From af8f151972155d12383f0778e03b5b8be84fda64 Mon Sep 17 00:00:00 2001
From: david <david@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Wed, 4 Nov 2009 21:33:53 +0000
Subject: [PATCH] Move the IP ID test after the tests for source ports, etc.,
 because every false attempt degrades the IP ID filter. We only want to to
 call it when we're pretty sure we have a match.

---
 scan_engine.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/scan_engine.cc b/scan_engine.cc
index 9999b64f7..ca9e4be3e 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -4248,10 +4248,6 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
 	    hss->target->v4hostip()->s_addr != ip2->ip_dst.s_addr)
 	  continue;
 
-	/* Checking IPID is a little more complex because you can't always count on it */
-	if (!allow_ipid_match(probe->ipid(), ntohs(ip2->ip_id)))
-	  continue;
-
 	if (ip2->ip_p == IPPROTO_TCP && !USI->prot_scan) {
 	  struct tcp_hdr *tcp = (struct tcp_hdr *) ((u8 *) ip2 + ip2->ip_hl * 4);
 	  if (ntohs(tcp->th_sport) != probe->sport() || 
@@ -4273,6 +4269,10 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
 	  assert(0);
 	} 
 
+	/* Checking IPID is a little more complex because you can't always count on it */
+	if (!allow_ipid_match(probe->ipid(), ntohs(ip2->ip_id)))
+	  continue;
+
 	if (icmp->icmp_type == 3) {
 	  switch(icmp->icmp_code) {
 	  case 0: /* Network unreachable */