
Nmap 4.02Alpha1 release for Everdream

This commit is contained in:
fyodor
2006-03-03 23:12:14 +00:00
parent bd46c3ae39
commit 848ad2a96a
19 changed files with 164 additions and 116 deletions


@@ -1,4 +1,32 @@
# Nmap Changelog ($Id$); -*-text-*-
Nmap 4.02ALPHA1
o Fixed a flaw in the scan engine which could (in rare cases)
lead to a deadlock situation that prevents a scan from completing.
Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for reporting
and helping to debug the problem.
o If the pcap_open_live() call (initiates sniffing) fails, Nmap now
tries up to two more times after waiting a little while. This is
attempt to work around a rare bug on Windows in which the
pcap_open_live() fails for unknown reasons.
o Fixed a flaw in the runtime interaction in which Nmap would include
hosts currently being scanned in the number of hosts "completed"
statistic.
o Fixed a crash in OS scan which could occur on Windows when a DHCP
lease issue causes the system to lose its IP address. Nmap still
quits, but at least it gives a proper error message now. Thanks to
Ganga Bhavani (GBhavani(a)everdreamcorp.com) for the patch.
o Applied more than half a dozen small code cleanup patches from
Kris Katterjohn (kjak(a)ispwest.com).
o Modified the configure script to accept CXX when specified as an
absolute path rather than just the executable name. Thanks to
Daniel Roethlisberger (daniel(a)roe.ch) for this patch.
Nmap 4.01
o Fixed a bug that would cause bogus reverse-DNS resolution on


@@ -1,4 +1,4 @@
export NMAP_VERSION = 4.01
export NMAP_VERSION = 4.02Alpha1
NMAP_NAME= Nmap
NMAP_URL= http://www.insecure.org/nmap/
NMAP_PLATFORM=@host@


@@ -177,17 +177,13 @@ void NmapOps::Initialize() {
char tmpxsl[MAXPATHLEN];
setaf(AF_INET);
#ifndef WIN32
# ifdef __amigaos__
isr00t = 1;
# else
if (getenv("NMAP_PRIVILEGED"))
isr00t = 1;
else
isr00t = !(geteuid());
# endif // __amigaos__
#else
#if defined WIN32 || defined __amigaos__
isr00t = 1;
#else
if (getenv("NMAP_PRIVILEGED"))
isr00t = 1;
else
isr00t = !(geteuid());
#endif
debugging = DEBUGGING;
verbose = DEBUGGING;
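Review bot: The new `#if defined WIN32 || defined __amigaos__` block loses the `// __amigaos__` annotation the removed `# endif` carried, so the closing `#endif` no longer says what it closes; `#endif /* WIN32 || __amigaos__ */` keeps that. The `getenv("NMAP_PRIVILEGED")` branch is unchanged but now sits in a flatter structure, and it is worth stating next to it that it is a presence-only, unverified assertion, e.g. `/* NMAP_PRIVILEGED set (any value) means the caller asserts raw-socket privileges; nothing here checks that claim */`. NmapOps::Initialize() continues outside the hunk.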

configure vendored

@@ -2649,7 +2649,8 @@ else
ac_cv_prog_CXXPROG="$CXXPROG" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
as_dummy=""$PATH":/"
for as_dir in $as_dummy
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.


@@ -42,7 +42,7 @@ AC_PROG_CXX
if test -n "$GXX"; then
CXXFLAGS="$CXXFLAGS -Wall "
fi
AC_CHECK_PROG(CXXPROG, "$CXX", "AVAILABLE", "MISSING")
AC_CHECK_PROG(CXXPROG, "$CXX", "AVAILABLE", "MISSING", "$PATH":/)
if test $CXXPROG = "MISSING"; then
AC_MSG_ERROR([Could not locate a C++ compiler. If it exists, add it to your PATH or give configure the CXX=path_to_compiler argument. Otherwise, install a C++ compiler such as g++ or install a binary package of Nmap (see http://www.insecure.org/nmap/nmap_download.html ))])
fi
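Review bot: Appending `:/` to the search path in the new `AC_CHECK_PROG` call makes an absolute `$CXX` resolve (the PATH walk then tests `/$CXX`), but a `$CXX` given with a relative directory such as `../gcc/g++` still fails the same way, and the extra root entry means an executable of that name sitting in `/` would satisfy the check whenever nothing earlier in PATH does. A more direct form is to accept an explicit path first, `case $CXX in /*) test -x "$CXX" && CXXPROG=AVAILABLE ;; esac`, and fall back to the unmodified PATH search otherwise. The regenerated configure carries the same string as `as_dummy=""$PATH":/"`, so that hunk follows this line.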


@@ -2,7 +2,7 @@
.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
.\" Instead of manually editing it, you probably should edit the DocBook XML
.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
.TH "NMAP" "1" "02/16/2006" "" "Nmap Reference Guide"
.TH "NMAP" "1" "03/02/2006" "" "Nmap Reference Guide"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -362,12 +362,12 @@ Tells Nmap to
\fIalways\fR
do reverse DNS resolution on the target IP addresses. Normally this is only performed when a machine is found to be alive.
.TP
\fB\-\-system_dns\fR (Use system DNS resolver)
\fB\-\-system\-dns\fR (Use system DNS resolver)
By default, Nmap resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses. Many requests (often dozens) are performed in parallel for performance. Specify this option if you wish to use your system resolver instead (one IP at a time via the getnameinfo() call). This is slower and rarely useful unless there is a bug in the Nmap DNS code \-\- please contact us if that is the case. The system resolver is always used for IPv6 scans.
.TP
\fB\-\-dns_servers <server1[,server2],...> \fR (Servers to use for reverse DNS queries)
\fB\-\-dns\-servers <server1[,server2],...> \fR (Servers to use for reverse DNS queries)
Normally Nmap will try to determine the DNS servers from your resolv.conf file (UNIX) or the registry (Win32). Alternatively, you may use this option to specify your own servers. This option is not honored if you are using
\fB\-\-system_dns\fR
\fB\-\-system\-dns\fR
or an IPv6 scan. Using multiple DNS servers is often faster than querying just one.
.SH "PORT SCANNING BASICS"
.PP
@@ -744,6 +744,16 @@ When Nmap is unable to detect a perfect OS match, it sometimes offers up near\-m
One of my highest Nmap development priorities has always been performance. A default scan (\fBnmap \fR\fB\fIhostname\fR\fR) of a host on my local network takes a fifth of a second. That is barely enough time to blink, but adds up when you are scanning tens or hundreds of thousands of hosts. Moreover, certain scan options such as UDP scanning and version detection can increase scan times substantially. So can certain firewall configurations, particularly response rate limiting. While Nmap utilizes parallelism and many advanced algorithms to accelerate these scans, the user has ultimate control over how Nmap runs. Expert users carefully craft Nmap commands to obtain only the information they care about while meeting their time constraints.
.PP
Techniques for improving scan times include omitting non\-critical tests, and upgrading to the latest version of Nmap (performance enhancements are made frequently). Optimizing timing parameters can also make a substantial difference. Those options are listed below.
.PP
Some options accept a
time
parameter. This is specified in milliseconds by default, though you can append \(oqs\(cq, \(oqm\(cq, or \(oqh\(cq to the value to specify seconds, minutes, or hours. So the
\fB\-\-host\-timeout\fR
arguments
900000,
900s, and
15m
all do the same thing.
.TP
\fB\-\-min\-hostgroup <numhosts>\fR; \fB\-\-max\-hostgroup <numhosts>\fR (Adjust parallel scan group sizes)
Nmap has the ability to port scan or version scan multiple hosts in parallel. Nmap does this by dividing the target IP space into groups and then scanning one group at a time. In general, larger groups are more efficient. The downside is that host results can't be provided until the whole group is finished. So if Nmap started out with a group size of 50, the user would not receive any reports (except for the updates offered in verbose mode) until the first 50 hosts are completed.
@@ -770,14 +780,10 @@ option is sometimes set to one to prevent Nmap from sending more than one probe
\fB\-\-scan\-delay\fR
(discussed later), although the latter usually serves the purpose well enough by itself.
.TP
\fB\-\-min_rtt_timeout <time>\fR, \fB\-\-max\-rtt\-timeout <time>\fR, \fB\-\-initial\-rtt\-timeout <time>\fR (Adjust probe timeouts)
\fB\-\-min\-rtt\-timeout <time>\fR, \fB\-\-max\-rtt\-timeout <time>\fR, \fB\-\-initial\-rtt\-timeout <time>\fR (Adjust probe timeouts)
Nmap maintains a running timeout value for determining how long it will wait for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes. If the network latency shows itself to be significant and variable, this timeout can grow to several seconds. It also starts at a conservative (high) level and may stay that way for a while when Nmap scans unresponsive hosts.
.sp
These options take a value in milliseconds, or you can append
s,
m, or
h
to the argument to specify a time in seconds, minutes, or hours. Specifying a lower
Specifying a lower
\fB\-\-max\-rtt\-timeout\fR
and
\fB\-\-initial\-rtt\-timeout\fR
@@ -790,7 +796,7 @@ value. If routing is involved, ping a host on the network first with the ICMP pi
and triple or quadruple it for the
\fB\-\-max\-rtt\-timeout\fR. I generally do not set the maximum rtt below 100ms, no matter what the ping times are. Nor do I exceed 1000ms.
.sp
\fB\-\-min_rtt_timeout\fR
\fB\-\-min\-rtt\-timeout\fR
is a rarely used option that could be useful when a network is so unreliable that even Nmap's default is too aggressive. Since Nmap only reduces the timeout down to the minimum when the network seems to be reliable, this need is unusual and should be reported as a bug to the nmap\-dev mailing list.
.TP
\fB\-\-max\-retries <numtries>\fR (Specify the maximum number of port scan probe retransmissions)
@@ -809,22 +815,14 @@ expire and losing all information about the target.
\fB\-\-host\-timeout <time>\fR (Give up on slow target hosts)
Some hosts simply take a
\fIlong\fR
time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time. Sometimes it is best to cut your losses and skip those hosts initially. This can be done by specifying
time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time. Sometimes it is best to cut your losses and skip those hosts initially. Specify
\fB\-\-host\-timeout\fR
with the number of milliseconds you are willing to wait. Alternatively, you can append
s,
m, or
h
to the argument to specify a timeout in seconds, minutes, or hours. I often specify
with the maximum amoung of time you are willing to wait. I often specify
30m
to ensure that Nmap doesn't waste more than half an hour on a single host. Note that Nmap may be scanning other hosts at the same time during that half an hour as well, so it isn't a complete loss. A host that times out is skipped. No port table, OS detection, or version detection results are printed for that host.
.TP
\fB\-\-scan\-delay <time>\fR; \fB\-\-max_scan\-delay <time>\fR (Adjust delay between probes)
This option causes Nmap to wait at least the given number of milliseconds between each probe it sends to a given host. As with many other timing options, you can append
s,
m, or
h
to the argument to specify a delay in seconds, minutes, or hours instead. This is particularly useful in the case of rate limiting. Solaris machines (among many others) will usually respond to UDP scan probe packets with only one ICMP message per second. Any more than that sent by Nmap will be wasteful. A
This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting. Solaris machines (among many others) will usually respond to UDP scan probe packets with only one ICMP message per second. Any more than that sent by Nmap will be wasteful. A
\fB\-\-scan\-delay\fR
of
1s
@@ -887,7 +885,7 @@ does the equivalent of
and sets the maximum TCP scan delay to 10 milliseconds.
\fBT5\fR
does the equivalent of
\fB\-\-max\-rtt\-timeout 300 \-\-min_rtt_timeout 50 \-\-initial\-rtt\-timeout 250 \-\-max\-retries 2 \-\-host\-timeout 900000\fR
\fB\-\-max\-rtt\-timeout 300 \-\-min\-rtt\-timeout 50 \-\-initial\-rtt\-timeout 250 \-\-max\-retries 2 \-\-host\-timeout 15m\fR
as well as setting the maximum TCP scan delay to 5ms.
.SH "FIREWALL/IDS EVASION AND SPOOFING"
.PP
@@ -1251,7 +1249,7 @@ During the execution of nmap, all key presses are captured. This allows you to i
\fIlowercase letters increase\fR
the amount of printing, and
\fIuppercase letters decrease\fR
the printing. You may also press \(oq\fI?\fR\(cq for
the printing. You may also press \(oq\fI?\fR\(cq for help.
.TP
\fBv\fR / \fBV\fR
Increase / Decrease the Verbosity


@@ -1,4 +1,4 @@
Nmap 4.01 ( http://www.insecure.org/nmap/ )
Nmap 4.02Alpha1 ( http://www.insecure.org/nmap/ )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
@@ -39,14 +39,16 @@ OS DETECTION:
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's'
(seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5]: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <msec>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <msec>: Specifies
--min-parallelism/max-parallelism <time>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <msec>: Give up on target after this long
--scan-delay/--max-scan-delay <msec>: Adjust delay between probes
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys


@@ -372,6 +372,8 @@ void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
memcpy(proxy->eth.srcmac, proxy->host.SrcMACAddress(), 6);
memcpy(proxy->eth.dstmac, proxy->host.NextHopMACAddress(), 6);
proxy->eth.ethsd = eth_open(proxy->host.deviceName());
if (proxy->eth.ethsd == NULL)
fatal("%s: Failed to open ethernet device (%s)", __FUNCTION__, proxy->host.deviceName());
proxy->rawsd = -1;
proxy->ethptr = &proxy->eth;
} else {
@@ -665,6 +667,8 @@ int idlescan_countopen2(struct idle_proxy_info *proxy,
memcpy(eth.srcmac, target->SrcMACAddress(), 6);
memcpy(eth.dstmac, target->NextHopMACAddress(), 6);
eth.ethsd = eth_open(target->deviceName());
if (eth.ethsd == NULL)
fatal("%s: Failed to open ethernet device (%s)", __FUNCTION__, target->deviceName());
} else eth.ethsd = NULL;
/* I start by sending out the SYN pr0bez */
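Review bot: The added `eth_open()` NULL check and its `fatal("%s: Failed to open ethernet device (%s)", __FUNCTION__, …)` message are repeated verbatim in both hunks here and a third time in the hunk after `get_random_bytes(&sequence_base, …)`, so the three copies will drift; a small wrapper around `eth_open()` that calls `fatal()` on NULL and returns the handle would keep the message and the check in one place. In idlescan_countopen2 the handle opened into the local `eth.ethsd` is presumably closed on every exit path, but that is outside the hunk and worth confirming now that the failure case exits through `fatal()`. Both functions start and continue outside the hunks.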


@@ -16065,7 +16065,8 @@ PU(Resp=N)
# Motorola Surfboard Cable modem Software Version: SB5100-2.3.1.3-SCM00-NOSHHardware Version: 3MIB+Version: IIGUI Version: 1.0VxWorks Version: 5.4
# Motorola Cable Modem SB5100E SW_REV: SB5100E-2.3.1.3-SCM01-NOSH
# Motorola SB5100 Surfboard 5100 Cable Modem vSB5100-2.3.1.6-SCM01-NOSH
Fingerprint Motorola Cable Modem SB5100/CG4500E or Thomson Cable Modem TCM390
# Thomson Cable Modem TCM410
Fingerprint Motorola (SB5100/CG4500E) or Thomson (TCM390/TCM410) Cable Modem
Class Motorola | VxWorks || broadband router
TSeq(Class=64K%IPID=I%TS=U)
T1(DF=N%W=2000%ACK=S++%Flags=AS%Ops=MNW)

nmap.cc

@@ -1313,6 +1313,7 @@ int nmap_main(int argc, char *argv[]) {
delete currenths;
Targets.pop_back();
}
o.numhosts_scanning = 0;
} while(!o.max_ips_to_scan || o.max_ips_to_scan > o.numhosts_scanned);
delete hstate;
@@ -1671,14 +1672,16 @@ printf("%s %s ( %s )\n"
" --osscan-limit: Limit OS detection to promising targets\n"
" --osscan-guess: Guess OS more aggressively\n"
"TIMING AND PERFORMANCE:\n"
" Options which take <time> are in milliseconds, unless you append 's'\n"
" (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).\n"
" -T[0-5]: Set timing template (higher is faster)\n"
" --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes\n"
" --min-parallelism/max-parallelism <msec>: Probe parallelization\n"
" --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <msec>: Specifies\n"
" --min-parallelism/max-parallelism <time>: Probe parallelization\n"
" --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies\n"
" probe round trip time.\n"
" --max-retries <tries>: Caps number of port scan probe retransmissions.\n"
" --host-timeout <msec>: Give up on target after this long\n"
" --scan-delay/--max-scan-delay <msec>: Adjust delay between probes\n"
" --host-timeout <time>: Give up on target after this long\n"
" --scan-delay/--max-scan-delay <time>: Adjust delay between probes\n"
"FIREWALL/IDS EVASION AND SPOOFING:\n"
" -f; --mtu <val>: fragment packets (optionally w/given MTU)\n"
" -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys\n"
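Review bot: In the first hunk `o.numhosts_scanning = 0;` is placed after the group loop with no explanation, yet the output.cc hunk now reports completed hosts as `o.numhosts_scanned - o.numhosts_scanning`, which is only correct if this counter is reset once each group has finished; a comment stating that dependency keeps the reset from being dropped later, e.g. `/* Group done: reset so printStatusMessage()'s completed count (numhosts_scanned - numhosts_scanning) is right between groups */`. The usage text in the second hunk duplicates the separately changed usage file, so the two need to be kept in step by hand. nmap_main() starts and continues outside the hunk.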

nmap.h

@@ -454,7 +454,6 @@ int listen_icmp(int icmpsock, unsigned short outports[],
int nmap_main(int argc, char *argv[]);
/* general helper functions */
void *safe_malloc(int size);
char *grab_next_host_spec(FILE *inputfd, int argc, char **fakeargv);
int parse_targets(struct targets *targets, char *h);
char *statenum2str(int state);


@@ -431,7 +431,7 @@ int encoded_name_to_normal(unsigned char *buf, char *output, int outputsize){
// Takes a pointer to the start of a DNS name inside a packet. It makes
// sure that there is enough space in the name, deals with compression, etc.
int advance_past_dns_name(unsigned char *buf, int buflen, int curbuf,
int advance_past_dns_name(u8 *buf, int buflen, int curbuf,
int *nameloc) {
int compression=0;
@@ -443,7 +443,7 @@ int advance_past_dns_name(unsigned char *buf, int buflen, int curbuf,
// Compression is OK
compression = curbuf+2;
curbuf = ((buf[curbuf+1] & 0xFF) + ((buf[curbuf] & 0xFF) << 8)) & 0x3FFF;
curbuf = (buf[curbuf+1] + (buf[curbuf] << 8)) & 0x3FFF;
if (curbuf < 0 || curbuf >= buflen) return -1;
}
@@ -462,7 +462,7 @@ int advance_past_dns_name(unsigned char *buf, int buflen, int curbuf,
// Nsock read handler. One nsock read for each DNS server exists at each
// time. This function uses various helper functions as defined above.
void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
unsigned char *buf;
u8 *buf;
int buflen, curbuf=0;
int i, nameloc, rdlen, atype, aclass;
int errcode=0;
@@ -485,7 +485,7 @@ void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
// Size of header is 12, and we must have additional data as well
if (buflen <= 12) return;
packet_id = (buf[1] & 0xFF) + ((buf[0] & 0xFF) << 8);
packet_id = buf[1] + (buf[0] << 8);
// Check that this is a response, standard query, and that no truncation was performed
// 0xFA == 11111010 (we're not concerned with AA or RD bits)
@@ -493,14 +493,14 @@ void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
// Check that Recursion is available, the zero field is all zeros
// and there is no error condition:
if ((buf[3] & 0xFF) != 0x80) {
if (buf[3] != 0x80) {
if ((buf[3] & 0xF) == 2) errcode = 2;
else if ((buf[3] & 0xF) == 3) errcode = 3;
else return;
}
queries = (buf[5] & 0xFF) + ((buf[4] & 0xFF) << 8);
answers = (buf[7] & 0xFF) + ((buf[6] & 0xFF) << 8);
queries = buf[5] + (buf[4] << 8);
answers = buf[7] + (buf[6] << 8);
// With a normal resolution, we should have 1+ queries and 1+ answers.
// If the domain doesn't resolve (NXDOMAIN or SERVFAIL) we should have
@@ -549,9 +549,9 @@ void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
// RDLENGTH (2) fields
if (curbuf + 10 >= buflen) return;
atype = (buf[curbuf+1] & 0xFF) + ((buf[curbuf+0] & 0xFF) << 8);
aclass = (buf[curbuf+3] & 0xFF) + ((buf[curbuf+2] & 0xFF) << 8);
rdlen = (buf[curbuf+9] & 0xFF) + ((buf[curbuf+8] & 0xFF) << 8);
atype = buf[curbuf+1] + (buf[curbuf+0] << 8);
aclass = buf[curbuf+3] + (buf[curbuf+2] << 8);
rdlen = buf[curbuf+9] + (buf[curbuf+8] << 8);
curbuf += 10;
if (atype == 12 && aclass == 1) {
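Review bot: Dropping the `& 0xFF` masks (for example `packet_id = buf[1] + (buf[0] << 8);`) is only equivalent if `u8` is an unsigned 8-bit type; that typedef is not in the hunk, and with a signed element type the masking was load-bearing, so a note at the declaration such as `u8 *buf; /* must be unsigned: bytes are combined below without masking */` records the assumption. The same big-endian 16-bit extraction is now written out eight times across advance_past_dns_name and read_evt_handler; a helper like `static inline int dns_u16(const u8 *p) { return (p[0] << 8) | p[1]; }` would make the bounds-checked reads easier to audit, which matters because `buf` is data received off the wire. After `& 0x3FFF` the `curbuf < 0` test on the next line can no longer be true and could be dropped. Both functions continue outside the hunks.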


@@ -104,7 +104,7 @@
#ifndef NMAP_WINCONFIG_H
#define NMAP_WINCONFIG_H
#define NMAP_VERSION "4.01"
#define NMAP_VERSION "4.02Alpha1"
#define NMAP_NAME "Nmap"
#define NMAP_URL "http://www.insecure.org/nmap"
#define NMAP_PLATFORM "i686-pc-windows-windows"


@@ -291,6 +291,9 @@ get_random_bytes(&sequence_base, sizeof(unsigned int));
memcpy(eth.srcmac, target->SrcMACAddress(), 6);
memcpy(eth.dstmac, target->NextHopMACAddress(), 6);
eth.ethsd = eth_open(target->deviceName());
if (eth.ethsd == NULL)
fatal("%s: Failed to open ethernet device (%s)", __FUNCTION__, target->deviceName());
rawsd = -1;
ethptr = &eth;
} else {


@@ -1394,7 +1394,7 @@ void printStatusMessage() {
log_write(LOG_STDOUT,
"Stats: %d:%02d:%02d elapsed; %d hosts completed (%d up), %d undergoing %s\n",
time/60/24, time/60 % 24, time % 60, o.numhosts_scanned,
time/60/24, time/60 % 24, time % 60, o.numhosts_scanned - o.numhosts_scanning,
o.numhosts_up, o.numhosts_scanning, scantype2str(o.scantype));
}
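Review bot: The changed `log_write` call keeps `time/60/24, time/60 % 24, time % 60` as the arguments for a `%d:%02d:%02d elapsed` field; if `time` holds elapsed seconds (its computation is outside the hunk) those are not hours:minutes:seconds, which would be `time/60/60, time/60 % 60, time % 60`. Since this commit is specifically making the status line accurate, it is worth confirming the unit before release. printStatusMessage() starts outside the hunk.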


@@ -807,6 +807,7 @@ GroupScanStats::~GroupScanStats() {
/* Returns true if the GLOBAL system says that sending is OK.*/
bool GroupScanStats::sendOK() {
int recentsends;
if (USI->scantype == CONNECT_SCAN && CSI->numSDs >= CSI->maxSocketsAllowed)
return false;
@@ -815,7 +816,9 @@ bool GroupScanStats::sendOK() {
the last listen call, at least for systems such as Windoze that
don't give us a proper pcap time. Also for connect scans, since
we don't get an exact response time with them either. */
if (USI->scantype == CONNECT_SCAN || !pcap_recv_timeval_valid()) {
recentsends = USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait;
if (recentsends > 0 &&
(USI->scantype == CONNECT_SCAN || !pcap_recv_timeval_valid())) {
int to_ms = (int) MAX(to.srtt * .75 / 1000, 50);
if (TIMEVAL_MSEC_SUBTRACT(USI->now, last_wait) > to_ms)
return false;
@@ -828,7 +831,7 @@ bool GroupScanStats::sendOK() {
responses when I scan localhost. And half of those are the @#$#
sends being received. I think I'll put a limit of 50 sends per
wait */
if (USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait >= 50)
if (recentsends >= 50)
return false;
/* When there is only one target left, let the host congestion
@@ -969,7 +972,7 @@ bool HostScanStats::sendOK(struct timeval *when) {
getTiming(&tmng);
if (tmng.cwnd >= num_probes_active + .5 &&
(freshPortsLeft() || num_probes_waiting_retransmit)) {
(freshPortsLeft() || num_probes_waiting_retransmit || !retry_stack.empty())) {
if (when) *when = USI->now;
return true;
}
@@ -3293,7 +3296,7 @@ void processData(UltraScanInfo *USI) {
if (tryno_capped && lastRetryCappedWarning != USI) {
/* Perhaps I should give this on a per-host basis. Oh
well, hopefully it is rare anyway. */
printf("Warning: Finishing early because retransmission cap hit.\n");
printf("Warning: Giving up on port early because retransmission cap hit.\n");
lastRetryCappedWarning = USI;
}
continue;
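Review bot: The `recentsends > 0 &&` guard added in GroupScanStats::sendOK is the behavioural fix of this section (presumably the deadlock described in the CHANGELOG hunk), but nothing in the code says why a zero count must bypass the wait-based throttle; a comment such as `/* Nothing sent since the last wait, so there is nothing to wait for; throttling here could stall the scan */` would protect it from being "simplified" away. Style: `recentsends` is declared at the top of the function and assigned later; `const int recentsends = USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait;` at the point of use reads better. The new `!retry_stack.empty()` term in HostScanStats::sendOK deserves the same one-line why. All three functions extend outside the hunks.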


@@ -1785,10 +1785,7 @@ static int scanThroughTunnel(nsock_pool nsp, nsock_iod nsi, ServiceGroup *SG,
return 0;
}
#ifndef HAVE_OPENSSL
return 0;
#endif
#ifdef HAVE_OPENSSL
if (svc->tunnel != SERVICE_TUNNEL_NONE) {
// Another tunnel type has already been tried. Let's not go recursive.
return 0;
@@ -1808,6 +1805,9 @@ static int scanThroughTunnel(nsock_pool nsp, nsock_iod nsi, ServiceGroup *SG,
svc->resetProbes(true);
startNextProbe(nsp, nsi, SG, svc, true);
return 1;
#else
return 0;
#endif
}
/* Prints completion estimates and the like when appropriate */


@@ -527,40 +527,42 @@ const char *ippackethdrinfo(const u8 *packet, u32 len) {
case 0:
strcpy(icmptype, "Echo reply"); break;
case 3:
if (ping->code == 0)
strcpy(icmptype, "network unreachable");
else if (ping->code == 1)
strcpy(icmptype, "host unreachable");
else if (ping->code == 2)
strcpy(icmptype, "protocol unreachable");
else if (ping->code == 3)
strcpy(icmptype, "port unreachable");
else if (ping->code == 4)
strcpy(icmptype, "fragmentation required");
else if (ping->code == 5)
strcpy(icmptype, "source route failed");
else if (ping->code == 6)
strcpy(icmptype, "destination network unknown");
else if (ping->code == 7)
strcpy(icmptype, "destination host unknown");
else if (ping->code == 8)
strcpy(icmptype, "source host isolated");
else if (ping->code == 9)
strcpy(icmptype, "destination network administratively prohibited");
else if (ping->code == 10)
strcpy(icmptype, "destination host administratively prohibited");
else if (ping->code == 11)
strcpy(icmptype, "network unreachable for TOS");
else if (ping->code == 12)
strcpy(icmptype, "host unreachable for TOS");
else if (ping->code == 13)
strcpy(icmptype, "communication administratively prohibited by filtering");
else if (ping->code == 14)
strcpy(icmptype, "host precedence violation");
else if (ping->code == 15)
strcpy(icmptype, "precedence cutoff in effect");
else
strcpy(icmptype, "unknown unreachable code");
switch (ping->code) {
case 0:
strcpy(icmptype, "network unreachable"); break;
case 1:
strcpy(icmptype, "host unreachable"); break;
case 2:
strcpy(icmptype, "protocol unreachable"); break;
case 3:
strcpy(icmptype, "port unreachable"); break;
case 4:
strcpy(icmptype, "fragmentation required"); break;
case 5:
strcpy(icmptype, "source route failed"); break;
case 6:
strcpy(icmptype, "destination network unknown"); break;
case 7:
strcpy(icmptype, "destination host unknown"); break;
case 8:
strcpy(icmptype, "source host isolated"); break;
case 9:
strcpy(icmptype, "destination network administratively prohibited"); break;
case 10:
strcpy(icmptype, "destination host administratively prohibited"); break;
case 11:
strcpy(icmptype, "network unreachable for TOS"); break;
case 12:
strcpy(icmptype, "host unreachable for TOS"); break;
case 13:
strcpy(icmptype, "communication administratively prohibited by filtering"); break;
case 14:
strcpy(icmptype, "host precedence violation"); break;
case 15:
strcpy(icmptype, "precedence cutoff in effect"); break;
default:
strcpy(icmptype, "unknown unreachable code"); break;
}
break;
case 4:
strcpy(icmptype, "source quench"); break;
@@ -696,6 +698,7 @@ pcap_t *my_pcap_open_live(const char *device, int snaplen, int promisc,
char err0r[PCAP_ERRBUF_SIZE];
pcap_t *pt;
char pcapdev[128];
int failed = 0;
#ifdef WIN32
/* Nmap normally uses device names obtained through dnet for interfaces, but Pcap has its own
naming system. So the conversion is done here */
@@ -706,12 +709,21 @@ naming system. So the conversion is done here */
#else
Strncpy(pcapdev, device, sizeof(pcapdev));
#endif
if (!((pt = pcap_open_live(pcapdev, snaplen, promisc, to_ms, err0r)))) {
fatal("pcap_open_live: %s\nThere are several possible reasons for this, depending on your operating system:\n"
do {
pt = pcap_open_live(pcapdev, snaplen, promisc, to_ms, err0r);
if (!pt) {
failed++;
if (failed >= 3) {
fatal("Call to pcap_open_live(%s, %d, %d, %d) failed three times. Reported error: %s\nThere are several possible reasons for this, depending on your operating system:\n"
"LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.\n"
"*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV <device>; or use mknod).\n"
"SOLARIS: If you are trying to scan localhost and getting '/dev/lo0: No such file or directory', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use \"-P0 -sT localhost\" though.\n\n", err0r);
}
"SOLARIS: If you are trying to scan localhost and getting '/dev/lo0: No such file or directory', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use \"-P0 -sT localhost\" though.\n\n", pcapdev, snaplen, promisc, to_ms, err0r);
} else {
error("pcap_open_live(%s, %d, %d, %d) FAILLED. Reported error: %s. Will wait %d seconds then retry.", pcapdev, snaplen, promisc, to_ms, err0r, (int) pow(5, failed));
}
sleep((int) pow(5, failed));
}
} while (!pt);
#ifdef WIN32
/* We want any responses back ASAP */
@@ -2728,7 +2740,7 @@ int block_socket(int sd) {
#ifdef WIN32
unsigned long options=0;
if(sd == 501) return 1;
ioctlsocket(sd, FIONBIO, (unsigned long *)&options);
ioctlsocket(sd, FIONBIO, &options);
#else
int options;
options = (~O_NONBLOCK) & fcntl(sd, F_GETFL);
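Review bot: In the my_pcap_open_live hunk the new user-facing message `error("pcap_open_live(%s, %d, %d, %d) FAILLED. …")` misspells FAILED. The delay `(int) pow(5, failed)` is evaluated twice in floating point for what are only two reachable values (5 s after the first failure, 25 s after the second); `const int delay_s = (failed == 1) ? 5 : 25;` used in both the message and `sleep()` is clearer and removes the dependence on `pow`. In the ICMP `switch` the `strcpy(icmptype, …)` calls still copy up to 55 characters plus the terminator into `icmptype`, whose size is outside the hunk and worth confirming against the longest literal. my_pcap_open_live continues outside the hunk.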


@@ -197,15 +197,13 @@ char *strerror(int errnum) {
/* Like the perl equivialent -- It removes the terminating newline from string
IF one exists. It then returns the POSSIBLY MODIFIED string */
char *chomp(char *string) {
int len;
len = strlen(string);
if (len < 1)
return string;
if (string[len - 1] != '\n')
return string;
if (len > 1 && string[len-2] == '\r') {
string[len-2] = '\0';
} else string[len-1] = '\0';
int len = strlen(string);
if (len && string[len - 1] == '\n') {
if (len > 1 && string[len - 2] == '\r')
string[len - 2] = '\0';
else
string[len - 1] = '\0';
}
return string;
}
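Review bot: `int len = strlen(string);` in the rewritten chomp narrows `size_t` to `int`; the rewrite touched this line, and `size_t len = strlen(string);` works unchanged with the `len && …` and `len > 1` tests. A one-line addition to the header comment that `string` must be non-NULL would complete the contract, since the function dereferences it unconditionally.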