From 848ad2a96aacf5c49407d6b416145dba3c952d21 Mon Sep 17 00:00:00 2001
From: fyodor <fyodor@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Fri, 3 Mar 2006 23:12:14 +0000
Subject: [PATCH] Nmap 4.02Alpha1 release for Everdream

---
 CHANGELOG            | 28 ++++++++++++++
 Makefile.in          |  2 +-
 NmapOps.cc           | 16 +++-----
 configure            |  3 +-
 configure.ac         |  2 +-
 docs/nmap.1          | 46 +++++++++++-----------
 docs/nmap.usage.txt  | 12 +++---
 idle_scan.cc         |  4 ++
 nmap-os-fingerprints |  3 +-
 nmap.cc              | 11 ++++--
 nmap.h               |  1 -
 nmap_dns.cc          | 20 +++++-----
 nmap_winconfig.h     |  2 +-
 osscan.cc            |  3 ++
 output.cc            |  2 +-
 scan_engine.cc       | 11 ++++--
 service_scan.cc      |  8 ++--
 tcpip.cc             | 90 +++++++++++++++++++++++++-------------------
 utils.cc             | 16 ++++----
 19 files changed, 164 insertions(+), 116 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 92e8fc9dc..f5edc88c9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,4 +1,32 @@
 # Nmap Changelog ($Id$); -*-text-*-
+Nmap 4.02ALPHA1
+
+o Fixed a flaw in the scan engine which could (in rare cases)
+  lead to a deadlock situation that prevents a scan from completing.
+  Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for reporting
+  and helping to debug the problem.
+
+o If the pcap_open_live() call (initiates sniffing) fails, Nmap now
+  tries up to two more times after waiting a little while. This is
+  attempt to work around a rare bug on Windows in which the
+  pcap_open_live() fails for unknown reasons.
+
+o Fixed a flaw in the runtime interaction in which Nmap would include
+  hosts currently being scanned in the number of hosts "completed"
+  statistic.
+
+o Fixed a crash in OS scan which could occur on Windows when a DHCP
+  lease issue causes the system to lose its IP address.  Nmap still
+  quits, but at least it gives a proper error message now.  Thanks to
+  Ganga Bhavani (GBhavani(a)everdreamcorp.com) for the patch.
+
+o Applied more than half a dozen small code cleanup patches from
+  Kris Katterjohn (kjak(a)ispwest.com).
+
+o Modified the configure script to accept CXX when specified as an
+  absolute path rather than just the executable name.  Thanks to
+  Daniel Roethlisberger (daniel(a)roe.ch) for this patch.
+
 Nmap 4.01
 
 o Fixed a bug that would cause bogus reverse-DNS resolution on
diff --git a/Makefile.in b/Makefile.in
index 83636970e..115af9c5a 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-export NMAP_VERSION = 4.01
+export NMAP_VERSION = 4.02Alpha1
 NMAP_NAME= Nmap
 NMAP_URL= http://www.insecure.org/nmap/
 NMAP_PLATFORM=@host@
diff --git a/NmapOps.cc b/NmapOps.cc
index c56df19e6..0ab43fdfd 100644
--- a/NmapOps.cc
+++ b/NmapOps.cc
@@ -177,17 +177,13 @@ void NmapOps::Initialize() {
   char tmpxsl[MAXPATHLEN];
 
   setaf(AF_INET);
-#ifndef WIN32
-# ifdef __amigaos__
-    isr00t = 1;
-# else
-    if (getenv("NMAP_PRIVILEGED"))
-      isr00t = 1;
-    else
-      isr00t = !(geteuid());
-# endif // __amigaos__
-#else
+#if defined WIN32 || defined __amigaos__
   isr00t = 1;
+#else
+  if (getenv("NMAP_PRIVILEGED"))
+    isr00t = 1;
+  else
+    isr00t = !(geteuid());
 #endif
   debugging = DEBUGGING;
   verbose = DEBUGGING;
diff --git a/configure b/configure
index ab18c0fb7..4a8d447f3 100755
--- a/configure
+++ b/configure
@@ -2649,7 +2649,8 @@ else
   ac_cv_prog_CXXPROG="$CXXPROG" # Let the user override the test.
 else
 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
+as_dummy=""$PATH":/"
+for as_dir in $as_dummy
 do
   IFS=$as_save_IFS
   test -z "$as_dir" && as_dir=.
diff --git a/configure.ac b/configure.ac
index bc933af66..f2814dfd3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -42,7 +42,7 @@ AC_PROG_CXX
  if test -n "$GXX"; then
       CXXFLAGS="$CXXFLAGS -Wall "
  fi
-AC_CHECK_PROG(CXXPROG, "$CXX", "AVAILABLE", "MISSING")
+AC_CHECK_PROG(CXXPROG, "$CXX", "AVAILABLE", "MISSING", "$PATH":/)
 if test $CXXPROG = "MISSING"; then
   AC_MSG_ERROR([Could not locate a C++ compiler. If it exists, add it to your PATH or give configure the CXX=path_to_compiler argument.  Otherwise, install a C++ compiler such as g++ or install a binary package of Nmap (see http://www.insecure.org/nmap/nmap_download.html ))])
 fi
diff --git a/docs/nmap.1 b/docs/nmap.1
index b1f9a50b6..6cb716443 100644
--- a/docs/nmap.1
+++ b/docs/nmap.1
@@ -2,7 +2,7 @@
 .\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
 .\" Instead of manually editing it, you probably should edit the DocBook XML
 .\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NMAP" "1" "02/16/2006" "" "Nmap Reference Guide"
+.TH "NMAP" "1" "03/02/2006" "" "Nmap Reference Guide"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -362,12 +362,12 @@ Tells Nmap to
 \fIalways\fR
 do reverse DNS resolution on the target IP addresses. Normally this is only performed when a machine is found to be alive.
 .TP
-\fB\-\-system_dns\fR (Use system DNS resolver)
+\fB\-\-system\-dns\fR (Use system DNS resolver)
 By default, Nmap resolves IP addresses by sending queries directly to the name servers configured on your host and then listening for responses. Many requests (often dozens) are performed in parallel for performance. Specify this option if you wish to use your system resolver instead (one IP at a time via the getnameinfo() call). This is slower and rarely useful unless there is a bug in the Nmap DNS code \-\- please contact us if that is the case. The system resolver is always used for IPv6 scans.
 .TP
-\fB\-\-dns_servers <server1[,server2],...> \fR (Servers to use for reverse DNS queries)
+\fB\-\-dns\-servers <server1[,server2],...> \fR (Servers to use for reverse DNS queries)
 Normally Nmap will try to determine the DNS servers from your resolv.conf file (UNIX) or the registry (Win32). Alternatively, you may use this option to specify your own servers. This option is not honored if you are using
-\fB\-\-system_dns\fR
+\fB\-\-system\-dns\fR
 or an IPv6 scan. Using multiple DNS servers is often faster than querying just one.
 .SH "PORT SCANNING BASICS"
 .PP
@@ -744,6 +744,16 @@ When Nmap is unable to detect a perfect OS match, it sometimes offers up near\-m
 One of my highest Nmap development priorities has always been performance. A default scan (\fBnmap \fR\fB\fIhostname\fR\fR) of a host on my local network takes a fifth of a second. That is barely enough time to blink, but adds up when you are scanning tens or hundreds of thousands of hosts. Moreover, certain scan options such as UDP scanning and version detection can increase scan times substantially. So can certain firewall configurations, particularly response rate limiting. While Nmap utilizes parallelism and many advanced algorithms to accelerate these scans, the user has ultimate control over how Nmap runs. Expert users carefully craft Nmap commands to obtain only the information they care about while meeting their time constraints.
 .PP
 Techniques for improving scan times include omitting non\-critical tests, and upgrading to the latest version of Nmap (performance enhancements are made frequently). Optimizing timing parameters can also make a substantial difference. Those options are listed below.
+.PP
+Some options accept a
+time
+parameter. This is specified in milliseconds by default, though you can append \(oqs\(cq, \(oqm\(cq, or \(oqh\(cq to the value to specify seconds, minutes, or hours. So the
+\fB\-\-host\-timeout\fR
+arguments
+900000,
+900s, and
+15m
+all do the same thing.
 .TP
 \fB\-\-min\-hostgroup <numhosts>\fR; \fB\-\-max\-hostgroup <numhosts>\fR (Adjust parallel scan group sizes)
 Nmap has the ability to port scan or version scan multiple hosts in parallel. Nmap does this by dividing the target IP space into groups and then scanning one group at a time. In general, larger groups are more efficient. The downside is that host results can't be provided until the whole group is finished. So if Nmap started out with a group size of 50, the user would not receive any reports (except for the updates offered in verbose mode) until the first 50 hosts are completed.
@@ -770,14 +780,10 @@ option is sometimes set to one to prevent Nmap from sending more than one probe
 \fB\-\-scan\-delay\fR
 (discussed later), although the latter usually serves the purpose well enough by itself.
 .TP
-\fB\-\-min_rtt_timeout <time>\fR, \fB\-\-max\-rtt\-timeout <time>\fR, \fB\-\-initial\-rtt\-timeout <time>\fR (Adjust probe timeouts)
+\fB\-\-min\-rtt\-timeout <time>\fR, \fB\-\-max\-rtt\-timeout <time>\fR, \fB\-\-initial\-rtt\-timeout <time>\fR (Adjust probe timeouts)
 Nmap maintains a running timeout value for determining how long it will wait for a probe response before giving up or retransmitting the probe. This is calculated based on the response times of previous probes. If the network latency shows itself to be significant and variable, this timeout can grow to several seconds. It also starts at a conservative (high) level and may stay that way for a while when Nmap scans unresponsive hosts.
 .sp
-These options take a value in milliseconds, or you can append
-s,
-m, or
-h
-to the argument to specify a time in seconds, minutes, or hours. Specifying a lower
+Specifying a lower
 \fB\-\-max\-rtt\-timeout\fR
 and
 \fB\-\-initial\-rtt\-timeout\fR
@@ -790,7 +796,7 @@ value. If routing is involved, ping a host on the network first with the ICMP pi
 and triple or quadruple it for the
 \fB\-\-max\-rtt\-timeout\fR. I generally do not set the maximum rtt below 100ms, no matter what the ping times are. Nor do I exceed 1000ms.
 .sp
-\fB\-\-min_rtt_timeout\fR
+\fB\-\-min\-rtt\-timeout\fR
 is a rarely used option that could be useful when a network is so unreliable that even Nmap's default is too aggressive. Since Nmap only reduces the timeout down to the minimum when the network seems to be reliable, this need is unusual and should be reported as a bug to the nmap\-dev mailing list.
 .TP
 \fB\-\-max\-retries <numtries>\fR (Specify the maximum number of port scan probe retransmissions)
@@ -809,22 +815,14 @@ expire and losing all information about the target.
 \fB\-\-host\-timeout <time>\fR (Give up on slow target hosts)
 Some hosts simply take a
 \fIlong\fR
-time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time. Sometimes it is best to cut your losses and skip those hosts initially. This can be done by specifying
+time to scan. This may be due to poorly performing or unreliable networking hardware or software, packet rate limiting, or a restrictive firewall. The slowest few percent of the scanned hosts can eat up a majority of the scan time. Sometimes it is best to cut your losses and skip those hosts initially. Specify
 \fB\-\-host\-timeout\fR
-with the number of milliseconds you are willing to wait. Alternatively, you can append
-s,
-m, or
-h
-to the argument to specify a timeout in seconds, minutes, or hours. I often specify
+with the maximum amoung of time you are willing to wait. I often specify
 30m
 to ensure that Nmap doesn't waste more than half an hour on a single host. Note that Nmap may be scanning other hosts at the same time during that half an hour as well, so it isn't a complete loss. A host that times out is skipped. No port table, OS detection, or version detection results are printed for that host.
 .TP
 \fB\-\-scan\-delay <time>\fR; \fB\-\-max_scan\-delay <time>\fR (Adjust delay between probes)
-This option causes Nmap to wait at least the given number of milliseconds between each probe it sends to a given host. As with many other timing options, you can append
-s,
-m, or
-h
-to the argument to specify a delay in seconds, minutes, or hours instead. This is particularly useful in the case of rate limiting. Solaris machines (among many others) will usually respond to UDP scan probe packets with only one ICMP message per second. Any more than that sent by Nmap will be wasteful. A
+This option causes Nmap to wait at least the given amount of time between each probe it sends to a given host. This is particularly useful in the case of rate limiting. Solaris machines (among many others) will usually respond to UDP scan probe packets with only one ICMP message per second. Any more than that sent by Nmap will be wasteful. A
 \fB\-\-scan\-delay\fR
 of
 1s
@@ -887,7 +885,7 @@ does the equivalent of
 and sets the maximum TCP scan delay to 10 milliseconds.
 \fBT5\fR
 does the equivalent of
-\fB\-\-max\-rtt\-timeout 300 \-\-min_rtt_timeout 50 \-\-initial\-rtt\-timeout 250 \-\-max\-retries 2 \-\-host\-timeout 900000\fR
+\fB\-\-max\-rtt\-timeout 300 \-\-min\-rtt\-timeout 50 \-\-initial\-rtt\-timeout 250 \-\-max\-retries 2 \-\-host\-timeout 15m\fR
 as well as setting the maximum TCP scan delay to 5ms.
 .SH "FIREWALL/IDS EVASION AND SPOOFING"
 .PP
@@ -1251,7 +1249,7 @@ During the execution of nmap, all key presses are captured. This allows you to i
 \fIlowercase letters increase\fR
 the amount of printing, and
 \fIuppercase letters decrease\fR
-the printing. You may also press \(oq\fI?\fR\(cq for
+the printing. You may also press \(oq\fI?\fR\(cq for help.
 .TP
 \fBv\fR / \fBV\fR
 Increase / Decrease the Verbosity
diff --git a/docs/nmap.usage.txt b/docs/nmap.usage.txt
index aa324a8f5..e59ce15f1 100644
--- a/docs/nmap.usage.txt
+++ b/docs/nmap.usage.txt
@@ -1,4 +1,4 @@
-Nmap 4.01 ( http://www.insecure.org/nmap/ )
+Nmap 4.02Alpha1 ( http://www.insecure.org/nmap/ )
 Usage: nmap [Scan Type(s)] [Options] {target specification}
 TARGET SPECIFICATION:
   Can pass hostnames, IP addresses, networks, etc.
@@ -39,14 +39,16 @@ OS DETECTION:
   --osscan-limit: Limit OS detection to promising targets
   --osscan-guess: Guess OS more aggressively
 TIMING AND PERFORMANCE:
+  Options which take <time> are in milliseconds, unless you append 's'
+  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
   -T[0-5]: Set timing template (higher is faster)
   --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
-  --min-parallelism/max-parallelism <msec>: Probe parallelization
-  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <msec>: Specifies
+  --min-parallelism/max-parallelism <time>: Probe parallelization
+  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
       probe round trip time.
   --max-retries <tries>: Caps number of port scan probe retransmissions.
-  --host-timeout <msec>: Give up on target after this long
-  --scan-delay/--max-scan-delay <msec>: Adjust delay between probes
+  --host-timeout <time>: Give up on target after this long
+  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
 FIREWALL/IDS EVASION AND SPOOFING:
   -f; --mtu <val>: fragment packets (optionally w/given MTU)
   -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
diff --git a/idle_scan.cc b/idle_scan.cc
index 458078cca..a5c09a1bd 100644
--- a/idle_scan.cc
+++ b/idle_scan.cc
@@ -372,6 +372,8 @@ void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
     memcpy(proxy->eth.srcmac, proxy->host.SrcMACAddress(), 6);
     memcpy(proxy->eth.dstmac, proxy->host.NextHopMACAddress(), 6);
     proxy->eth.ethsd = eth_open(proxy->host.deviceName());
+    if (proxy->eth.ethsd == NULL)
+      fatal("%s: Failed to open ethernet device (%s)", __FUNCTION__, proxy->host.deviceName());
     proxy->rawsd = -1;
     proxy->ethptr = &proxy->eth;
   } else {
@@ -665,6 +667,8 @@ int idlescan_countopen2(struct idle_proxy_info *proxy,
     memcpy(eth.srcmac, target->SrcMACAddress(), 6);
     memcpy(eth.dstmac, target->NextHopMACAddress(), 6);
     eth.ethsd = eth_open(target->deviceName());
+    if (eth.ethsd == NULL)
+      fatal("%s: Failed to open ethernet device (%s)", __FUNCTION__, target->deviceName());
   } else eth.ethsd = NULL;
 
   /* I start by sending out the SYN pr0bez */
diff --git a/nmap-os-fingerprints b/nmap-os-fingerprints
index a012dcf52..d17012961 100644
--- a/nmap-os-fingerprints
+++ b/nmap-os-fingerprints
@@ -16065,7 +16065,8 @@ PU(Resp=N)
 # Motorola Surfboard Cable modem Software Version: SB5100-2.3.1.3-SCM00-NOSHHardware Version: 3MIB+Version: IIGUI Version: 1.0VxWorks Version: 5.4
 # Motorola Cable Modem SB5100E SW_REV: SB5100E-2.3.1.3-SCM01-NOSH
 # Motorola SB5100 Surfboard 5100 Cable Modem vSB5100-2.3.1.6-SCM01-NOSH
-Fingerprint Motorola Cable Modem SB5100/CG4500E or Thomson Cable Modem TCM390
+# Thomson Cable Modem TCM410
+Fingerprint Motorola (SB5100/CG4500E) or Thomson (TCM390/TCM410) Cable Modem
 Class Motorola | VxWorks || broadband router
 TSeq(Class=64K%IPID=I%TS=U)
 T1(DF=N%W=2000%ACK=S++%Flags=AS%Ops=MNW)
diff --git a/nmap.cc b/nmap.cc
index dc939bc23..d2912ed95 100644
--- a/nmap.cc
+++ b/nmap.cc
@@ -1313,6 +1313,7 @@ int nmap_main(int argc, char *argv[]) {
       delete currenths;
       Targets.pop_back();
     }
+    o.numhosts_scanning = 0;
   } while(!o.max_ips_to_scan || o.max_ips_to_scan > o.numhosts_scanned);
   
   delete hstate;
@@ -1671,14 +1672,16 @@ printf("%s %s ( %s )\n"
        "  --osscan-limit: Limit OS detection to promising targets\n"
        "  --osscan-guess: Guess OS more aggressively\n"
        "TIMING AND PERFORMANCE:\n"
+       "  Options which take <time> are in milliseconds, unless you append 's'\n"
+       "  (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).\n"
        "  -T[0-5]: Set timing template (higher is faster)\n"
        "  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes\n"
-       "  --min-parallelism/max-parallelism <msec>: Probe parallelization\n"
-       "  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <msec>: Specifies\n"
+       "  --min-parallelism/max-parallelism <time>: Probe parallelization\n"
+       "  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies\n"
        "      probe round trip time.\n"
        "  --max-retries <tries>: Caps number of port scan probe retransmissions.\n"
-       "  --host-timeout <msec>: Give up on target after this long\n"
-       "  --scan-delay/--max-scan-delay <msec>: Adjust delay between probes\n"
+       "  --host-timeout <time>: Give up on target after this long\n"
+       "  --scan-delay/--max-scan-delay <time>: Adjust delay between probes\n"
        "FIREWALL/IDS EVASION AND SPOOFING:\n"
        "  -f; --mtu <val>: fragment packets (optionally w/given MTU)\n"
        "  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys\n"
diff --git a/nmap.h b/nmap.h
index 8d3043cdc..e4b8025d6 100644
--- a/nmap.h
+++ b/nmap.h
@@ -454,7 +454,6 @@ int listen_icmp(int icmpsock, unsigned short outports[],
 int nmap_main(int argc, char *argv[]);
 
 /* general helper functions */
-void *safe_malloc(int size);
 char *grab_next_host_spec(FILE *inputfd, int argc, char **fakeargv);
 int parse_targets(struct targets *targets, char *h);
 char *statenum2str(int state);
diff --git a/nmap_dns.cc b/nmap_dns.cc
index f44df40ac..c76902897 100644
--- a/nmap_dns.cc
+++ b/nmap_dns.cc
@@ -431,7 +431,7 @@ int encoded_name_to_normal(unsigned char *buf, char *output, int outputsize){
 
 // Takes a pointer to the start of a DNS name inside a packet. It makes
 // sure that there is enough space in the name, deals with compression, etc.
-int advance_past_dns_name(unsigned char *buf, int buflen, int curbuf, 
+int advance_past_dns_name(u8 *buf, int buflen, int curbuf, 
 			  int *nameloc) {
   int compression=0;
 
@@ -443,7 +443,7 @@ int advance_past_dns_name(unsigned char *buf, int buflen, int curbuf,
 
     // Compression is OK
     compression = curbuf+2;
-    curbuf = ((buf[curbuf+1] & 0xFF) + ((buf[curbuf] & 0xFF) << 8)) & 0x3FFF;
+    curbuf = (buf[curbuf+1] + (buf[curbuf] << 8)) & 0x3FFF;
     if (curbuf < 0 || curbuf >= buflen) return -1;
   }
 
@@ -462,7 +462,7 @@ int advance_past_dns_name(unsigned char *buf, int buflen, int curbuf,
 // Nsock read handler. One nsock read for each DNS server exists at each
 // time. This function uses various helper functions as defined above.
 void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
-  unsigned char *buf;
+  u8 *buf;
   int buflen, curbuf=0;
   int i, nameloc, rdlen, atype, aclass;
   int errcode=0;
@@ -485,7 +485,7 @@ void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
   // Size of header is 12, and we must have additional data as well
   if (buflen <= 12) return;
 
-  packet_id = (buf[1] & 0xFF) + ((buf[0] & 0xFF) << 8);
+  packet_id = buf[1] + (buf[0] << 8);
 
   // Check that this is a response, standard query, and that no truncation was performed
   // 0xFA == 11111010 (we're not concerned with AA or RD bits)
@@ -493,14 +493,14 @@ void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
 
   // Check that Recursion is available, the zero field is all zeros
   // and there is no error condition:
-  if ((buf[3] & 0xFF) != 0x80) {
+  if (buf[3] != 0x80) {
     if ((buf[3] & 0xF) == 2) errcode = 2;
     else if ((buf[3] & 0xF) == 3) errcode = 3;
     else return;
   }
 
-  queries = (buf[5] & 0xFF) + ((buf[4] & 0xFF) << 8);
-  answers = (buf[7] & 0xFF) + ((buf[6] & 0xFF) << 8);
+  queries = buf[5] + (buf[4] << 8);
+  answers = buf[7] + (buf[6] << 8);
 
   // With a normal resolution, we should have 1+ queries and 1+ answers.
   // If the domain doesn't resolve (NXDOMAIN or SERVFAIL) we should have
@@ -549,9 +549,9 @@ void read_evt_handler(nsock_pool nsp, nsock_event evt, void *nothing) {
     // RDLENGTH (2) fields
     if (curbuf + 10 >= buflen) return;
 
-    atype = (buf[curbuf+1] & 0xFF) + ((buf[curbuf+0] & 0xFF) << 8);
-    aclass = (buf[curbuf+3] & 0xFF) + ((buf[curbuf+2] & 0xFF) << 8);
-    rdlen = (buf[curbuf+9] & 0xFF) + ((buf[curbuf+8] & 0xFF) << 8);
+    atype = buf[curbuf+1] + (buf[curbuf+0] << 8);
+    aclass = buf[curbuf+3] + (buf[curbuf+2] << 8);
+    rdlen = buf[curbuf+9] + (buf[curbuf+8] << 8);
     curbuf += 10;
 
     if (atype == 12 && aclass == 1) {
diff --git a/nmap_winconfig.h b/nmap_winconfig.h
index fe7a1ea6e..a9258b848 100644
--- a/nmap_winconfig.h
+++ b/nmap_winconfig.h
@@ -104,7 +104,7 @@
 #ifndef NMAP_WINCONFIG_H
 #define NMAP_WINCONFIG_H
 
-#define NMAP_VERSION "4.01"
+#define NMAP_VERSION "4.02Alpha1"
 #define NMAP_NAME "Nmap"
 #define NMAP_URL "http://www.insecure.org/nmap"
 #define NMAP_PLATFORM "i686-pc-windows-windows"
diff --git a/osscan.cc b/osscan.cc
index 07b0de008..e4831814f 100644
--- a/osscan.cc
+++ b/osscan.cc
@@ -291,6 +291,9 @@ get_random_bytes(&sequence_base, sizeof(unsigned int));
    memcpy(eth.srcmac, target->SrcMACAddress(), 6);
    memcpy(eth.dstmac, target->NextHopMACAddress(), 6);
    eth.ethsd = eth_open(target->deviceName());
+   if (eth.ethsd == NULL)
+     fatal("%s: Failed to open ethernet device (%s)", __FUNCTION__, target->deviceName());
+
    rawsd = -1;
    ethptr = &eth;
   } else {
diff --git a/output.cc b/output.cc
index c30e62776..2b0415b5d 100644
--- a/output.cc
+++ b/output.cc
@@ -1394,7 +1394,7 @@ void printStatusMessage() {
   
   log_write(LOG_STDOUT, 
 	    "Stats: %d:%02d:%02d elapsed; %d hosts completed (%d up), %d undergoing %s\n", 
-	    time/60/24, time/60 % 24, time % 60, o.numhosts_scanned, 
+	    time/60/24, time/60 % 24, time % 60, o.numhosts_scanned - o.numhosts_scanning, 
 	    o.numhosts_up, o.numhosts_scanning, scantype2str(o.scantype));
 }
 
diff --git a/scan_engine.cc b/scan_engine.cc
index 546cb5835..5a5f67eb1 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -807,6 +807,7 @@ GroupScanStats::~GroupScanStats() {
 
   /* Returns true if the GLOBAL system says that sending is OK.*/
 bool GroupScanStats::sendOK() {
+  int recentsends;
 
   if (USI->scantype == CONNECT_SCAN && CSI->numSDs >= CSI->maxSocketsAllowed)
     return false;
@@ -815,7 +816,9 @@ bool GroupScanStats::sendOK() {
      the last listen call, at least for systems such as Windoze that
      don't give us a proper pcap time.  Also for connect scans, since
      we don't get an exact response time with them either. */
-  if (USI->scantype == CONNECT_SCAN || !pcap_recv_timeval_valid()) {
+  recentsends = USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait;
+  if (recentsends > 0 && 
+      (USI->scantype == CONNECT_SCAN || !pcap_recv_timeval_valid())) {
     int to_ms = (int) MAX(to.srtt * .75 / 1000, 50);
     if (TIMEVAL_MSEC_SUBTRACT(USI->now, last_wait) > to_ms)
       return false;
@@ -828,7 +831,7 @@ bool GroupScanStats::sendOK() {
      responses when I scan localhost.  And half of those are the @#$#
      sends being received.  I think I'll put a limit of 50 sends per
      wait */
-  if (USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait >= 50)
+  if (recentsends >= 50)
     return false;
 
   /* When there is only one target left, let the host congestion
@@ -969,7 +972,7 @@ bool HostScanStats::sendOK(struct timeval *when) {
 
   getTiming(&tmng);
   if (tmng.cwnd >= num_probes_active + .5 && 
-      (freshPortsLeft() || num_probes_waiting_retransmit)) {
+      (freshPortsLeft() || num_probes_waiting_retransmit || !retry_stack.empty())) {
     if (when) *when = USI->now;
     return true;
   }
@@ -3293,7 +3296,7 @@ void processData(UltraScanInfo *USI) {
 	  if (tryno_capped && lastRetryCappedWarning != USI) {
 	    /* Perhaps I should give this on a per-host basis.  Oh
 	       well, hopefully it is rare anyway. */
-	    printf("Warning: Finishing early because retransmission cap hit.\n");
+	    printf("Warning: Giving up on port early because retransmission cap hit.\n");
 	    lastRetryCappedWarning = USI;
 	  }
 	  continue;
diff --git a/service_scan.cc b/service_scan.cc
index 7acf32a28..22b2af664 100644
--- a/service_scan.cc
+++ b/service_scan.cc
@@ -1785,10 +1785,7 @@ static int scanThroughTunnel(nsock_pool nsp, nsock_iod nsi, ServiceGroup *SG,
     return 0;
   }
 
-#ifndef HAVE_OPENSSL
-  return 0;
-#endif
-
+#ifdef HAVE_OPENSSL
   if (svc->tunnel != SERVICE_TUNNEL_NONE) {
     // Another tunnel type has already been tried.  Let's not go recursive.
     return 0;
@@ -1808,6 +1805,9 @@ static int scanThroughTunnel(nsock_pool nsp, nsock_iod nsi, ServiceGroup *SG,
    svc->resetProbes(true);
   startNextProbe(nsp, nsi, SG, svc, true);
   return 1;
+#else
+  return 0;
+#endif
 }
 
 /* Prints completion estimates and the like when appropriate */
diff --git a/tcpip.cc b/tcpip.cc
index 900e5e24b..3a5c2d7a2 100644
--- a/tcpip.cc
+++ b/tcpip.cc
@@ -527,40 +527,42 @@ const char *ippackethdrinfo(const u8 *packet, u32 len) {
     case 0:
       strcpy(icmptype, "Echo reply"); break;
     case 3:
-      if (ping->code == 0)
-	strcpy(icmptype, "network unreachable");
-      else if (ping->code == 1)
-	strcpy(icmptype, "host unreachable");
-      else if (ping->code == 2)
-	strcpy(icmptype, "protocol unreachable");
-      else if (ping->code == 3)
-	strcpy(icmptype, "port unreachable");
-      else if (ping->code == 4)
-	strcpy(icmptype, "fragmentation required");
-      else if (ping->code == 5)
-	strcpy(icmptype, "source route failed");
-      else if (ping->code == 6)
-	strcpy(icmptype, "destination network unknown");
-      else if (ping->code == 7)
-	strcpy(icmptype, "destination host unknown");
-      else if (ping->code == 8)
-	strcpy(icmptype, "source host isolated");
-      else if (ping->code == 9)
-	strcpy(icmptype, "destination network administratively prohibited");
-      else if (ping->code == 10)
-	strcpy(icmptype, "destination host administratively prohibited");
-      else if (ping->code == 11)
-	strcpy(icmptype, "network unreachable for TOS");
-      else if (ping->code == 12)
-	strcpy(icmptype, "host unreachable for TOS");
-      else if (ping->code == 13)
-	strcpy(icmptype, "communication administratively prohibited by filtering");
-      else if (ping->code == 14)
-	strcpy(icmptype, "host precedence violation");
-      else if (ping->code == 15)
-	strcpy(icmptype, "precedence cutoff in effect");
-      else
-	strcpy(icmptype, "unknown unreachable code");
+      switch (ping->code) {
+      case 0:
+	strcpy(icmptype, "network unreachable"); break;
+      case 1:
+	strcpy(icmptype, "host unreachable"); break;
+      case 2:
+	strcpy(icmptype, "protocol unreachable"); break;
+      case 3:
+	strcpy(icmptype, "port unreachable"); break;
+      case 4:
+	strcpy(icmptype, "fragmentation required"); break;
+      case 5:
+	strcpy(icmptype, "source route failed"); break;
+      case 6:
+	strcpy(icmptype, "destination network unknown"); break;
+      case 7:
+	strcpy(icmptype, "destination host unknown"); break;
+      case 8:
+	strcpy(icmptype, "source host isolated"); break;
+      case 9:
+	strcpy(icmptype, "destination network administratively prohibited"); break;
+      case 10:
+	strcpy(icmptype, "destination host administratively prohibited"); break;
+      case 11:
+	strcpy(icmptype, "network unreachable for TOS"); break;
+      case 12:
+	strcpy(icmptype, "host unreachable for TOS"); break;
+      case 13:
+	strcpy(icmptype, "communication administratively prohibited by filtering"); break;
+      case 14:
+	strcpy(icmptype, "host precedence violation"); break;
+      case 15:
+	strcpy(icmptype, "precedence cutoff in effect"); break;
+      default:
+	strcpy(icmptype, "unknown unreachable code"); break;
+      }
       break;
     case 4:
       strcpy(icmptype, "source quench"); break;
@@ -696,6 +698,7 @@ pcap_t *my_pcap_open_live(const char *device, int snaplen, int promisc,
   char err0r[PCAP_ERRBUF_SIZE];
   pcap_t *pt;
   char pcapdev[128];
+  int failed = 0;
 #ifdef WIN32
 /* Nmap normally uses device names obtained through dnet for interfaces, but Pcap has its own
 naming system.  So the conversion is done here */
@@ -706,12 +709,21 @@ naming system.  So the conversion is done here */
 #else
   Strncpy(pcapdev, device, sizeof(pcapdev));
 #endif
-  if (!((pt = pcap_open_live(pcapdev, snaplen, promisc, to_ms, err0r)))) {
-    fatal("pcap_open_live: %s\nThere are several possible reasons for this, depending on your operating system:\n"
+  do {
+    pt = pcap_open_live(pcapdev, snaplen, promisc, to_ms, err0r);
+    if (!pt) {
+      failed++;
+      if (failed >= 3) {
+fatal("Call to pcap_open_live(%s, %d, %d, %d) failed three times. Reported error: %s\nThere are several possible reasons for this, depending on your operating system:\n"
           "LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.\n"
           "*BSD:  If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support.  If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV <device>; or use mknod).\n"
-          "SOLARIS:  If you are trying to scan localhost and getting '/dev/lo0: No such file or directory', complain to Sun.  I don't think Solaris can support advanced localhost scans.  You can probably use \"-P0 -sT localhost\" though.\n\n", err0r);
-  }
+          "SOLARIS:  If you are trying to scan localhost and getting '/dev/lo0: No such file or directory', complain to Sun.  I don't think Solaris can support advanced localhost scans.  You can probably use \"-P0 -sT localhost\" though.\n\n", pcapdev, snaplen, promisc, to_ms, err0r);
+      } else {
+	error("pcap_open_live(%s, %d, %d, %d) FAILLED. Reported error: %s.  Will wait %d seconds then retry.", pcapdev, snaplen, promisc, to_ms, err0r, (int) pow(5, failed));	
+      }
+      sleep((int) pow(5, failed));
+    }
+  } while (!pt);
 
 #ifdef WIN32
   /* We want any responses back ASAP */
@@ -2728,7 +2740,7 @@ int block_socket(int sd) {
 #ifdef WIN32
   unsigned long options=0;
   if(sd == 501) return 1;
-  ioctlsocket(sd, FIONBIO, (unsigned long *)&options);
+  ioctlsocket(sd, FIONBIO, &options);
 #else
   int options;
   options = (~O_NONBLOCK) & fcntl(sd, F_GETFL);
diff --git a/utils.cc b/utils.cc
index 6547c1ba5..fdc7d7e98 100644
--- a/utils.cc
+++ b/utils.cc
@@ -197,15 +197,13 @@ char *strerror(int errnum) {
 /* Like the perl equivialent -- It removes the terminating newline from string
    IF one exists.  It then returns the POSSIBLY MODIFIED string */
 char *chomp(char *string) {
-  int len;
-  len = strlen(string);
-  if (len < 1)
-    return string;
-  if (string[len - 1] != '\n')
-    return string;  
-  if (len > 1 && string[len-2] == '\r') {
-    string[len-2] = '\0';
-  } else string[len-1] = '\0';
+  int len = strlen(string);
+  if (len && string[len - 1] == '\n') {
+    if (len > 1 && string[len - 2] == '\r')
+      string[len - 2] = '\0';
+    else
+      string[len - 1] = '\0';
+  }
   return string;
 }