diff --git a/osscan.cc b/osscan.cc
index 75a5547c9..1d8dd13be 100644
--- a/osscan.cc
+++ b/osscan.cc
@@ -490,7 +490,8 @@ static FingerPrint *get_fingerprint(Target *target, struct seq_info *si) {
 unsigned int sequence_base;
 unsigned long openport;
 unsigned int bytes;
- unsigned int closedport = 31337;
+ unsigned int closedtcpport = 31337;
+ unsigned int closedudpport = 31337;
 Port *tport = NULL;
 char filter[512];
 double seq_inc_sum = 0;
@@ -572,30 +573,52 @@ static FingerPrint *get_fingerprint(Target *target, struct seq_info *si) {
 target->FPR1->osscan_opentcpport = tport->portno;
 }
- /* Now we should find a closed port */
+ /* Now we should find a closed TCP port */
 if ((tport = target->ports.nextPort(NULL, IPPROTO_TCP, PORT_CLOSED))) {
- closedport = tport->portno;
+ closedtcpport = tport->portno;
- /* Port 0 seems to screw things up, so try to get another if available */
+ /* We'd prefer something non-zero */
 if (tport->portno == 0)
 if ((tport = target->ports.nextPort(tport, IPPROTO_TCP, PORT_CLOSED)))
- closedport = tport->portno;
+ closedtcpport = tport->portno;
- target->FPR1->osscan_closedtcpport = closedport;
+ target->FPR1->osscan_closedtcpport = closedtcpport;
 } else if ((tport = target->ports.nextPort(NULL, IPPROTO_TCP, PORT_UNFILTERED))) {
 /* Well, we will settle for unfiltered */
- closedport = tport->portno;
+ closedtcpport = tport->portno;
+
+ /* We'd prefer something non-zero */
+ if (tport->portno == 0)
+ if ((tport = target->ports.nextPort(tport, IPPROTO_TCP, PORT_CLOSED)))
+ closedtcpport = tport->portno;
+ } else {
+ closedtcpport = (get_random_uint() % 14781) + 30000;
+ }
+
+ /* Now we should find a closed UDP port */
+ if ((tport = target->ports.nextPort(NULL, IPPROTO_UDP, PORT_CLOSED))) {
+ closedudpport = tport->portno;
 /* Port 0 seems to screw things up, so try to get another if available */
 if (tport->portno == 0)
- if ((tport = target->ports.nextPort(tport, IPPROTO_TCP, PORT_CLOSED)))
- closedport = tport->portno;
+ if ((tport = target->ports.nextPort(tport, IPPROTO_UDP, PORT_CLOSED)))
+ closedudpport = tport->portno;
+
+ target->FPR1->osscan_closedudpport = closedudpport;
+ } else if ((tport = target->ports.nextPort(NULL, IPPROTO_UDP, PORT_UNFILTERED))) {
+ /* Well, we will settle for unfiltered */
+ closedudpport = tport->portno;
+
+ /* Port 0 seems to screw things up, so try to get another if available */
+ if (tport->portno == 0)
+ if ((tport = target->ports.nextPort(tport, IPPROTO_UDP, PORT_CLOSED)))
+ closedudpport = tport->portno;
 } else {
- closedport = (get_random_uint() % 14781) + 30000;
+ closedudpport = (get_random_uint() % 14781) + 30000;
 }
 if (o.verbose && openport != (unsigned long) -1)
- log_write(LOG_STDOUT, "For OSScan assuming port %lu is open, %d is closed, and neither are firewalled\n", openport, closedport);
+ log_write(LOG_STDOUT, "For OSScan assuming port %lu is open, tcp/%d and udp/%d are closed, and neither are firewalled\n", openport, closedtcpport, closedudpport);
 current_port = o.magic_port + NUM_SEQ_SAMPLES +1;
@@ -643,7 +666,7 @@ static FingerPrint *get_fingerprint(Target *target, struct seq_info *si) {
 if (!FPtests[5]) {
 if (o.scan_delay) enforce_scan_delay(NULL);
 send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, false, NULL, 0,
- current_port +4, closedport, sequence_base, 0, 0,
+ current_port +4, closedtcpport, sequence_base, 0, 0,
 TH_SYN, 0, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
 }
@@ -651,7 +674,7 @@ static FingerPrint *get_fingerprint(Target *target, struct seq_info *si) {
 if (!FPtests[6]) {
 if (o.scan_delay) enforce_scan_delay(NULL);
 send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, false, NULL, 0,
- current_port +5, closedport, sequence_base, 0, 0,
+ current_port +5, closedtcpport, sequence_base, 0, 0,
 TH_ACK, 0, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
 }
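Review bot: In the TCP "settle for unfiltered" branch, and in the mirrored UDP unfiltered branch below it, the new port-0 fallback asks `nextPort(tport, IPPROTO_TCP, PORT_CLOSED)` (resp. `IPPROTO_UDP`), but those branches are only reached because `nextPort(NULL, <proto>, PORT_CLOSED)` found no closed port at all, so the fallback can never succeed and a port-0 result is kept. The retry should stay in the state it settled for: `if ((tport = target->ports.nextPort(tport, IPPROTO_TCP, PORT_UNFILTERED)))` and likewise `PORT_UNFILTERED` in the UDP branch. The unfiltered branches also never assign `target->FPR1->osscan_closedtcpport` / `osscan_closedudpport`, while the closed branches do, so the fingerprint record may be left without a port in that case — hedged, since how FPR1 consumes it is not visible here. The log_write line prints the two `unsigned int` ports with `%d`; `%u` matches the type. get_fingerprint starts and ends outside this hunk.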
@@ -659,14 +682,14 @@ static FingerPrint *get_fingerprint(Target *target, struct seq_info *si) {
 if (!FPtests[7]) {
 if (o.scan_delay) enforce_scan_delay(NULL);
 send_tcp_raw_decoys(rawsd, ethptr, target->v4hostip(), o.ttl, false, NULL, 0,
- current_port +6, closedport, sequence_base, 0, 0,
+ current_port +6, closedtcpport, sequence_base, 0, 0,
 TH_FIN|TH_PUSH|TH_URG, 0, 0, (u8 *) "\003\003\012\001\002\004\001\011\010\012\077\077\077\077\000\000\000\000\000\000" , 20, NULL, 0);
 }
 /* Test 8 */
 if (!FPtests[8]) {
 if (o.scan_delay) enforce_scan_delay(NULL);
- upi = send_closedudp_probe(rawsd, ethptr, target->v4hostip(), o.magic_port, closedport);
+ upi = send_closedudp_probe(rawsd, ethptr, target->v4hostip(), o.magic_port, closedudpport);
 }
 gettimeofday(&t1, NULL);
 timeout = 0;
diff --git a/scan_engine.cc b/scan_engine.cc
index 3fb2b16b9..a7c5b12bd 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -1985,7 +1985,7 @@ static UltraProbe *sendConnectScanProbe(UltraScanInfo *USI, HostScanStats *hss,
 CP = probe->CP();
 /* Initiate the connection */
 CP->sd = socket(o.af(), SOCK_STREAM, IPPROTO_TCP);
- if (CP->sd == 1) pfatal("Socket creation in sendConnectScanProbe");
+ if (CP->sd == -1) pfatal("Socket creation in sendConnectScanProbe");
 unblock_socket(CP->sd);
 init_socket(CP->sd);
 if (hss->target->TargetSockAddr(&sock, &socklen) != 0) {
diff --git a/tcpip.cc b/tcpip.cc
index 489436fd7..f8fef5e9d 100644
--- a/tcpip.cc
+++ b/tcpip.cc
@@ -535,6 +535,8 @@ static const char *ippackethdrinfo(const u8 *packet, u32 len) {
 snprintf(protoinfo, sizeof(protoinfo), "ICMP %s > %s fragment %s (incomplete)", srchost, dsthost, ipinfo);
 } else if (ip->ip_p == IPPROTO_ICMP) {
 char icmptype[128];
+ char *ip2dst;
+ struct ip *ip2;
 struct ppkt {
 unsigned char type;
 unsigned char code;
@@ -547,41 +549,67 @@ static const char *ippackethdrinfo(const u8 *packet, u32 len) {
 case 0:
 strcpy(icmptype, "Echo reply"); break;
 case 3:
+ ip2 = (struct ip *) ((char *) ip + (ip->ip_hl * 4) + 8);
+ tcp = (struct tcp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
+ udp = (struct udp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
+ ip2dst = inet_ntoa(ip2->ip_dst);
 switch (ping->code) {
 case 0:
- strcpy(icmptype, "network unreachable"); break;
+ snprintf(icmptype, sizeof icmptype, "network %s unreachable", ip2dst);
+ break;
 case 1:
- strcpy(icmptype, "host unreachable"); break;
+ snprintf(icmptype, sizeof icmptype, "host %s unreachable", ip2dst);
+ break;
 case 2:
- strcpy(icmptype, "protocol unreachable"); break;
+ snprintf(icmptype, sizeof icmptype, "protocol %u unreachable", ip2->ip_p);
+ break;
 case 3:
- strcpy(icmptype, "port unreachable"); break;
+ if (ip2->ip_p == IPPROTO_UDP)
+ snprintf(icmptype, sizeof icmptype, "port %u unreachable", ntohs(udp->uh_dport));
+ else if (ip2->ip_p == IPPROTO_TCP)
+ snprintf(icmptype, sizeof icmptype, "port %u unreachable", ntohs(tcp->th_dport));
+ else
+ strcpy(icmptype, "port unreachable");
+ break;
 case 4:
- strcpy(icmptype, "fragmentation required"); break;
+ strcpy(icmptype, "fragmentation required");
+ break;
 case 5:
- strcpy(icmptype, "source route failed"); break;
+ strcpy(icmptype, "source route failed");
+ break;
 case 6:
- strcpy(icmptype, "destination network unknown"); break;
+ snprintf(icmptype, sizeof icmptype, "destination network %s unknown", ip2dst);
+ break;
 case 7:
- strcpy(icmptype, "destination host unknown"); break;
+ snprintf(icmptype, sizeof icmptype, "destination host %s unknown", ip2dst);
+ break;
 case 8:
- strcpy(icmptype, "source host isolated"); break;
+ strcpy(icmptype, "source host isolated");
+ break;
 case 9:
- strcpy(icmptype, "destination network administratively prohibited"); break;
+ snprintf(icmptype, sizeof icmptype, "destination network %s administratively prohibited", ip2dst);
+ break;
 case 10:
- strcpy(icmptype, "destination host administratively prohibited"); break;
+ snprintf(icmptype, sizeof icmptype, "destination host %s administratively prohibited", ip2dst);
+ break;
 case 11:
- strcpy(icmptype, "network unreachable for TOS"); break;
+ snprintf(icmptype, sizeof icmptype, "network %s unreachable for TOS", ip2dst);
+ break;
 case 12:
- strcpy(icmptype, "host unreachable for TOS"); break;
+ snprintf(icmptype, sizeof icmptype, "host %s unreachable for TOS", ip2dst);
+ break;
 case 13:
- strcpy(icmptype, "communication administratively prohibited by filtering"); break;
+ strcpy(icmptype, "communication administratively prohibited by filtering");
+ break;
 case 14:
- strcpy(icmptype, "host precedence violation"); break;
+ strcpy(icmptype, "host precedence violation");
+ break;
 case 15:
- strcpy(icmptype, "precedence cutoff in effect"); break;
+ strcpy(icmptype, "precedence cutoff in effect");
+ break;
 default:
- strcpy(icmptype, "unknown unreachable code"); break;
+ strcpy(icmptype, "unknown unreachable code");
+ break;
 }
 break;
 case 4:
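Review bot: The four new lines at the top of `case 3:` read `ip2->ip_hl`, `ip2->ip_dst`, `ip2->ip_p` and the quoted TCP/UDP destination port without checking that `len` covers the quoted inner header: a truncated or malformed Destination Unreachable shorter than outer IHL + 8 + 20 bytes, or one whose inner IHL is below 20, makes these reads run past the captured packet, and this is network input the program does not control. Unless a check earlier in ippackethdrinfo already bounds the ICMP payload (not visible in this hunk), bound the offsets against `len` before dereferencing and fall back to a generic string when the quote is too short; the rewritten preamble is below and the inner `switch (ping->code)` is unchanged. `inet_ntoa` returns a pointer to a static buffer, so `ip2dst` is only valid until the next `inet_ntoa` call, which is fine here as long as none is added between this line and the snprintf calls. ippackethdrinfo starts and ends outside the hunk.
```cpp
case 3:
  /* Destination Unreachable quotes the original IP header plus the first 8
     bytes of its payload; a short or malformed capture may not carry all of
     it, so bound every read of the quoted headers by len. */
  if (len < (ip->ip_hl * 4) + 8 + sizeof(struct ip)) {
    strcpy(icmptype, "unreachable (quoted header truncated)");
    break;
  }
  ip2 = (struct ip *) ((char *) ip + (ip->ip_hl * 4) + 8);
  if (ip2->ip_hl * 4 < sizeof(struct ip) ||
      len < (ip->ip_hl * 4) + 8 + (ip2->ip_hl * 4) + 4) {
    /* Inner IHL is bogus or the quoted transport ports are cut off. */
    strcpy(icmptype, "unreachable (quoted header truncated)");
    break;
  }
  tcp = (struct tcp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
  udp = (struct udp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
  ip2dst = inet_ntoa(ip2->ip_dst);
  /* … unchanged: switch (ping->code) { … } … */
```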