex++) {
+      for(trynum=0; trynum <= pt->block_tries; trynum++) {
+	seq = hostindex * pt->max_tries + trynum;
+	for(p=0; p < o.num_ping_synprobes; p++) {
+	  if (tqi->sockets[p][seq] >= 0) {
+	    if (o.debugging > 1) {
+	      if (FD_ISSET(tqi->sockets[p][seq], &(myfds_r))) {
+	        log_write(LOG_STDOUT, "WRITE selected for machine %s\n", hostbatch[hostindex]->targetipstr());  
+	      }
+	      if ( FD_ISSET(tqi->sockets[p][seq], &myfds_w)) {
+	        log_write(LOG_STDOUT, "READ selected for machine %s\n", hostbatch[hostindex]->targetipstr()); 
+	      }
+	      if  ( FD_ISSET(tqi->sockets[p][seq], &myfds_x)) {
+	        log_write(LOG_STDOUT, "EXC selected for machine %s\n", hostbatch[hostindex]->targetipstr());
+	      }
+	    }
+	    if (FD_ISSET(tqi->sockets[p][seq], &myfds_r) || FD_ISSET(tqi->sockets[p][seq], &myfds_w) ||  FD_ISSET(tqi->sockets[p][seq], &myfds_x)) {
+	      foundsomething = 0;
+	      res2 = recv(tqi->sockets[p][seq], buf, sizeof(buf) - 1, 0);
+	      if (res2 == -1) {
+  	        int sock_err = socket_errno();
+	        switch(sock_err) {
+	        case ECONNREFUSED:
+	        case EAGAIN:
+#ifdef WIN32
+			case WSAENOTCONN:
+#endif
+		  if (sock_err == EAGAIN && o.verbose) {
+		    log_write(LOG_STDOUT, "Machine %s MIGHT actually be listening on probe port %d\n", hostbatch[hostindex]->targetipstr(), o.ping_synprobes[p]);
+		  }
+		  foundsomething = 1;
+		  newstate = HOST_UP;	
+		  break;
+	        case ENETDOWN:
+	        case ENETUNREACH:
+	        case ENETRESET:
+	        case ECONNABORTED:
+	        case ETIMEDOUT:
+	        case EHOSTDOWN:
+	        case EHOSTUNREACH:
+		  foundsomething = 1;
+		  newstate = HOST_DOWN;
+		  break;
+	        default:
+		  snprintf (buf, sizeof(buf), "Strange read error from %s", hostbatch[hostindex]->targetipstr());
+		  fprintf(stderr, "%s: %s\n", buf, strerror(sock_err));
+		  break;
+	        }
+	      } else { 
+	        foundsomething = 1;
+	        newstate = HOST_UP;
+	        if (o.verbose) {	      
+		    log_write(LOG_STDOUT, "Machine %s is actually LISTENING on probe port %d\n",
+			   hostbatch[hostindex]->targetipstr(), 
+			   o.ping_synprobes[p]);
+	        }
+	      }
+	      if (foundsomething) {
+	        hostupdate(hostbatch, hostbatch[hostindex], newstate, 1, trynum,
+			 to,  &time[seq], NULL, pt, tqi, pingstyle_connecttcp);
+	      /*	      break;*/
+	      }
+	    }
+	  }
+        }
+      }
+    }
+  }
+  gettimeofday(&end, NULL);
+  tm = TIMEVAL_SUBTRACT(end,start);  
+  if (tm > (30 * to->timeout)) {
+    error("WARNING: getconnecttcpscanresults is taking way too long, skipping");
+    break;
+  }
+  if (res == 0 &&  tm > to->timeout) break; 
+}
+
+/* OK, now we have to kill all outstanding queries to make room for
+   the next group :( I'll miss these little guys. */
+ for(hostindex = pt->group_start; hostindex <= pt->group_end; hostindex++) { 
+      for(trynum=0; trynum <= pt->block_tries; trynum++) {
+	seq = hostindex * pt->max_tries + trynum;
+	for(p=0; p < o.num_ping_synprobes; p++) {
+	  if ( tqi->sockets[p][seq] >= 0) {
+	    tqi->sockets_out--;
+	    close(tqi->sockets[p][seq]);
+	    tqi->sockets[p][seq] = -1;
+	  }
+	}
+      }
+ }
+ tqi->maxsd = 0;
+ assert(tqi->sockets_out == 0);
+ FD_ZERO(&(tqi->fds_r));
+ FD_ZERO(&(tqi->fds_w));
+ FD_ZERO(&(tqi->fds_x));
+	 
+return 0;
+}
 
 
 /* loads an exclude file into an exclude target list  (mdmcl) */
@@ -1695,81 +1336,6 @@ TargetGroup* load_exclude(FILE *fExclude, char *szExclude) {
   return excludelist;
 }
 
-/* Is the host passed as Target to be excluded, much of this logic had  (mdmcl)
- * to be rewritten from wam's original code to allow for the objects */
-int hostInExclude(struct sockaddr *checksock, size_t checksocklen, 
-		  TargetGroup *exclude_group) {
-  unsigned long tmpTarget; /* ip we examine */
-  int i=0;                 /* a simple index */
-  char targets_type;       /* what is the address type of the Target Group */
-  struct sockaddr_storage ss; 
-  struct sockaddr_in *sin = (struct sockaddr_in *) &ss;
-  size_t slen;             /* needed for funct but not used */
-  unsigned long mask = 0;  /* our trusty netmask, which we convert to nbo */
-  struct sockaddr_in *checkhost;
-
-  if ((TargetGroup *)0 == exclude_group)
-    return 0;
-
-  assert(checksocklen >= sizeof(struct sockaddr_in));
-  checkhost = (struct sockaddr_in *) checksock;
-  if (checkhost->sin_family != AF_INET)
-    checkhost = NULL;
-
-  /* First find out what type of addresses are in the target group */
-  targets_type = exclude_group[i].get_targets_type();
-
-  /* Lets go through the targets until we reach our uninitialized placeholder */
-  while (exclude_group[i].get_targets_type() != TargetGroup::TYPE_NONE)
-  { 
-    /* while there are still hosts in the target group */
-    while (exclude_group[i].get_next_host(&ss, &slen) == 0) {
-      tmpTarget = sin->sin_addr.s_addr; 
-
-      /* For Netmasks simply compare the network bits and move to the next
-       * group if it does not compare, we don't care about the individual addrs */
-      if (targets_type == TargetGroup::IPV4_NETMASK) {
-        mask = htonl((unsigned long) (0-1) << 32-exclude_group[i].get_mask());
-        if ((tmpTarget & mask) == (checkhost->sin_addr.s_addr & mask)) {
-	  exclude_group[i].rewind();
-	  return 1;
-        }
-	else {
-	  break;
-	}
-      } 
-      /* For ranges we need to be a little more slick, if we don't find a match
-       * we should skip the rest of the addrs in the octet, thank wam for this
-       * optimization */
-      else if (targets_type == TargetGroup::IPV4_RANGES) {
-        if (tmpTarget == checkhost->sin_addr.s_addr) {
-          exclude_group[i].rewind();
-          return 1;
-        }
-        else { /* note these are in network byte order */
-	  if ((tmpTarget & 0x000000ff) != (checkhost->sin_addr.s_addr & 0x000000ff))
-            exclude_group[i].skip_range(TargetGroup::FIRST_OCTET); 
-	  else if ((tmpTarget & 0x0000ff00) != (checkhost->sin_addr.s_addr & 0x0000ff00))
-            exclude_group[i].skip_range(TargetGroup::SECOND_OCTET); 
-	  else if ((tmpTarget & 0x00ff0000) != (checkhost->sin_addr.s_addr & 0x00ff0000))
-            exclude_group[i].skip_range(TargetGroup::THIRD_OCTET); 
-
-          continue;
-        }
-      }
-#if HAVE_IPV6
-      else if (targets_type == TargetGroup::IPV6_ADDRESS) {
-        fatal("exclude file not supported for IPV6 -- If it is important to you, send a mail to fyodor@insecure.org so I can guage support\n");
-      }
-#endif
-    }
-    exclude_group[i++].rewind();
-  }
-
-  /* we did not find the host */
-  return 0;
-}
-
 /* A debug routine to dump some information to stdout.                  (mdmcl)
  * Invoked if debugging is set to 3 or higher
  * I had to make signigicant changes from wam's code. Although wam
@@ -1819,3 +1385,438 @@ int dumpExclude(TargetGroup *exclude_group) {
   return 1;
 }
  
+static void massping(Target *hostbatch[], int num_hosts, 
+              struct scan_lists *ports, int pingtype) {
+  static struct timeout_info to = {0,0,0};
+  static double gsize = (double) LOOKAHEAD;
+  int hostnum;
+  struct pingtune pt;
+  struct scanstats ss;
+  struct timeval begin_select;
+  struct pingtech ptech;
+  struct tcpqueryinfo tqi;
+  int max_block_size = 70;
+  struct ppkt {
+    unsigned char type;
+    unsigned char code;
+    unsigned short checksum;
+    unsigned short id;
+    unsigned short seq;
+  };
+  int elapsed_time;
+  int blockinc;
+  int probes_per_host = 0; /* Number of probes done for each host (eg
+			      ping packet plus two TCP ports would be 3) */
+  int sd_blocking = 1;
+  struct sockaddr_in sock;
+  u16 seq = 0;
+  int sd = -1, rawsd = -1, rawpingsd = -1;
+  eth_t *ethsd = NULL;
+  struct timeval *time;
+  struct timeval start, end;
+  unsigned short id;
+  pcap_t *pd = NULL;
+  char filter[512];
+  unsigned short sportbase;
+  int max_sockets = 0;
+  int p;
+  int group_start, group_end, direction; /* For going forward or backward through
+					    grouplen */
+  memset((char *)&ptech, 0, sizeof(ptech));
+
+  memset((char *) &pt, 0, sizeof(pt)); 
+
+  pt.up_this_block = 0;
+  pt.block_unaccounted = LOOKAHEAD;
+  pt.down_this_block = 0;
+  pt.num_responses = 0;
+  pt.max_tries = 5; /* Maximum number of tries for a block */
+  pt.group_start = 0;
+  pt.block_tries = 0; /* How many tries this block has gone through */
+  pt.seq_offset = get_random_u16(); // For distinguishing between received packets from this execution vs. concurrent nmaps
+
+  /* What port should we send from? */
+  if (o.magic_port_set) sportbase = o.magic_port;
+  else sportbase = o.magic_port + 20;
+
+  /* What kind of scans are we doing? */
+  if ((pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS)) && 
+      hostbatch[0]->v4source().s_addr) 
+    ptech.rawicmpscan = 1;
+  else if (pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS)) 
+    ptech.icmpscan = 1;
+  if (pingtype & PINGTYPE_UDP) 
+    ptech.rawudpscan = 1;
+  if (pingtype & PINGTYPE_TCP) {
+    if (o.isr00t && o.af() == AF_INET)
+      ptech.rawtcpscan = 1;
+    else ptech.connecttcpscan = 1;
+  }
+
+  probes_per_host = 0;
+  if (pingtype & PINGTYPE_ICMP_PING) probes_per_host++;
+  if (pingtype & PINGTYPE_ICMP_MASK) probes_per_host++;
+  if (pingtype & PINGTYPE_ICMP_TS) probes_per_host++;
+  probes_per_host += o.num_ping_synprobes + o.num_ping_ackprobes + o.num_ping_udpprobes;
+
+  pt.min_group_size = MAX(3, MAX(o.min_parallelism, 16) / probes_per_host);
+
+  /* I think max_parallelism mostly relates to # of probes in parallel against
+     a single machine.  So I only use it to go down to 15 here */
+  pt.group_size = (o.max_parallelism)? MIN(MAX(o.max_parallelism,15), gsize) : gsize;
+  /* Make sure we have at least the minimum parallelism level */
+  pt.group_size = MAX(pt.group_size, o.min_parallelism);
+  /* Reduce the group size proportionally to number of probes sent per host */
+  pt.group_size = MAX(pt.min_group_size, 0.9999 + pt.group_size / probes_per_host);
+  max_block_size /= probes_per_host;
+
+  /* TODO: I need to move ping scanning to ultra_scan or fix this
+     function to handle scan_delay the way ultra scan does (limit the
+     amount of time between probes sent to the SAME machine.  This func
+     does the opposite -- sends same-box probes immediately and waits to
+     go on to the next machine. */
+  if (o.scan_delay > 1000) {
+    pt.group_size = max_block_size = 1;
+  }
+
+  time = (struct timeval *) safe_zalloc(sizeof(struct timeval) * ((pt.max_tries) * num_hosts));
+  id = (unsigned short) get_random_uint();
+
+  if (ptech.connecttcpscan)  {
+    /* I think max_parallelism mostly relates to # of probes in parallel against
+       a given machine.  So I won't go below 15 here because of it */
+    max_sockets = MAX(1, max_sd() - 4);
+    if (o.max_parallelism) {
+      max_block_size = MIN(50, MAX(o.max_parallelism, 15) / probes_per_host);
+    } else {
+      max_block_size = MIN(50, max_sockets / probes_per_host);
+    }
+    max_block_size = MAX(1, max_block_size);
+    if (o.scan_delay > 1000)
+      max_block_size = 1;
+    pt.group_size = MIN(pt.group_size, max_block_size);
+    memset((char *)&tqi, 0, sizeof(tqi));
+
+    for(p=0; p < o.num_ping_synprobes; p++) {
+      tqi.sockets[p] = (int *) safe_malloc(sizeof(int) * (pt.max_tries) * num_hosts);
+      memset(tqi.sockets[p], 255, sizeof(int) * (pt.max_tries) * num_hosts);
+    }
+    FD_ZERO(&(tqi.fds_r));
+    FD_ZERO(&(tqi.fds_w));
+    FD_ZERO(&(tqi.fds_x));
+    tqi.sockets_out = 0;
+    tqi.maxsd = 0;
+  }
+
+  if (ptech.icmpscan) {
+    sd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+    if (sd < 0) pfatal("Socket trouble in massping"); 
+    unblock_socket(sd);
+#ifndef WIN32
+    sethdrinclude(sd);
+#endif
+    sd_blocking = 0;
+    if (num_hosts > 10)
+      max_rcvbuf(sd);
+    broadcast_socket(sd);
+  } else sd = -1;
+
+
+  /* if to timeout structure hasn't been initialized yet */
+  if (!to.srtt && !to.rttvar && !to.timeout) {
+    /*  to.srtt = 800000;
+	to.rttvar = 500000; */ /* we will init these when we get real data */
+    initialize_timeout_info(&to);
+  }
+
+  /* Init our raw socket */
+  if (o.numdecoys > 1 || ptech.rawtcpscan || ptech.rawicmpscan || ptech.rawudpscan) {
+    if ((o.sendpref & PACKET_SEND_ETH) && hostbatch[0]->ifType() == devt_ethernet) {
+      /* We'll send ethernet packets with dnet */
+      ethsd = eth_open(hostbatch[0]->deviceName());
+      if (ethsd == NULL)
+	fatal("dnet: Failed to open device %s", hostbatch[0]->deviceName());
+      rawsd = -1; rawpingsd = -1;
+    } else {
+      if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
+	pfatal("socket trobles in massping");
+      broadcast_socket(rawsd);
+#ifndef WIN32
+      sethdrinclude(rawsd);
+#endif
+
+      if ((rawpingsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
+	pfatal("socket trobles in massping");
+      broadcast_socket(rawpingsd);
+#ifndef WIN32
+      sethdrinclude(rawpingsd);
+#endif
+    }
+  } else { rawsd = -1; rawpingsd = -1; }
+
+  if (ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan) {
+    /* we need a pcap descript0r! */
+    /* MAX snaplen needed = 
+       24 bytes max link_layer header
+       64 bytes max IPhdr
+       16 bytes of the TCP header
+       ---
+       = 104 byte snaplen */
+    pd = my_pcap_open_live(hostbatch[0]->deviceName(), 104, o.spoofsource, 20);
+
+    snprintf(filter, sizeof(filter), "(icmp and dst host %s) or ((tcp or udp) and dst host %s and ( dst port %d or dst port %d or dst port %d or dst port %d or dst port %d))", 
+	     inet_ntoa(hostbatch[0]->v4source()),
+	     inet_ntoa(hostbatch[0]->v4source()),
+	     sportbase , sportbase + 1, sportbase + 2, sportbase + 3, 
+	     sportbase + 4);
+
+    set_pcap_filter(hostbatch[0]->deviceName(), pd, filter); 
+  }
+
+  blockinc = (int) (0.9999 + 8.0 / probes_per_host);
+
+  memset((char *)&sock,0,sizeof(sock));
+  gettimeofday(&start, NULL);
+
+  pt.group_end = (int) MIN(pt.group_start + pt.group_size -1, num_hosts -1);
+ 
+  while(pt.group_start < num_hosts) { /* while we have hosts left to scan */
+    do { /* one block */
+      pt.up_this_block = 0;
+      pt.down_this_block = 0;
+      pt.block_unaccounted = 0;
+
+      /* Sometimes a group gets too big for the network path and a
+	 router (especially things like cable/DSL modems) will drop our
+	 packets after a certain number have been sent.  If we just
+	 retry the exact same group, we are likely to get exactly the
+	 same behavior (missing later hosts).  So we reverse the order
+	 for each try */
+      direction = (pt.block_tries % 2 == 0)? 1 : -1;
+      if (direction == 1) { group_start = pt.group_start; group_end = pt.group_end; }
+      else { group_start = pt.group_end; group_end = pt.group_start; }
+      for(hostnum = group_start; hostnum != group_end + direction; hostnum += direction) {      
+	/* If (we don't know whether the host is up yet) ... */
+	if (!(hostbatch[hostnum]->flags & HOST_UP) && !hostbatch[hostnum]->wierd_responses && !(hostbatch[hostnum]->flags & HOST_DOWN)) {  
+	  /* Send a ping queries to it */
+	  seq = hostnum * pt.max_tries + pt.block_tries + pt.seq_offset;
+	  if (ptech.icmpscan && !sd_blocking) { 
+	    block_socket(sd); sd_blocking = 1; 
+	  }
+	  pt.block_unaccounted++;
+	  gettimeofday(&time[(seq - pt.seq_offset) & 0xFFFF], NULL);
+
+	  if (ptech.icmpscan || ptech.rawicmpscan)
+	    sendpingqueries(sd, rawpingsd, ethsd, hostbatch[hostnum],  
+			    seq, id, &ss, time, pingtype, ptech);
+       
+	  if (ptech.rawtcpscan || ptech.rawudpscan) 
+	    sendrawtcpudppingqueries(rawsd, ethsd, hostbatch[hostnum], pingtype, seq, time, &pt);
+
+	  else if (ptech.connecttcpscan) {
+	    sendconnecttcpqueries(hostbatch, &tqi, hostbatch[hostnum], seq, time, &pt, &to, max_sockets);
+	  }
+	}
+      } /* for() loop */
+      /* OK, we have sent our ping packets ... now we wait for responses */
+      gettimeofday(&begin_select, NULL);
+      do {
+	if (ptech.icmpscan && sd_blocking ) { 
+	  unblock_socket(sd); sd_blocking = 0; 
+	}
+	if(ptech.icmpscan || ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan) {       
+	  get_ping_results(sd, pd, hostbatch, pingtype, time, &pt, &to, id, 
+			   &ptech, ports);
+	}
+	if (ptech.connecttcpscan) {
+	  get_connecttcpscan_results(&tqi, hostbatch, time, &pt, &to);
+	}
+	gettimeofday(&end, NULL);
+	elapsed_time = TIMEVAL_SUBTRACT(end, begin_select);
+      } while( elapsed_time < to.timeout);
+      /* try again if a new box was found but some are still unaccounted for and
+	 we haven't run out of retries.  Always retry at least once.
+      */
+      pt.dropthistry = 0;
+      pt.block_tries++;
+    } while ((pt.up_this_block > 0 || pt.block_tries == 1) && pt.block_unaccounted > 0 && pt.block_tries < pt.max_tries);
+
+    if (o.debugging)
+      log_write(LOG_STDOUT, "Finished block: srtt: %d rttvar: %d timeout: %d block_tries: %d up_this_block: %d down_this_block: %d group_sz: %d\n", to.srtt, to.rttvar, to.timeout, pt.block_tries, pt.up_this_block, pt.down_this_block, pt.group_end - pt.group_start + 1);
+
+    if (pt.block_tries == 2 && pt.up_this_block == 0 && pt.down_this_block == 0)
+      /* Then it did not miss any hosts (that we know of)*/
+      pt.group_size = MIN(pt.group_size + blockinc, max_block_size);
+   
+    /* Move to next block */
+    pt.block_tries = 0;
+    pt.group_start = pt.group_end +1;
+    pt.group_end = (int) MIN(pt.group_start + pt.group_size -1, num_hosts -1);
+    /*   pt.block_unaccounted = pt.group_end - pt.group_start + 1;   */
+  }
+
+  if (sd >= 0) close(sd);
+  if (ptech.connecttcpscan)
+    for(p=0; p < o.num_ping_synprobes; p++)
+      free(tqi.sockets[p]);
+  if (sd >= 0) close(sd);
+  if (rawsd >= 0) close(rawsd);
+  if (rawpingsd >= 0) close(rawpingsd);
+  if (ethsd) eth_close(ethsd);
+  free(time);
+  if (pd) pcap_close(pd);
+  if (o.debugging) 
+    log_write(LOG_STDOUT, "massping done:  num_hosts: %d  num_responses: %d\n", num_hosts, pt.num_responses);
+  gsize = pt.group_size;
+  return;
+}
+
+Target *nexthost(HostGroupState *hs, TargetGroup *exclude_group,
+			    struct scan_lists *ports, int *pingtype) {
+int hidx = 0;
+int i;
+struct sockaddr_storage ss;
+size_t sslen;
+struct intf_entry *ifentry;
+ u32 ifbuf[200] ;
+ struct route_nfo rnfo;
+ bool arpping_done = false;
+ struct timeval now;
+
+ ifentry = (struct intf_entry *) ifbuf; 
+ ifentry->intf_len = sizeof(ifbuf); // TODO: May want to use a larger buffer if interface aliases prove important.
+if (hs->next_batch_no < hs->current_batch_sz) {
+  /* Woop!  This is easy -- we just pass back the next host struct */
+  return hs->hostbatch[hs->next_batch_no++];
+}
+/* Doh, we need to refresh our array */
+/* for(i=0; i < hs->max_batch_sz; i++) hs->hostbatch[i] = new Target(); */
+
+hs->current_batch_sz = hs->next_batch_no = 0;
+do {
+  /* Grab anything we have in our current_expression */
+  while (hs->current_batch_sz < hs->max_batch_sz && 
+	 hs->current_expression.get_next_host(&ss, &sslen) == 0)
+    {
+      if (hostInExclude((struct sockaddr *)&ss, sslen, exclude_group)) {
+	continue; /* Skip any hosts the user asked to exclude */
+      }
+      hidx = hs->current_batch_sz;
+      hs->hostbatch[hidx] = new Target();
+      hs->hostbatch[hidx]->setTargetSockAddr(&ss, sslen);
+
+      /* We figure out the source IP/device IFF
+	 1) We are r00t AND
+	 2) We are doing tcp or udp pingscan OR
+	 3) We are doing a raw-mode portscan or osscan OR
+	 4) We are on windows and doing ICMP ping */
+      if (o.isr00t && o.af() == AF_INET && 
+	  ((*pingtype & (PINGTYPE_TCP|PINGTYPE_UDP|PINGTYPE_ARP)) || o.RawScan()
+#ifdef WIN32
+	   || (*pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS))
+#endif // WIN32
+	   )) {
+	hs->hostbatch[hidx]->TargetSockAddr(&ss, &sslen);
+	if (!route_dst(&ss, &rnfo)) {
+	  fatal("%s: failed to determine route to %s", __FUNCTION__, hs->hostbatch[hidx]->NameIP());
+	}
+	if (rnfo.direct_connect) {
+	  hs->hostbatch[hidx]->setDirectlyConnected(true);
+	} else {
+	  hs->hostbatch[hidx]->setDirectlyConnected(false);
+	  hs->hostbatch[hidx]->setNextHop(&rnfo.nexthop, 
+					  sizeof(rnfo.nexthop));
+	}
+	hs->hostbatch[hidx]->setIfType(rnfo.ii.device_type);
+	if (rnfo.ii.device_type == devt_ethernet) {
+	  if (o.spoofMACAddress())
+	    hs->hostbatch[hidx]->setSrcMACAddress(o.spoofMACAddress());
+	  else hs->hostbatch[hidx]->setSrcMACAddress(rnfo.ii.mac);
+	}
+	hs->hostbatch[hidx]->setSourceSockAddr(&rnfo.srcaddr, sizeof(rnfo.srcaddr));
+	if (hidx == 0) /* Because later ones can have different src addy and be cut off group */
+	  o.decoys[o.decoyturn] = hs->hostbatch[hidx]->v4source();
+	hs->hostbatch[hidx]->setDeviceNames(rnfo.ii.devname, rnfo.ii.devfullname);
+	//	  printf("Target %s %s directly connected, goes through local iface %s, which %s ethernet\n", hs->hostbatch[hidx]->NameIP(), hs->hostbatch[hidx]->directlyConnected()? "IS" : "IS NOT", hs->hostbatch[hidx]->deviceName(), (hs->hostbatch[hidx]->ifType() == devt_ethernet)? "IS" : "IS NOT");
+      }
+      
+
+      /* In some cases, we can only allow hosts that use the same
+	 device in a group.  Similarly, we don't mix
+	 directly-connected boxes with those that aren't */
+      if (o.af() == AF_INET && o.isr00t && hidx > 0 && 
+	  hs->hostbatch[hidx]->deviceName() && 
+	  (hs->hostbatch[hidx]->v4source().s_addr != hs->hostbatch[0]->v4source().s_addr || 
+	   strcmp(hs->hostbatch[0]->deviceName(), 
+		  hs->hostbatch[hidx]->deviceName()) != 0 
+	  || hs->hostbatch[hidx]->directlyConnected() != hs->hostbatch[0]->directlyConnected())) {
+	/* Cancel everything!  This guy must go in the next group and we are
+	   out of here */
+	hs->current_expression.return_last_host();
+	delete hs->hostbatch[hidx];
+	goto batchfull;
+      }
+      hs->current_batch_sz++;
+}
+
+  if (hs->current_batch_sz < hs->max_batch_sz &&
+      hs->next_expression < hs->num_expressions) {
+    /* We are going to have to pop in another expression. */
+    while(hs->current_expression.parse_expr(hs->target_expressions[hs->next_expression++], o.af()) != 0) 
+      if (hs->next_expression >= hs->num_expressions)
+	break;
+  } else break;
+} while(1);
+
+ batchfull:
+ 
+if (hs->current_batch_sz == 0)
+  return NULL;
+
+/* OK, now we have our complete batch of entries.  The next step is to
+   randomize them (if requested) */
+if (hs->randomize) {
+  hoststructfry(hs->hostbatch, hs->current_batch_sz);
+}
+
+/* First I'll do the ARP ping if all of the machines in the group are
+   directly connected over ethernet.  I may need the MAC addresses
+   later anyway. */
+ if (hs->hostbatch[0]->ifType() == devt_ethernet && 
+     hs->hostbatch[0]->directlyConnected() && 
+     o.sendpref != PACKET_SEND_IP_STRONG) {
+   arpping(hs->hostbatch, hs->current_batch_sz, ports);
+   arpping_done = true;
+ }
+ 
+ gettimeofday(&now, NULL);
+ if ((o.sendpref & PACKET_SEND_ETH) && 
+     hs->hostbatch[0]->ifType() == devt_ethernet) {
+   for(i=0; i < hs->current_batch_sz; i++)
+     if (!(hs->hostbatch[i]->flags & HOST_DOWN) && 
+	 !hs->hostbatch[i]->timedOut(&now))
+       if (!setTargetNextHopMAC(hs->hostbatch[i]))
+	 fatal("%s: Failed to determine dst MAC address for target %s", 
+	       __FUNCTION__, hs->hostbatch[hidx]->NameIP());
+ }
+
+ /* TODO: Maybe I should allow real ping scan of directly connected
+    ethernet hosts? */
+ /* Then we do the mass ping (if required - IP-level pings) */
+ if ((*pingtype == PINGTYPE_NONE && !arpping_done) || hs->hostbatch[0]->ifType() == devt_loopback) {
+   for(i=0; i < hs->current_batch_sz; i++)  {
+     if (!hs->hostbatch[i]->timedOut(&now)) {
+       initialize_timeout_info(&hs->hostbatch[i]->to);
+       hs->hostbatch[i]->flags |= HOST_UP; /*hostbatch[i].up = 1;*/
+     }
+   }
+ } else if (!arpping_done)
+   if (*pingtype & PINGTYPE_ARP) /* A host that we can't arp scan ... maybe localhost */
+     massping(hs->hostbatch, hs->current_batch_sz, ports, DEFAULT_PING_TYPES);
+   else
+     massping(hs->hostbatch, hs->current_batch_sz, ports, *pingtype);
+ 
+ if (!o.noresolve) nmap_mass_rdns(hs->hostbatch, hs->current_batch_sz);
+ 
+ return hs->hostbatch[hs->next_batch_no++];
+}
diff --git a/targets.h b/targets.h
index 7f554f836..9325aad98 100644
--- a/targets.h
+++ b/targets.h
@@ -163,45 +163,12 @@ struct pingtech {
 };
 
 
-int get_ping_results(int sd, pcap_t *pd, Target *hostbatch[], 
-		     int pingtype, struct timeval *time,  struct pingtune *pt,
-		     struct timeout_info *to, int id, struct pingtech *ptech, 
-		     struct scan_lists *ports);
-int sendpingqueries(int sd, int rawsd, eth_t *ethsd, Target *target,  
-		  u16 seq, unsigned short id, struct scanstats *ss, 
-		  struct timeval *time, int pingtype, struct pingtech ptech);
-int sendpingquery(int sd, int rawsd, eth_t *ethsd, Target *target,  
-		  u16 seq, unsigned short id, struct scanstats *ss, 
-		  struct timeval *time, int pingtype, struct pingtech ptech);
-int sendrawtcpudppingqueries(int rawsd, eth_t *ethsd, Target *target, int pingtype,
-			  u16 seq, struct timeval *time, struct pingtune *pt);
-int sendrawtcppingquery(int rawsd, struct eth_nfo *eth, Target *target, int pingtype, u16 probe_port,
-			u16 seq, struct timeval *time, struct pingtune *pt);
-int sendrawudppingquery(int rawsd, struct eth_nfo *eth, Target *target, u16 probe_port,
-			u16 seq, struct timeval *time, struct pingtune *pt);
-int sendconnecttcpqueries(Target *hostbatch[], struct tcpqueryinfo *tqi, Target *target,
-			  u16 seq, struct timeval *time, struct pingtune *pt, struct timeout_info *to, int max_sockets);
-int sendconnecttcpquery(Target *hostbatch[], struct tcpqueryinfo *tqi, Target *target, int probe_port_num,
-			u16 seq, struct timeval *time, struct pingtune *pt, struct timeout_info *to, int max_sockets);
-int get_connecttcpscan_results(struct tcpqueryinfo *tqi, 
-			       Target *hostbatch[], 
-			       struct timeval *time, struct pingtune *pt, 
-			       struct timeout_info *to);
-char *readhoststate(int state);
-void massping(Target *hostbatch[], int numhosts, 
-		struct scan_lists *ports, int pingtype);
-void hoststructfry(Target *hostbatch[], int nelem);
 /* Ports is the list of ports the user asked to be scanned (0 terminated),
    you can just pass NULL (it is only a stupid optimization that needs it) */
 Target *nexthost(HostGroupState *hs, TargetGroup *exclude_group, 
 		 struct scan_lists *ports, int *pingtype);
 /* loads an exclude file into a excluded target list */
 TargetGroup* load_exclude(FILE *fExclude, char *szExclude);
-/* is the host we're passed in one that
- * should be excluded?
- */
-int hostInExclude(struct sockaddr *checksock, size_t checksocklen, 
-		  TargetGroup *exclude_group);
 /* a debugging routine to dump an exclude list to stdout. */
 int dumpExclude(TargetGroup*exclude_group);
 /* Returns the last host obtained by nexthost.  It will be given again the next
diff --git a/tcpip.cc b/tcpip.cc
index 87c4465e8..2eb7228d2 100644
--- a/tcpip.cc
+++ b/tcpip.cc
@@ -256,156 +256,13 @@ void PacketTrace::traceArp(pdirection pdir, const u8 *frame, u32 len,
   return;
 }
 
-  /* Takes an IP PACKET and prints it if packet tracing is enabled.
-     'packet' must point to the IPv4 header. The direction must be
-     PacketTrace::SENT or PacketTrace::RCVD .  Optional 'now' argument
-     makes this function slightly more efficient by avoiding a gettimeofday()
-     call. */
-void PacketTrace::trace(pdirection pdir, const u8 *packet, u32 len,
-			struct timeval *now) {
-  struct timeval tv;
-
-  if (pdir == SENT) {
-    PktCt.sendPackets++;
-    PktCt.sendBytes += len;
-  } else {
-    PktCt.recvPackets++;
-    PktCt.recvBytes += len;
-  }
-
-  if (!o.packetTrace()) return;
-
-  if (now)
-    tv = *now;
-  else gettimeofday(&tv, NULL);
-
-  if (len < 20) {
-    error("Packet tracer: tiny packet encountered");
-    return;
-  }
-
-  log_write(LOG_STDOUT|LOG_NORMAL, "%s (%.4fs) %s\n", (pdir == SENT)? "SENT" : "RCVD",  o.TimeSinceStartMS(&tv) / 1000.0, ippackethdrinfo(packet, len));
-
-  return;
-}
-
-/* Adds a trace entry when a connect() is attempted if packet tracing
-   is enabled.  Pass IPPROTO_TCP or IPPROTO_UDP as the protocol.  The
-   sock may be a sockaddr_in or sockaddr_in6.  The return code of
-   connect is passed in connectrc.  If the return code is -1, get the
-   errno and pass that as connect_errno. */
-void PacketTrace::traceConnect(u8 proto, const struct sockaddr *sock, 
-			       int socklen, int connectrc, int connect_errno,
-			       const struct timeval *now) {
-  struct sockaddr_in *sin = (struct sockaddr_in *) sock;
-#if HAVE_IPV6
-  struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) sock;
-#endif
-  struct timeval tv;
-  char errbuf[64] = "";
-  char targetipstr[INET6_ADDRSTRLEN] = "";
-  u16 targetport = 0;
-
-  if (!o.packetTrace()) return;
-  
-  if (now)
-    tv = *now;
-  else gettimeofday(&tv, NULL);
-
-  assert(proto == IPPROTO_TCP || proto == IPPROTO_UDP);
-
-  if (connectrc == 0)
-    Strncpy(errbuf, "Connected", sizeof(errbuf));
-  else {
-    snprintf(errbuf, sizeof(errbuf), "%s", strerror(connect_errno));
-  }
-
-  if (sin->sin_family == AF_INET) {
-    if (inet_ntop(sin->sin_family, (char *) &sin->sin_addr, targetipstr, 
-		  sizeof(targetipstr)) == NULL)
-      fatal("Failed to convert target IPv4 address to presentation format!?!");
-    targetport = ntohs(sin->sin_port);
-  } else {
-#if HAVE_IPV6
-    assert(sin->sin_family == AF_INET6);
-    if (inet_ntop(sin->sin_family, (char *) &sin6->sin6_addr, targetipstr, 
-		  sizeof(targetipstr)) == NULL)
-      fatal("Failed to convert target IPv4 address to presentation format!?!");
-    targetport = ntohs(sin6->sin6_port);
-#else
-    assert(0);
-#endif
-  }
-
-  log_write(LOG_STDOUT|LOG_NORMAL, "CONN (%.4fs) %s localhost > %s:%d => %s\n",
-	    o.TimeSinceStartMS(&tv) / 1000.0, 
-	    (proto == IPPROTO_TCP)? "TCP" : "UDP", targetipstr, targetport, 
-	    errbuf);
-}
-
-
-
-
-
-
-/* Converts an IP address given in a sockaddr_storage to an IPv4 or
-   IPv6 IP address string.  Since a static buffer is returned, this is
-   not thread-safe and can only be used once in calls like printf() 
-*/
-const char *inet_socktop(struct sockaddr_storage *ss) {
-  static char buf[INET6_ADDRSTRLEN];
-  struct sockaddr_in *sin = (struct sockaddr_in *) ss;
-#if HAVE_IPV6
-  struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) ss;
-#endif
-
-  if (inet_ntop(sin->sin_family, (sin->sin_family == AF_INET)? 
-                (char *) &sin->sin_addr : 
-#if HAVE_IPV6
-				(char *) &sin6->sin6_addr, 
-#else
-                (char *) NULL,
-#endif /* HAVE_IPV6 */
-                buf, sizeof(buf)) == NULL) {
-    fatal("Failed to convert target address to presentation format in inet_socktop!?!  Error: %s", strerror(socket_errno()));
-  }
-  return buf;
-}
-
-/* Tries to resolve the given name (or literal IP) into a sockaddr
-   structure.  The af should be PF_INET (for IPv4) or PF_INET6.  Returns 0
-   if hostname cannot be resolved.  It is OK to pass in a sockaddr_in or 
-   sockaddr_in6 casted to a sockaddr_storage as long as you use the matching 
-   pf.*/
-int resolve(char *hostname, struct sockaddr_storage *ss, size_t *sslen,
-	    int pf) {
-
-  struct addrinfo hints;
-  struct addrinfo *result;
-  int rc;
-
-  assert(ss);
-  assert(sslen);
-  memset(&hints, 0, sizeof(hints));
-  hints.ai_family = pf;
-  rc = getaddrinfo(hostname, NULL, &hints, &result);
-  if (rc != 0)
-    return 0;
-  assert(result->ai_addrlen > 0 && result->ai_addrlen <= (int) sizeof(struct sockaddr_storage));
-  *sslen = result->ai_addrlen;
-  memcpy(ss, result->ai_addr, *sslen);
-  freeaddrinfo(result);
-  return 1;
-}
-
-
 /* Returns a buffer of ASCII information about a packet that may look
    like "TCP 127.0.0.1:50923 > 127.0.0.1:3 S ttl=61 id=39516 iplen=40
    seq=625950769" or "ICMP PING (0/1) ttl=61 id=39516 iplen=40".
    Since this is a static buffer, don't use threads or call twice
    within (say) printf().  And certainly don't try to free() it!  The
    returned buffer is NUL-terminated */
-const char *ippackethdrinfo(const u8 *packet, u32 len) {
+static const char *ippackethdrinfo(const u8 *packet, u32 len) {
   static char protoinfo[256];
   struct ip *ip = (struct ip *) packet;
   struct tcphdr *tcp;
@@ -619,6 +476,148 @@ const char *ippackethdrinfo(const u8 *packet, u32 len) {
   return protoinfo;
 }
 
+  /* Takes an IP PACKET and prints it if packet tracing is enabled.
+     'packet' must point to the IPv4 header. The direction must be
+     PacketTrace::SENT or PacketTrace::RCVD .  Optional 'now' argument
+     makes this function slightly more efficient by avoiding a gettimeofday()
+     call. */
+void PacketTrace::trace(pdirection pdir, const u8 *packet, u32 len,
+			struct timeval *now) {
+  struct timeval tv;
+
+  if (pdir == SENT) {
+    PktCt.sendPackets++;
+    PktCt.sendBytes += len;
+  } else {
+    PktCt.recvPackets++;
+    PktCt.recvBytes += len;
+  }
+
+  if (!o.packetTrace()) return;
+
+  if (now)
+    tv = *now;
+  else gettimeofday(&tv, NULL);
+
+  if (len < 20) {
+    error("Packet tracer: tiny packet encountered");
+    return;
+  }
+
+  log_write(LOG_STDOUT|LOG_NORMAL, "%s (%.4fs) %s\n", (pdir == SENT)? "SENT" : "RCVD",  o.TimeSinceStartMS(&tv) / 1000.0, ippackethdrinfo(packet, len));
+
+  return;
+}
+
+/* Adds a trace entry when a connect() is attempted if packet tracing
+   is enabled.  Pass IPPROTO_TCP or IPPROTO_UDP as the protocol.  The
+   sock may be a sockaddr_in or sockaddr_in6.  The return code of
+   connect is passed in connectrc.  If the return code is -1, get the
+   errno and pass that as connect_errno. */
+void PacketTrace::traceConnect(u8 proto, const struct sockaddr *sock, 
+			       int socklen, int connectrc, int connect_errno,
+			       const struct timeval *now) {
+  struct sockaddr_in *sin = (struct sockaddr_in *) sock;
+#if HAVE_IPV6
+  struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) sock;
+#endif
+  struct timeval tv;
+  char errbuf[64] = "";
+  char targetipstr[INET6_ADDRSTRLEN] = "";
+  u16 targetport = 0;
+
+  if (!o.packetTrace()) return;
+  
+  if (now)
+    tv = *now;
+  else gettimeofday(&tv, NULL);
+
+  assert(proto == IPPROTO_TCP || proto == IPPROTO_UDP);
+
+  if (connectrc == 0)
+    Strncpy(errbuf, "Connected", sizeof(errbuf));
+  else {
+    snprintf(errbuf, sizeof(errbuf), "%s", strerror(connect_errno));
+  }
+
+  if (sin->sin_family == AF_INET) {
+    if (inet_ntop(sin->sin_family, (char *) &sin->sin_addr, targetipstr, 
+		  sizeof(targetipstr)) == NULL)
+      fatal("Failed to convert target IPv4 address to presentation format!?!");
+    targetport = ntohs(sin->sin_port);
+  } else {
+#if HAVE_IPV6
+    assert(sin->sin_family == AF_INET6);
+    if (inet_ntop(sin->sin_family, (char *) &sin6->sin6_addr, targetipstr, 
+		  sizeof(targetipstr)) == NULL)
+      fatal("Failed to convert target IPv4 address to presentation format!?!");
+    targetport = ntohs(sin6->sin6_port);
+#else
+    assert(0);
+#endif
+  }
+
+  log_write(LOG_STDOUT|LOG_NORMAL, "CONN (%.4fs) %s localhost > %s:%d => %s\n",
+	    o.TimeSinceStartMS(&tv) / 1000.0, 
+	    (proto == IPPROTO_TCP)? "TCP" : "UDP", targetipstr, targetport, 
+	    errbuf);
+}
+
+
+
+
+
+
+/* Converts an IP address given in a sockaddr_storage to an IPv4 or
+   IPv6 IP address string.  Since a static buffer is returned, this is
+   not thread-safe and can only be used once in calls like printf() 
+*/
+const char *inet_socktop(struct sockaddr_storage *ss) {
+  static char buf[INET6_ADDRSTRLEN];
+  struct sockaddr_in *sin = (struct sockaddr_in *) ss;
+#if HAVE_IPV6
+  struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) ss;
+#endif
+
+  if (inet_ntop(sin->sin_family, (sin->sin_family == AF_INET)? 
+                (char *) &sin->sin_addr : 
+#if HAVE_IPV6
+				(char *) &sin6->sin6_addr, 
+#else
+                (char *) NULL,
+#endif /* HAVE_IPV6 */
+                buf, sizeof(buf)) == NULL) {
+    fatal("Failed to convert target address to presentation format in inet_socktop!?!  Error: %s", strerror(socket_errno()));
+  }
+  return buf;
+}
+
+/* Tries to resolve the given name (or literal IP) into a sockaddr
+   structure.  The af should be PF_INET (for IPv4) or PF_INET6.  Returns 0
+   if hostname cannot be resolved.  It is OK to pass in a sockaddr_in or 
+   sockaddr_in6 casted to a sockaddr_storage as long as you use the matching 
+   pf.*/
+int resolve(char *hostname, struct sockaddr_storage *ss, size_t *sslen,
+	    int pf) {
+
+  struct addrinfo hints;
+  struct addrinfo *result;
+  int rc;
+
+  assert(ss);
+  assert(sslen);
+  memset(&hints, 0, sizeof(hints));
+  hints.ai_family = pf;
+  rc = getaddrinfo(hostname, NULL, &hints, &result);
+  if (rc != 0)
+    return 0;
+  assert(result->ai_addrlen > 0 && result->ai_addrlen <= (int) sizeof(struct sockaddr_storage));
+  *sslen = result->ai_addrlen;
+  memcpy(ss, result->ai_addr, *sslen);
+  freeaddrinfo(result);
+  return 1;
+}
+
 
 int islocalhost(const struct in_addr * const addr) {
 char dev[128];
@@ -937,6 +936,87 @@ int send_tcp_raw( int sd, struct eth_nfo *eth, const struct in_addr *source,
   return res;
 }
 
+/* Create and send all fragments of a pre-built IPv4 packet
+ * Minimal MTU for IPv4 is 68 and maximal IPv4 header size is 60
+ * which gives us a right to cut TCP header after 8th byte
+ * (shouldn't we inflate the header to 60 bytes too?) */
+int send_frag_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, 
+			unsigned int packetlen, unsigned int mtu)
+{
+  struct ip *ip = (struct ip *) packet;
+  int headerlen = ip->ip_hl * 4; // better than sizeof(struct ip)
+  unsigned int datalen = packetlen - headerlen;
+  int fdatalen = 0, res = 0;
+
+  assert(headerlen <= (int) packetlen);
+  assert(headerlen >= 20 && headerlen <= 60); // sanity check (RFC791)
+  assert(mtu > 0 && mtu % 8 == 0); // otherwise, we couldn't set Fragment offset (ip->ip_off) correctly
+
+  if (datalen <= mtu) {
+    error("Warning: fragmentation (mtu=%i) requested but the payload is too small already (%i)", mtu, datalen);
+    return send_ip_packet(sd, eth, packet, packetlen);
+  }
+
+  u8 *fpacket = (u8 *) safe_malloc(headerlen + mtu);
+  memcpy(fpacket, packet, headerlen + mtu);
+  ip = (struct ip *) fpacket;
+
+  // create fragments and send them
+  for (int fragment = 1; fragment * mtu < datalen + mtu; fragment++) {
+    fdatalen = (fragment * mtu <= datalen ? mtu : datalen % mtu);
+    ip->ip_len = htons(headerlen + fdatalen);
+    ip->ip_off = htons((fragment-1) * mtu / 8);
+    if ((fragment-1) * mtu + fdatalen < datalen)
+      ip->ip_off |= htons(IP_MF);
+#if HAVE_IP_IP_SUM
+    ip->ip_sum = in_cksum((unsigned short *)ip, headerlen);
+#endif
+    if (fragment > 1) // copy data payload
+      memcpy(fpacket + headerlen, packet + headerlen + (fragment - 1) * mtu, fdatalen);
+    res = send_ip_packet(sd, eth, fpacket, headerlen + fdatalen);
+    if (res == -1)
+      break;
+  }
+  free(fpacket);
+  return res;
+}
+
+static int Sendto(char *functionname, int sd, const unsigned char *packet, 
+		  int len, unsigned int flags, struct sockaddr *to, int tolen) {
+
+struct sockaddr_in *sin = (struct sockaddr_in *) to;
+int res;
+int retries = 0;
+int sleeptime = 0;
+
+do {
+  if ((res = sendto(sd, (const char *) packet, len, flags, to, tolen)) == -1) {
+    int err = socket_errno();
+
+    error("sendto in %s: sendto(%d, packet, %d, 0, %s, %d) => %s",
+	  functionname, sd, len, inet_ntoa(sin->sin_addr), tolen,
+	  strerror(err));
+#if WIN32
+	return -1;
+#else
+    if (retries > 2 || err == EPERM || err == EACCES || err == EADDRNOTAVAIL
+	|| err == EINVAL)
+      return -1;
+    sleeptime = 15 * (1 << (2 * retries));
+    error("Sleeping %d seconds then retrying", sleeptime);
+    fflush(stderr);
+    sleep(sleeptime);
+#endif
+  }
+  retries++;
+} while( res == -1);
+
+ PacketTrace::trace(PacketTrace::SENT, packet, len); 
+
+return res;
+}
+
+
 /* Send a pre-built IPv4 packet */
 int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int packetlen) {
   struct sockaddr_in sock;
@@ -1007,53 +1087,6 @@ int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int packetl
   return res;
 }
 
-/* Create and send all fragments of a pre-built IPv4 packet
- * Minimal MTU for IPv4 is 68 and maximal IPv4 header size is 60
- * which gives us a right to cut TCP header after 8th byte
- * (shouldn't we inflate the header to 60 bytes too?) */
-int send_frag_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, 
-			unsigned int packetlen, unsigned int mtu)
-{
-    struct ip *ip = (struct ip *) packet;
-    int headerlen = ip->ip_hl * 4; // better than sizeof(struct ip)
-    unsigned int datalen = packetlen - headerlen;
-    int fdatalen = 0, res = 0;
-
-    assert(headerlen <= (int) packetlen);
-    assert(headerlen >= 20 && headerlen <= 60); // sanity check (RFC791)
-    assert(mtu > 0 && mtu % 8 == 0); // otherwise, we couldn't set Fragment offset (ip->ip_off) correctly
-
-    if (datalen <= mtu) {
-        error("Warning: fragmentation (mtu=%i) requested but the payload is too small already (%i)", mtu, datalen);
-        return send_ip_packet(sd, eth, packet, packetlen);
-    }
-
-    u8 *fpacket = (u8 *) safe_malloc(headerlen + mtu);
-    memcpy(fpacket, packet, headerlen + mtu);
-    ip = (struct ip *) fpacket;
-
-    // create fragments and send them
-    for (int fragment = 1; fragment * mtu < datalen + mtu; fragment++) {
-        fdatalen = (fragment * mtu <= datalen ? mtu : datalen % mtu);
-        ip->ip_len = htons(headerlen + fdatalen);
-        ip->ip_off = htons((fragment-1) * mtu / 8);
-        if ((fragment-1) * mtu + fdatalen < datalen)
-            ip->ip_off |= htons(IP_MF);
-#if HAVE_IP_IP_SUM
-        ip->ip_sum = in_cksum((unsigned short *)ip, headerlen);
-#endif
-        if (fragment > 1) // copy data payload
-            memcpy(fpacket + headerlen, packet + headerlen + (fragment - 1) * mtu, fdatalen);
-        res = send_ip_packet(sd, eth, fpacket, headerlen + fdatalen);
-        if (res == -1)
-            break;
-    }
-
-    free(fpacket);
-
-    return res;
-}
-
 /* Builds an ICMP packet (including an IP header) by packing the fields
    with the given information.  It allocates a new buffer to store the
    packet contents, and then returns that buffer.  The packet is not
@@ -1113,19 +1146,6 @@ return build_ip_raw(source, victim, o.ttl, IPPROTO_ICMP, get_random_u16(),
 		    ping, icmplen, packetlen);
 }
 
-void readippacket(const u8 *packet, int readdata) {
-  struct ip *ip = (struct ip *) packet;
-  switch(ip->ip_p) {
-  case IPPROTO_UDP:
-    readudppacket(packet, readdata);
-    break;
-    /* Should add ICMP here at some point */
-  default:
-    readtcppacket(packet, readdata);
-    break;
-  }
-
-}
 
 /* A simple function I wrote to help in debugging, shows the important fields
    of a TCP packet*/
@@ -1659,7 +1679,9 @@ bool pcap_recv_timeval_valid() {
    with the given ip (ss) and mac address.  An existing entry for the
    IP ss will be overwritten with the new MAC address.  true is always
    returned for the set command. */
-bool NmapArpCache(int command, struct sockaddr_storage *ss, u8 *mac) {
+#define ARPCACHE_GET 1
+#define ARPCACHE_SET 2
+static bool NmapArpCache(int command, struct sockaddr_storage *ss, u8 *mac) {
   struct sockaddr_in *sin = (struct sockaddr_in *) ss;
   struct ArpCache { 
     u32 ip; /* Network byte order */
@@ -1856,7 +1878,7 @@ int setTargetMACIfAvailable(Target *target, struct link_header *linkhdr,
    broadcast MAC address.  The transmission is attempted up to 3
    times.  If none of these elicit a response, false will be returned.
    If the mac is determined, true is returned. */
-bool doArp(const char *dev, const u8 *srcmac, 
+static bool doArp(const char *dev, const u8 *srcmac, 
 	   const struct sockaddr_storage *srcip, 
 	   const struct sockaddr_storage *targetip, u8 *targetmac) {
   /* timeouts in microseconds ... the first ones are retransmit times, while 
@@ -2084,7 +2106,7 @@ struct dnet_collector_route_nfo {
   int numifaces;
 };
 
-int collect_dnet_routes(const struct route_entry *entry, void *arg) {
+static int collect_dnet_routes(const struct route_entry *entry, void *arg) {
   struct dnet_collector_route_nfo *dcrn = (struct dnet_collector_route_nfo *) arg;
   int i;
 
@@ -2122,7 +2144,7 @@ int collect_dnet_routes(const struct route_entry *entry, void *arg) {
   return 0;
 }
 
-int collect_dnet_interfaces(const struct intf_entry *entry, void *arg) {
+static int collect_dnet_interfaces(const struct intf_entry *entry, void *arg) {
   struct dnet_collector_route_nfo *dcrn = (struct dnet_collector_route_nfo *) arg;
   int i;
   int numifaces = dcrn->numifaces;
@@ -2840,41 +2862,6 @@ if (echots) *echots = 0;
 return 0;
 }
 
-int Sendto(char *functionname, int sd, const unsigned char *packet, int len, 
-	   unsigned int flags, struct sockaddr *to, int tolen) {
-
-struct sockaddr_in *sin = (struct sockaddr_in *) to;
-int res;
-int retries = 0;
-int sleeptime = 0;
-
-do {
-  if ((res = sendto(sd, (const char *) packet, len, flags, to, tolen)) == -1) {
-    int err = socket_errno();
-
-    error("sendto in %s: sendto(%d, packet, %d, 0, %s, %d) => %s",
-	  functionname, sd, len, inet_ntoa(sin->sin_addr), tolen,
-	  strerror(err));
-#if WIN32
-	return -1;
-#else
-    if (retries > 2 || err == EPERM || err == EACCES || err == EADDRNOTAVAIL
-	|| err == EINVAL)
-      return -1;
-    sleeptime = 15 * (1 << (2 * retries));
-    error("Sleeping %d seconds then retrying", sleeptime);
-    fflush(stderr);
-    sleep(sleeptime);
-#endif
-  }
-  retries++;
-} while( res == -1);
-
- PacketTrace::trace(PacketTrace::SENT, packet, len); 
-
-return res;
-}
-
 IPProbe::IPProbe() {
   packetbuflen = 0;
   packetbuf = NULL;
diff --git a/tcpip.h b/tcpip.h
index c9d992358..e78caad09 100644
--- a/tcpip.h
+++ b/tcpip.h
@@ -629,11 +629,6 @@ u8 *build_ip_raw(const struct in_addr *source, const struct in_addr *victim,
 int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, 
 		   unsigned int packetlen);
 
-/* Create and send all fragments of the pre-built packet */
-/* mtu = MTU - ipv4_headerlen */
-int send_frag_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, 
-			unsigned int packetlen, unsigned int mtu);
-
 /* Decoy versions of the raw packet sending functions ... */
 int send_tcp_raw_decoys( int sd, struct eth_nfo *eth, 
 			 const struct in_addr *victim, int ttl,
@@ -656,15 +651,6 @@ pcap_t *my_pcap_open_live(const char *device, int snaplen, int promisc,
 // invalid (Windows and Amiga), readip_pcap returns the time you called it.
 bool pcap_recv_timeval_valid();
 
-/* Returns a buffer of ASCII information about a packet that may look
-   like "TCP 127.0.0.1:50923 > 127.0.0.1:3 S ttl=61 id=39516 iplen=40
-   seq=625950769" or "ICMP PING (0/1) ttl=61 id=39516 iplen=40".
-   Since this is a static buffer, don't use threads or call twice
-   within (say) printf().  And certainly don't try to free() it!  The
-   returned buffer is NUL-terminated */
-const char *ippackethdrinfo(const u8 *packet, u32 len);
-/* Shows the most important fields of an IP packet (including dissecting TCP/UDP headers.  packet should point to the beginning of the IP header  */
-void readippacket(const u8 *packet, int readdata);
 /* A simple function I wrote to help in debugging, shows the important fields
    of a TCP packet*/
 int readtcppacket(const u8 *packet, int readdata);
@@ -726,8 +712,6 @@ bool setTargetNextHopMAC(Target *target);
 
 int islocalhost(const struct in_addr * const addr);
 int unblock_socket(int sd);
-int Sendto(char *functionname, int sd, const unsigned char *packet, int len, 
-	   unsigned int flags, struct sockaddr *to, int tolen);
 
 // Takes a protocol number like IPPROTO_TCP, IPPROTO_UDP, or
 // IPPROTO_TCP and returns a ascii representation (or "unknown" if it
@@ -744,19 +728,6 @@ int get_link_offset(char *device);
 char *readip_pcap(pcap_t *pd, unsigned int *len, long to_usec, 
 		  struct timeval *rcvdtime, struct link_header *linknfo);
 
-/* A trivial functon that maintains a cache of IP to MAC Address
-   entries.  If the command is ARPCACHE_GEt, this func looks for the
-   IPv4 address in ss and fills in the 'mac' parameter and returns
-   true if it is found.  Otherwise (not found), the function returns
-   false.  If the command is ARPCACHE_SET, the function adds an entry
-   with the given ip (ss) and mac address.  An existing entry for the
-   IP ss will be overwritten with the new MAC address.  true is always
-   returned for the set command. */
-#define ARPCACHE_GET 1
-#define ARPCACHE_SET 2
-bool NmapArpCache(int command, struct sockaddr_storage *ss, u8 *mac);
-
-
 /* Attempts to read one IPv4/Ethernet ARP reply packet from the pcap
    descriptor pd.  If it receives one, fills in sendermac (must pass
    in 6 bytes), senderIP, and rcvdtime (can be NULL if you don't care)
@@ -767,15 +738,6 @@ bool NmapArpCache(int command, struct sockaddr_storage *ss, u8 *mac);
 int read_arp_reply_pcap(pcap_t *pd, u8 *sendermac, struct in_addr *senderIP,
 		       long to_usec, struct timeval *rcvdtime);
 
-/* Issues an ARP request for the MAC of targetss (which will be placed
-   in targetmac if obtained) from the source IP (srcip) and source mac
-   (srcmac) given.  "The request is ussued using device dev to the
-   broadcast MAC address.  The transmission is attempted up to 3
-   times.  If none of these elicit a response, false will be returned.
-   If the mac is determined, true is returned. */
-bool doArp(const char *dev, u8 *srcmac, struct sockaddr_storage *srcip, 
-	   struct sockaddr_storage *targetip, u8 *targetmac);
-
 #ifndef HAVE_INET_ATON
 int inet_aton(register const char *, struct in_addr *);
 #endif
diff --git a/tty.cc b/tty.cc
index 6e3f19489..56a4c7493 100644
--- a/tty.cc
+++ b/tty.cc
@@ -127,7 +127,7 @@ extern NmapOps o;
 // Microsoft's runtime makes this fairly simple. :)
 void tty_init() { return; }
 static int tty_getchar() { return _kbhit() ? getch() : -1; }
-void tty_done() { return; }
+static void tty_done() { return; }
 
 #else
 #if !defined(O_NONBLOCK) && defined(O_NDELAY)
@@ -146,33 +146,6 @@ extern int tcsetattr(int fd, int actions, struct termios *termios_p);
 static int tty_fd = 0;
 static struct termios saved_ti;
 
-void tty_init()
-{
-	int fd;
-	struct termios ti;
-
-	if ((fd = open("/dev/tty", O_RDONLY | O_NONBLOCK)) < 0) return;
-
-#ifndef __CYGWIN32__
-	if (tcgetpgrp(fd) != getpid()) {
-		close(fd); return;
-	}
-#endif
-
-	tcgetattr(fd, &ti);
-	if (tty_fd == 0)
-	  saved_ti = ti;
-	ti.c_lflag &= ~(ICANON | ECHO);
-	ti.c_cc[VMIN] = 1;
-	ti.c_cc[VTIME] = 0;
-	tcsetattr(fd, TCSANOW, &ti);
-
-	if (tty_fd == 0) 
-	  tty_fd = fd;
-	
-	atexit(tty_done);
-}
-
 static int tty_getchar()
 {
 	int c, numChars;
@@ -200,7 +173,7 @@ static int tty_getchar()
 	return -1;
 }
 
-void tty_done()
+static void tty_done()
 {
 	int fd;
 
@@ -212,14 +185,45 @@ void tty_done()
 	close(fd);
 }
 
+/*
+ * Initializes the terminal for unbuffered non-blocking input. Also
+ * registers tty_done() via atexit().  You need to call this before
+ * you ever call keyWasPressed().
+ */
+void tty_init()
+{
+	int fd;
+	struct termios ti;
+
+	if ((fd = open("/dev/tty", O_RDONLY | O_NONBLOCK)) < 0) return;
+
+#ifndef __CYGWIN32__
+	if (tcgetpgrp(fd) != getpid()) {
+		close(fd); return;
+	}
+#endif
+
+	tcgetattr(fd, &ti);
+	if (tty_fd == 0)
+	  saved_ti = ti;
+	ti.c_lflag &= ~(ICANON | ECHO);
+	ti.c_cc[VMIN] = 1;
+	ti.c_cc[VTIME] = 0;
+	tcsetattr(fd, TCSANOW, &ti);
+
+	if (tty_fd == 0) 
+	  tty_fd = fd;
+	
+	atexit(tty_done);
+}
+
 #endif  //!win32
 
-/* This is the best method here. It will catch all of the predefined
+/* Catches all of the predefined
    keypresses and interpret them, and it will also tell you if you
    should print anything. A value of true being returned means a
    nonstandard key has been pressed and the calling method should
    print a status message */
-
 bool keyWasPressed()
 {
   int c;
diff --git a/tty.h b/tty.h
index 26f14c54b..cdb181eb1 100644
--- a/tty.h
+++ b/tty.h
@@ -97,15 +97,15 @@
  ***************************************************************************/
 
 /*
- * Initializes the terminal for unbuffered non-blocking input. Also registers
- * tty_done() via atexit().
+ * Initializes the terminal for unbuffered non-blocking input. Also
+ * registers tty_done() via atexit().  You need to call this before
+ * you ever call keyWasPressed().
  */
 void tty_init();
 
-/*
- * Restores the terminal parameters and closes the file descriptor.
- */
-void tty_done();
-
-/* This is the best method here. It will catch all of the predefined keypresses and interpret them, and it will also tell you if you should print anything. A value of true being returned means a nonstandard key has been pressed and the calling method should print a status message */
+/* Catches all of the predefined keypresses and interpret them, and it
+   will also tell you if you should print anything. A value of true
+   being returned means a nonstandard key has been pressed and the
+   calling method should print a status message */
 bool keyWasPressed();
+
diff --git a/utils.cc b/utils.cc
index fdc7d7e98..23c8bdd70 100644
--- a/utils.cc
+++ b/utils.cc
@@ -371,71 +371,6 @@ int Send(int sd, const void *msg, size_t len, int flags) {
   return (res < 0)? -1 : (int) len;
 }
 
-// Write data to a file descriptor, keep retrying until an error or the full length
-// is written.  Returns -1 if there is an error, or len if the full length was sent.
-// Note that this does NOT work well on Windows using sockets -- so use Send() above 
-// for those.  I don't know if it works with regular files on Windows with files).
-ssize_t Write(int fd, const void *buf, size_t count) {
-  int res;
-  unsigned int len;
-
-  len = 0;
-  do {
-    res = write(fd,(char *) buf + len,count - len);
-    if (res > 0)
-      len += res;
-  } while(len < count && (res != -1 || socket_errno() == EINTR));
-
-  return (res == -1)? -1 : (int) count;
-}
-
-
-/* gcd_1 and gcd_n_long were sent in by Peter Kosinar <goober@gjh.sk> 
-   Not needed for gcd_n_long, just for the case you'd want to have gcd
-   for two arguments too. */
-unsigned long gcd_ulong(unsigned long a, unsigned long b)
-{
-  /* Shorter
-     while (b) { a%=b; if (!a) return b; b%=a; } */
-  
-  /* Faster */
-  unsigned long c; 
-  if (a<b) { c=a; a=b; b=c; }
-  while (b) { c=a%b; a=b; b=c; }
-  
-  /* Common for both */
-  return a;
-}
-
-unsigned long gcd_n_ulong(long nvals, unsigned long *val)
- {
-   unsigned long a,b,c;
-   
-   if (!nvals) return 1;
-   a=*val;
-   for (nvals--;nvals;nvals--)
-     {
-       b=*++val;
-       if (a<b) { c=a; a=b; b=c; }
-       while (b) { c=a%b; a=b; b=c; }
-     }
-   return a;
- }
-
-unsigned int gcd_uint(unsigned int a, unsigned int b)
-{
-  /* Shorter
-     while (b) { a%=b; if (!a) return b; b%=a; } */
-  
-  /* Faster */
-  unsigned int c; 
-  if (a<b) { c=a; a=b; b=c; }
-  while (b) { c=a%b; a=b; b=c; }
-  
-  /* Common for both */
-  return a;
-}
-
 unsigned int gcd_n_uint(int nvals, unsigned int *val)
  {
    unsigned int a,b,c;
diff --git a/utils.h b/utils.h
index fb668b16a..c22932826 100644
--- a/utils.h
+++ b/utils.h
@@ -207,11 +207,6 @@ char *chomp(char *string);
 // is sent.  Returns -1 if there is an error, or len if the full length was sent.
 int Send(int sd, const void *msg, size_t len, int flags);
 
-ssize_t Write(int fd, const void *buf, size_t count);
-
-unsigned long gcd_ulong(unsigned long a, unsigned long b);
-unsigned int gcd_uint(unsigned int a, unsigned int b);
-unsigned long gcd_n_ulong(long nvals, unsigned long *val);
 unsigned int gcd_n_uint(int nvals, unsigned int *val);
 
 int arg_parse(const char *command, char ***argv);