From bb7a1cfb9fdba1187df4678cab0018a1336515c2 Mon Sep 17 00:00:00 2001
From: fyodor
Date: Wed, 27 Jul 2005 04:39:55 +0000
Subject: [PATCH] little buffixes

---
 CHANGELOG | 2 +-
 docs/nmap.usage.txt | 2 +-
 docs/nmap_manpage.html | 683 +++++++++++++++++++++--------------------
 nmap-service-probes | 10 +-
 osscan.cc | 2 +-
 scan_engine.cc | 5 +-
 6 files changed, 362 insertions(+), 342 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index d535496bf..7f4005882 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,6 @@
 # Nmap Changelog ($Id$)
-UNRELEASED
+Nmap 3.83DC13
 o Added the ability for Nmap to send and properly route raw ethernet packets cointaining IP datagrams rather than always sending the
diff --git a/docs/nmap.usage.txt b/docs/nmap.usage.txt
index 267c6e2f7..c86b0c6f6 100644
--- a/docs/nmap.usage.txt
+++ b/docs/nmap.usage.txt
@@ -1,4 +1,4 @@
-Nmap 3.83.SOC3 Usage: nmap [Scan Type(s)] [Options]
+Nmap 3.83.DC13 Usage: nmap [Scan Type(s)] [Options]
 Some Common Scan Types ('*' options require root privileges)
 * -sS TCP SYN stealth port scan (default if privileged (root))
   -sT TCP connect() port scan (default for unprivileged users)
diff --git a/docs/nmap_manpage.html b/docs/nmap_manpage.html
index dfa410615..3e34abb68 100644
--- a/docs/nmap_manpage.html
+++ b/docs/nmap_manpage.html
@@ -469,258 +469,277 @@ for UNIX machines, while ethernet frames work best on the many Windows versions where Microsoft has disabled raw sockets sup- port. Nmap still uses raw IP packets when there is no other - choice (such as non-ethernet connections). --send_ip Asks Nmap - to send packets via raw IP sockets rather than sending lower - level ethernet frames. It is the complement to the --send-eth - option.discussed previously. -f This option causes the - requested scan (including ping scans) to use tiny fragmented IP - packets. The idea is to split up the TCP header over several - packets to make it harder for packet filters, intrusion detec- - tion systems, and other annoyances to detect what you are doing. - Be careful with this! Some programs have trouble handling these - tiny packets. The old-school sniffer named Sniffit segmentation - faulted immediately upon receiving the first fragment. Specify - this option once, and Nmap splits the packets into 8 bytes or - less after the IP header. So a 20-byte TCP header would be - split into 3 packets. - Two with eight bytes of the TCP header, and one with the final - four. Of course each fragment also has an IP header. Specify - -f again to use 16 bytes per fragment (reducing the number of - fragments). Or you can specify your own offset size with the + choice (such as non-ethernet connections). + + --send_ip + Asks Nmap to send packets via raw IP sockets rather than sending + lower level ethernet frames. It is the complement to the + --send-eth option.discussed previously. + + --spoof_mac [mac, prefix, or vendor substring] + Ask Nmap to use the given MAC address for all of the raw ether- + net frames it sends. The MAC given can take several formats. + If it is simply the string "0", Nmap chooses a completely random + MAC for the session. If the given string is an even number of + hex digits (with the pairs optionally separated by a colon), + Nmap will use those as the MAC. 
If less than 12 hex digits are + provided, Nmap fills in the remainder of the 6 bytes with random + values. If the argument isn’t a 0 or hex string, Nmap looks + through the nmap-mac-prefixes to find a vendor name containing + the given string (it is case insensitive). If a match is found, + Nmap uses the vendor’s OUI (3-byte prefix) and fills out the + remaining 3 bytes randomly. Valid --spoof_mac argument examples + are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", + and "Cisco". + + -f This option causes the requested scan (including ping scans) to + use tiny fragmented IP packets. The idea is to split up the TCP + header over several packets to make it harder for packet fil- + ters, intrusion detection systems, and other annoyances to + detect what you are doing. Be careful with this! Some programs + have trouble handling these tiny packets. The old-school sniffer + named Sniffit segmentation faulted immediately upon receiving + the first fragment. Specify this option once, and Nmap splits + the packets into 8 bytes or less after the IP header. So a + 20-byte TCP header would be split into 3 packets. + Two with eight bytes of the TCP header, and one with the final + four. Of course each fragment also has an IP header. Specify + -f again to use 16 bytes per fragment (reducing the number of + fragments). Or you can specify your own offset size with the --mtu option. Don’t also specify -f if you use --mtu. The off- set must be a multiple of 8. While fragmented packets won’t get - by packet filters and firewalls that queue all IP fragments, - such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel, - some networks can’t afford the performance hit this causes and + by packet filters and firewalls that queue all IP fragments, + such as the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel, + some networks can’t afford the performance hit this causes and thus leave it disabled. Some source systems defragment outgoing - packets in the kernel. 
Linux with the ip tables connection - tracking module is one such example. Do a scan with a sniffer - such as ethereal running to ensure that sent packets are frag- + packets in the kernel. Linux with the ip tables connection + tracking module is one such example. Do a scan with a sniffer + such as ethereal running to ensure that sent packets are frag- mented. - Note that I do not yet have this option working on all systems. - It works fine for my Linux, FreeBSD, and OpenBSD boxes and some + Note that I do not yet have this option working on all systems. + It works fine for my Linux, FreeBSD, and OpenBSD boxes and some people have reported success with other *NIX variants. - -v Verbose mode. This is a highly recommended option and it gives - out more information about what is going on. You can use it - twice for greater effect. You can also use -d a few times if + -v Verbose mode. This is a highly recommended option and it gives + out more information about what is going on. You can use it + twice for greater effect. You can also use -d a few times if you really want to get crazy with scrolling the screen! -h This handy option display a quick reference screen of nmap usage - options. As you may have noticed, this man page is not exactly + options. As you may have noticed, this man page is not exactly a "quick reference" :) -oN <logfilename> - This logs the results of your scans in a normal human readable + This logs the results of your scans in a normal human readable form into the file you specify as an argument. -oX <logfilename> - This logs the results of your scans in XML form into the file + This logs the results of your scans in XML form into the file you specify as an argument. This allows programs to easily cap- - ture and interpret Nmap results. You can give the argument "-" - (without quotes) to shoot output into stdout (for shell + ture and interpret Nmap results. 
You can give the argument "-" + (without quotes) to shoot output into stdout (for shell pipelines, etc). In this case normal output will be suppressed. Watch out for error messages if you use this (they will still go - to stderr). Also note that "-v" may cause some extra informa- + to stderr). Also note that "-v" may cause some extra informa- tion to be printed. The Document Type Definition (DTD) defining the XML output structure is available at http://www.inse- cure.org/nmap/data/nmap.dtd . --stylesheet <filename> - Nmap ships with an XSL stylesheet named nmap.xsl for viewing or + Nmap ships with an XSL stylesheet named nmap.xsl for viewing or translating XML output to HTML. The XML output includes an xml- - stylesheet directive which points to nmap.xml where it was ini- + stylesheet directive which points to nmap.xml where it was ini- tially installed by Nmap (or in the current working directory on Windows). Simply load Nmap’s XML output in a modern web browser - and it should retrieve nmap.xsl from the filesystem and use it - to render results. If you wish to use a different stylesheet, - specify it as the argument to --stylesheet. You must pass the - full pathname or URL. One common invocation is --stylesheet - http://www.insecure.org/nmap/data/nmap.xsl . This tells a - browser to load the latest version of the stylesheet from Inse- - cure.Org. This makes it easier to view results on a machine - that doesn’t have Nmap (and thus nmap.xsl) installed. So the - URL is often more useful, but the local filesystem locaton of + and it should retrieve nmap.xsl from the filesystem and use it + to render results. If you wish to use a different stylesheet, + specify it as the argument to --stylesheet. You must pass the + full pathname or URL. One common invocation is --stylesheet + http://www.insecure.org/nmap/data/nmap.xsl . This tells a + browser to load the latest version of the stylesheet from Inse- + cure.Org. 
This makes it easier to view results on a machine + that doesn’t have Nmap (and thus nmap.xsl) installed. So the + URL is often more useful, but the local filesystem locaton of nmap.xsl is used by default for privacy reasons. --no_stylesheet - Specify this option to prevent Nmap from associating any XSL + Specify this option to prevent Nmap from associating any XSL stylesheet with its XML output. The xml-stylesheet directive is omitted. -oG <logfilename> - This logs the results of your scans in a grepable form into the - file you specify as an argument. This simple format provides + This logs the results of your scans in a grepable form into the + file you specify as an argument. This simple format provides all the information on one line (so you can easily grep for port or OS information and see all the IPs. This used to be the pre- - ferred mechanism for programs to interact with Nmap, but now we - recommend XML output (-oX instead). This simple format may not - contain as much information as the other formats. You can give - the argument "-" (without quotes) to shoot output into stdout - (for shell pipelines, etc). In this case normal output will be - suppressed. Watch out for error messages if you use this (they - will still go to stderr). Also note that "-v" will cause some + ferred mechanism for programs to interact with Nmap, but now we + recommend XML output (-oX instead). This simple format may not + contain as much information as the other formats. You can give + the argument "-" (without quotes) to shoot output into stdout + (for shell pipelines, etc). In this case normal output will be + suppressed. Watch out for error messages if you use this (they + will still go to stderr). Also note that "-v" will cause some extra information to be printed. -oA <basefilename> - This tells Nmap to log in ALL the major formats (normal, - grepable, and XML). 
You give a base for the filename, and the + This tells Nmap to log in ALL the major formats (normal, + grepable, and XML). You give a base for the filename, and the output files will be base.nmap, base.gnmap, and base.xml. -oS <logfilename> thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|<ipT kiDd|3 f0rM iNto - THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3 the 4rgument "-" + THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3 the 4rgument "-" (wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!! --resume <logfilename> - A network scan that is canceled due to control-C, network out- - age, etc. can be resumed using this option. The logfilename - must be either a normal (-oN) or grepable (-oG) log from the - aborted scan. No other options can be given (they will be the + A network scan that is canceled due to control-C, network out- + age, etc. can be resumed using this option. The logfilename + must be either a normal (-oN) or grepable (-oG) log from the + aborted scan. No other options can be given (they will be the same as the aborted scan). Nmap will start on the machine after the last one successfully scanned in the log file. --exclude <host1 [,host2][,host3],..."> - Specifies a list of targets (hosts, ranges, netblocks) that - should be excluded from a scan. Useful to keep from scanning + Specifies a list of targets (hosts, ranges, netblocks) that + should be excluded from a scan. Useful to keep from scanning yourself, your ISP, particularly sensitive hosts, etc. --excludefile <exclude_file> - Same functionality as the --exclude option, only the excluded + Same functionality as the --exclude option, only the excluded targets are provided in an newline-delimited exclude_file rather than on the command line. 
--allports - Causes version detection (-sV) to scan all open ports found, - including those excluded as dangerous (likely to cause crashes + Causes version detection (-sV) to scan all open ports found, + including those excluded as dangerous (likely to cause crashes or other problems) in nmap-service-probes. --append_output - Tells Nmap to append scan results to any output files you have + Tells Nmap to append scan results to any output files you have specified rather than overwriting those files. -iL <inputfilename> - Reads target specifications from the file specified RATHER than - from the command line. The file should contain a list of host - or network expressions separated by spaces, tabs, or newlines. - Use a hyphen (-) as inputfilename if you want nmap to read host - expressions from stdin (like at the end of a pipe). See the + Reads target specifications from the file specified RATHER than + from the command line. The file should contain a list of host + or network expressions separated by spaces, tabs, or newlines. + Use a hyphen (-) as inputfilename if you want nmap to read host + expressions from stdin (like at the end of a pipe). See the section target specification for more information on the expres- sions you fill the file with. -iR <num hosts> This option tells Nmap to generate its own hosts to scan by sim- - ply picking random numbers :). It will never end after the + ply picking random numbers :). It will never end after the given number of IPs has been scanned -- use 0 for a never-ending scan. This option can be useful for statistical sampling of the - Internet to estimate various things. If you are ever really - bored, try nmap -sS -PS80 -iR 0 -p 80 to find some web servers + Internet to estimate various things. If you are ever really + bored, try nmap -sS -PS80 -iR 0 -p 80 to find some web servers to look at. -p <port ranges> - This option specifies what ports you want to specify. 
For exam- - ple "-p 23" will only try port 23 of the target host(s). "-p - 20-30,139,60000-" scans ports between 20 and 30, port 139, and - all ports greater than 60000. The default is to scan all ports - between 1 and 1024 as well as any ports listed in the services - file which comes with nmap. For IP protocol scanning (-sO), + This option specifies what ports you want to specify. For exam- + ple "-p 23" will only try port 23 of the target host(s). "-p + 20-30,139,60000-" scans ports between 20 and 30, port 139, and + all ports greater than 60000. The default is to scan all ports + between 1 and 1024 as well as any ports listed in the services + file which comes with nmap. For IP protocol scanning (-sO), this specifies the protocol number you wish to scan for (0-255). When scanning both TCP and UDP ports, you can specify a particu- lar protocol by preceding the port numbers by "T:" or "U:". The - qualifier lasts until you specify another qualifier. For exam- - ple, the argument "-p U:53,111,137,T:21-25,80,139,8080" would - scan UDP ports 53,111,and 137, as well as the listed TCP ports. + qualifier lasts until you specify another qualifier. For exam- + ple, the argument "-p U:53,111,137,T:21-25,80,139,8080" would + scan UDP ports 53,111,and 137, as well as the listed TCP ports. Note that to scan both UDP & TCP, you have to specify -sU and at - least one TCP scan type (such as -sS, -sF, or -sT). If no pro- + least one TCP scan type (such as -sS, -sF, or -sT). If no pro- tocol qualifier is given, the port numbers are added to all pro- tocol lists. -F Fast scan mode. - Specifies that you only wish to scan for ports listed in the - services file which comes with nmap (or the protocols file for - -sO). This is obviously much faster than scanning all 65535 + Specifies that you only wish to scan for ports listed in the + services file which comes with nmap (or the protocols file for + -sO). This is obviously much faster than scanning all 65535 ports on a host. 
-D <decoy1 [,decoy2][,ME],...> Causes a decoy scan to be performed which makes it appear to the - remote host that the host(s) you specify as decoys are scanning - the target network too. Thus their IDS might report 5-10 port + remote host that the host(s) you specify as decoys are scanning + the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys. While this can be - defeated through router path tracing, response-dropping, and - other "active" mechanisms, it is generally an extremely effec- + defeated through router path tracing, response-dropping, and + other "active" mechanisms, it is generally an extremely effec- tive technique for hiding your IP address. Separate each decoy host with commas, and you can optionally use - "ME" as one of the decoys to represent the position you want + "ME" as one of the decoys to represent the position you want your IP address to be used. If you put "ME" in the 6th position - or later, some common port scan detectors (such as Solar - Designer’s excellent scanlogd) are unlikely to show your IP - address at all. If you don’t use "ME", nmap will put you in a + or later, some common port scan detectors (such as Solar + Designer’s excellent scanlogd) are unlikely to show your IP + address at all. If you don’t use "ME", nmap will put you in a random position. - Note that the hosts you use as decoys should be up or you might - accidentally SYN flood your targets. Also it will be pretty + Note that the hosts you use as decoys should be up or you might + accidentally SYN flood your targets. Also it will be pretty easy to determine which host is scanning if only one is actually - up on the network. You might want to use IP addresses instead - of names (so the decoy networks don’t see you in their name- + up on the network. 
You might want to use IP addresses instead + of names (so the decoy networks don’t see you in their name- server logs). - Also note that some "port scan detectors" will firewall/deny - routing to hosts that attempt port scans. The problem is that + Also note that some "port scan detectors" will firewall/deny + routing to hosts that attempt port scans. The problem is that many scan types can be forged (as this option demonstrates). So - attackers can cause such a machine to sever connectivity with - important hosts such as its internet gateway, DNS TLD servers, - sites like Windows Update, etc. Most such software offers + attackers can cause such a machine to sever connectivity with + important hosts such as its internet gateway, DNS TLD servers, + sites like Windows Update, etc. Most such software offers whitelist capabilities, but you are unlikely to enumerate all of - the critical machines. For this reason we never recommend tak- - ing action against port scans that can be forged, including SYN - scans, UDP scans, etc. The machine you block could just be a + the critical machines. For this reason we never recommend tak- + ing action against port scans that can be forged, including SYN + scans, UDP scans, etc. The machine you block could just be a decoy. - Decoys are used both in the initial ping scan (using ICMP, SYN, - ACK, or whatever) and during the actual port scanning phase. + Decoys are used both in the initial ping scan (using ICMP, SYN, + ACK, or whatever) and during the actual port scanning phase. Decoys are also used during remote OS detection ( -O ). It is worth noting that using too many decoys may slow your scan - and potentially even make it less accurate. Also, some ISPs - will filter out your spoofed packets, although many (currently + and potentially even make it less accurate. Also, some ISPs + will filter out your spoofed packets, although many (currently most) do not restrict spoofed IP packets at all. 
-S <IP_Address> - In some circumstances, nmap may not be able to determine your - source address ( nmap will tell you if this is the case). In - this situation, use -S with your IP address (of the interface + In some circumstances, nmap may not be able to determine your + source address ( nmap will tell you if this is the case). In + this situation, use -S with your IP address (of the interface you wish to send packets through). - Another possible use of this flag is to spoof the scan to make + Another possible use of this flag is to spoof the scan to make the targets think that someone else is scanning them. Imagine a - company being repeatedly port scanned by a competitor! This is - not a supported usage (or the main purpose) of this flag. I - just think it raises an interesting possibility that people - should be aware of before they go accusing others of port scan- - ning them. -e would generally be required for this sort of + company being repeatedly port scanned by a competitor! This is + not a supported usage (or the main purpose) of this flag. I + just think it raises an interesting possibility that people + should be aware of before they go accusing others of port scan- + ning them. -e would generally be required for this sort of usage. -e <interface> - Tells nmap what interface to send and receive packets on. Nmap + Tells nmap what interface to send and receive packets on. Nmap should be able to detect this but it will tell you if it cannot. --source_port <portnumber> - Sets the source port number used in scans. Many naive firewall + Sets the source port number used in scans. Many naive firewall and packet filter installations make an exception in their rule- - set to allow DNS (53) or FTP-DATA (20) packets to come through - and establish a connection. Obviously this completely subverts + set to allow DNS (53) or FTP-DATA (20) packets to come through + and establish a connection. 
Obviously this completely subverts the security advantages of the firewall since intruders can just - masquerade as FTP or DNS by modifying their source port. Obvi- - ously for a UDP scan you should try 53 first and TCP scans - should try 20 before 53. Note that this is only a request -- + masquerade as FTP or DNS by modifying their source port. Obvi- + ously for a UDP scan you should try 53 first and TCP scans + should try 20 before 53. Note that this is only a request -- nmap will honor it only if and when it is able to. For example, - you can’t do TCP ISN sampling all from one host:port to one + you can’t do TCP ISN sampling all from one host:port to one host:port, so nmap changes the source port even if you used this - option. This is an alias for the shorter, but harder to remem- + option. This is an alias for the shorter, but harder to remem- ber, -g option. Be aware that there is a small performance penalty on some scans 
@@ -728,191 +747,191 @@ tion in the source port number. --data_length <number> - Normally Nmap sends minimalistic packets that only contain a + Normally Nmap sends minimalistic packets that only contain a header. So its TCP packets are generally 40 bytes and ICMP echo - requests are just 28. This option tells Nmap to append the - given number of random bytes to most of the packets it sends. + requests are just 28. This option tells Nmap to append the + given number of random bytes to most of the packets it sends. OS detection (-O) packets are not affected, but most pinging and - portscan packets are. This slows things down, but can be + portscan packets are. This slows things down, but can be slightly less conspicuous. - -n Tells Nmap to NEVER do reverse DNS resolution on the active IP - addresses it finds. Since DNS is often slow, this can help + -n Tells Nmap to NEVER do reverse DNS resolution on the active IP + addresses it finds. Since DNS is often slow, this can help speed things up. - -R Tells Nmap to ALWAYS do reverse DNS resolution on the target IP - addresses. Normally this is only done when a machine is found + -R Tells Nmap to ALWAYS do reverse DNS resolution on the target IP + addresses. Normally this is only done when a machine is found to be alive. - -r Tells Nmap NOT to randomize the order in which ports are + -r Tells Nmap NOT to randomize the order in which ports are scanned. --ttl <value> - Sets the IPv4 time to live field in sent packets to the given + Sets the IPv4 time to live field in sent packets to the given value. --privileged Tells Nmap to simply assume that it is privileged enough to per- - form raw socket sends, packet sniffing, and similar operations - that usually require root privileges on UNIX systems. By - default Nmap bails if such operations are requested but + form raw socket sends, packet sniffing, and similar operations + that usually require root privileges on UNIX systems. 
By + default Nmap bails if such operations are requested but geteuid() is not zero. --privileged is useful with Linux kernel capabilities and similar systems that may be configured to allow unprivileged users to perform raw-packet scans. Be sure to pro- - vide this option flag before any flags for options that require - privileges (SYN scan, OS detection, etc.). The NMAP_PRIVILEGED + vide this option flag before any flags for options that require + privileges (SYN scan, OS detection, etc.). The NMAP_PRIVILEGED variable may be set as an equivalent alternative --privileged. --interactive - Starts Nmap in interactive mode, which offers an interactive - Nmap prompt allowing easy launching of multiple scans (either - synchronously or in the background). This is useful for people - who scan from multi-user systems -- they often want to test - their security without letting everyone else on the system know - exactly which systems they are scanning. Use --interactive to - activate this mode and then type usually more familiar and fea- + Starts Nmap in interactive mode, which offers an interactive + Nmap prompt allowing easy launching of multiple scans (either + synchronously or in the background). This is useful for people + who scan from multi-user systems -- they often want to test + their security without letting everyone else on the system know + exactly which systems they are scanning. Use --interactive to + activate this mode and then type usually more familiar and fea- ture-complete. --randomize_hosts - Tells Nmap to shuffle each group of up to 2048 hosts before it - scans them. This can make the scans less obvious to various - network monitoring systems, especially when you combine it with + Tells Nmap to shuffle each group of up to 2048 hosts before it + scans them. This can make the scans less obvious to various + network monitoring systems, especially when you combine it with slow timing options (see below). 
-M <max sockets> Sets the maximum number of sockets that will be used in parallel - for a TCP connect() scan (the default). This is useful to slow - down the scan a little bit and avoid crashing remote machines. - Another approach is to use -sS, which is generally easier for + for a TCP connect() scan (the default). This is useful to slow + down the scan a little bit and avoid crashing remote machines. + Another approach is to use -sS, which is generally easier for machines to handle. --packet_trace - Tells Nmap to show all the packets it sends and receives in a + Tells Nmap to show all the packets it sends and receives in a tcpdump-like format. This can be tremendously useful for debug- ging, and is also a good learning tool. --datadir [directoryname] - Nmap obtains some special data at runtime in files named nmap- - service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap- - mac-prefixes, and nmap-os-fingerprints. Nmap first searches + Nmap obtains some special data at runtime in files named nmap- + service-probes, nmap-services, nmap-protocols, nmap-rpc, nmap- + mac-prefixes, and nmap-os-fingerprints. Nmap first searches these files in the directory option to --datadir. Any files not - found there, are searched for in the directory specified by the + found there, are searched for in the directory specified by the NMAPDIR environmental variable. Next comes ~/.nmap for real and effective UIDs (POSIX systems only) or location of the Nmap exe- - cutable (Win32 only), and then a compiled-in location such as - /usr/local/share/nmap or /usr/share/nmap . As a last resort, + cutable (Win32 only), and then a compiled-in location such as + /usr/local/share/nmap or /usr/share/nmap . As a last resort, Nmap will look in the current directory. 
TIMING OPTIONS - Generally Nmap does a good job at adjusting for Network charac- + Generally Nmap does a good job at adjusting for Network charac- teristics at runtime and scanning as fast as possible while min- - imizing that chances of hosts/ports going undetected. However, - there are same cases where Nmap’s default timing policy may not - meet your objectives. The following options provide a fine + imizing that chances of hosts/ports going undetected. However, + there are same cases where Nmap’s default timing policy may not + meet your objectives. The following options provide a fine level of control over the scan timing: -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> - These are canned timing policies for conveniently expressing + These are canned timing policies for conveniently expressing your priorities to Nmap. Paranoid mode scans very slowly in the - hopes of avoiding detection by IDS systems. It serializes all + hopes of avoiding detection by IDS systems. It serializes all scans (no parallel scanning) and generally waits at least 5 min- utes between sending packets. Sneaky is similar, except it only - waits 15 seconds between sending packets. Polite is meant to - ease load on the network and reduce the chances of crashing - machines. It serializes the probes and waits at least 0.4 sec- - onds between them. Note that this is generally at least an - order of magnitude slower than default scans, so only use it - when you need to. Normal is the default Nmap behavior, which + waits 15 seconds between sending packets. Polite is meant to + ease load on the network and reduce the chances of crashing + machines. It serializes the probes and waits at least 0.4 sec- + onds between them. Note that this is generally at least an + order of magnitude slower than default scans, so only use it + when you need to. Normal is the default Nmap behavior, which tries to run as quickly as possible without overloading the net- - work or missing hosts/ports. 
Aggressive This option can make - certain scans (especially SYN scans against heavily filtered - hosts) much faster. It is recommended for impatient folks with - a fast net connection. Insane is only suitable for very fast - networks or where you don’t mind losing some information. It - times out hosts in 15 minutes and won’t wait more than 0.3 sec- - onds for individual probes. It does allow for very quick net- + work or missing hosts/ports. Aggressive This option can make + certain scans (especially SYN scans against heavily filtered + hosts) much faster. It is recommended for impatient folks with + a fast net connection. Insane is only suitable for very fast + networks or where you don’t mind losing some information. It + times out hosts in 15 minutes and won’t wait more than 0.3 sec- + onds for individual probes. It does allow for very quick net- work sweeps though :). - You can also reference these by number (0-5). For example, - "-T0" gives you Paranoid mode and "-T5" is Insane mode. If you - wish to set specific timing values such as --max_rtt_timeout or - --host_timeout, place them after any -T option on the command - line. Otherwise the defaults for the selected timing mode will + You can also reference these by number (0-5). For example, + "-T0" gives you Paranoid mode and "-T5" is Insane mode. If you + wish to set specific timing values such as --max_rtt_timeout or + --host_timeout, place them after any -T option on the command + line. Otherwise the defaults for the selected timing mode will override your choices. --host_timeout <milliseconds> Specifies the amount of time Nmap is allowed to spend scanning a - single host before giving up on that IP. The default timing + single host before giving up on that IP. The default timing mode has no host timeout. 
--max_rtt_timeout <milliseconds> Specifies the maximum amount of time Nmap is allowed to wait for - a probe response before retransmitting or timing out that par- + a probe response before retransmitting or timing out that par- ticular probe. The default mode sets this to about 9000. --min_rtt_timeout <milliseconds> When the target hosts start to establish a pattern of responding - very quickly, Nmap will shrink the amount of time given per - probe. This speeds up the scan, but can lead to missed packets - when a response takes longer than usual. With this parameter - you can guarantee that Nmap will wait at least the given amount + very quickly, Nmap will shrink the amount of time given per + probe. This speeds up the scan, but can lead to missed packets + when a response takes longer than usual. With this parameter + you can guarantee that Nmap will wait at least the given amount of time before giving up on a probe. --initial_rtt_timeout <milliseconds> - Specifies the initial probe timeout. This is generally only - useful when scanning firewalled hosts with -P0. Normally Nmap - can obtain good RTT estimates from the ping and the first few + Specifies the initial probe timeout. This is generally only + useful when scanning firewalled hosts with -P0. Normally Nmap + can obtain good RTT estimates from the ping and the first few probes. The default mode uses 6000. --max_hostgroup <numhosts> - Specifies the maximum number of hosts that Nmap is allowed to - scan in parallel. Most of the port scan techniques support - multi-host operation, which makes them much quicker. Spreading - the load among multiple target hosts makes the scans gentler. + Specifies the maximum number of hosts that Nmap is allowed to + scan in parallel. Most of the port scan techniques support + multi-host operation, which makes them much quicker. Spreading + the load among multiple target hosts makes the scans gentler. The downside is increased results latency. 
You need to wait for - all hosts in a group to finish, rather than having them pop up - one by one. Specify an argument of one for old-style (one host - at a time) Nmap behavior. Note that the ping scanner handles + all hosts in a group to finish, rather than having them pop up + one by one. Specify an argument of one for old-style (one host + at a time) Nmap behavior. Note that the ping scanner handles its own grouping, and ignores this value. --min_hostgroup <numhosts> - Specifies the minimum host group size (see previous entry). - Large values (such as 50) are often beneficial for unattended - scans, though they do take up more memory. Nmap may override - this preference when it needs to, because a group must all use - the same network interface, and some scan types can only handle + Specifies the minimum host group size (see previous entry). + Large values (such as 50) are often beneficial for unattended + scans, though they do take up more memory. Nmap may override + this preference when it needs to, because a group must all use + the same network interface, and some scan types can only handle one host at a time. --max_parallelism <number> Specifies the maximum number of scans Nmap is allowed to perform - in parallel. Setting this to one means Nmap will never try to + in parallel. Setting this to one means Nmap will never try to scan more than 1 port at a time. It also effects other parallel scans such as ping sweep, RPC scan, etc. --min_parallelism <number> - Tells Nmap to scan at least the given number of ports in paral- - lel. This can speed up scans against certain firewalled hosts + Tells Nmap to scan at least the given number of ports in paral- + lel. This can speed up scans against certain firewalled hosts by an order of magnitude. But be careful -- results will become unreliable if you push it too far. 
--scan_delay <milliseconds> - Specifies the minimum amount of time Nmap must wait between + Specifies the minimum amount of time Nmap must wait between probes. This is mostly useful to reduce network load or to slow - the scan way down to sneak under IDS thresholds. Nmap will + the scan way down to sneak under IDS thresholds. Nmap will sometimes increase the delay itself when it detects many dropped packets. For example, Solaris systems tend to respond with only - one ICMP port unreachable packet per second during a UDP scan. + one ICMP port unreachable packet per second during a UDP scan. So Nmap will try to detect this and lower its rate of UDP probes to one per second. --max_scan_delay <milliseconds> - As noted above, Nmap will sometimes enforce a special delay + As noted above, Nmap will sometimes enforce a special delay between sending packets. This can provide more accurate results - while reducing network congestion, but it can slow the scans - down substantially. By default (with no -T options specified), - Nmap allows this delay to grow to one second per probe. This + while reducing network congestion, but it can slow the scans + down substantially. By default (with no -T options specified), + Nmap allows this delay to grow to one second per probe. This option allows you to set a lower or higher maximum. Even if you - set it to zero, Nmap will have some delay between packet sends + set it to zero, Nmap will have some delay between packet sends so that it can wait for responses and avoid having too many out- standing probes in parallel. @@ -921,84 +940,84 @@

TARGET SPECIFICATION

        Everything that isn’t an option (or option argument) in nmap is treated
-       as a target host specification.  The simplest case  is  listing  single
-       hostnames  or  IP addresses on the command line.  If you want to scan a
-       subnet of IP addresses, you can append /mask  to  the  hostname  or  IP
+       as  a  target  host specification.  The simplest case is listing single
+       hostnames or IP addresses on the command line.  If you want to  scan  a
+       subnet  of  IP  addresses,  you  can append /mask to the hostname or IP
        address.  mask must be between 0 (scan the whole Internet) and 32 (scan
-       the single host specified).  Use /24 to scan a class  "C"  address  and
+       the  single  host  specified).  Use /24 to scan a class "C" address and
        /16 for a class "B".
 
-       Nmap  also  has  a  more powerful notation which lets you specify an IP
-       address using lists/ranges for each element.  Thus  you  can  scan  the
-       whole  class  "B"  network  192.168.*.*  by specifying "192.168.*.*" or
+       Nmap also has a more powerful notation which lets  you  specify  an  IP
+       address  using  lists/ranges  for  each element.  Thus you can scan the
+       whole class "B" network  192.168.*.*  by  specifying  "192.168.*.*"  or
        "192.168.0-255.0-255" or even "192.168.1-50,51-255.1,2,3,4,5-255".  And
-       of  course  you can use the mask notation: "192.168.0.0/16".  These are
-       all equivalent.  If you use asterisks ("*"), remember that most  shells
-       require  you  to  escape  them  with  back slashes or protect them with
+       of course you can use the mask notation: "192.168.0.0/16".   These  are
+       all  equivalent.  If you use asterisks ("*"), remember that most shells
+       require you to escape them with  back  slashes  or  protect  them  with
        quotes.
 
-       Another interesting thing to do is slice the Internet  the  other  way.
-       Instead  of  scanning all the hosts in a class "B", scan "*.*.5.6-7" to
-       scan every IP address that ends in .5.6 or .5.7 Pick your own  numbers.
+       Another  interesting  thing  to do is slice the Internet the other way.
+       Instead of scanning all the hosts in a class "B", scan  "*.*.5.6-7"  to
+       scan  every IP address that ends in .5.6 or .5.7 Pick your own numbers.
        For more information on specifying hosts to scan, see the examples sec-
        tion.
 
 
 

EXAMPLES

-       Here are some examples of using nmap, from simple and normal to a  lit-
-       tle  more  complex/esoteric.   Note that actual numbers and some actual
+       Here  are some examples of using nmap, from simple and normal to a lit-
+       tle more complex/esoteric.  Note that actual numbers  and  some  actual
        domain names are used to make things more concrete.  In their place you
-       should  substitute  addresses/names  from  your  own network.  I do not
-       think portscanning other networks is illegal; nor should  portscans  be
+       should substitute addresses/names from your  own  network.   I  do  not
+       think  portscanning  other networks is illegal; nor should portscans be
        construed by others as an attack.  I have scanned hundreds of thousands
-       of machines and have received only one  complaint.   But  I  am  not  a
-       lawyer  and some (anal) people may be annoyed by nmap probes.  Get per-
-       mission first or use at your own risk.
+       of  machines  and  have  received  only  one complaint.  But I am not a
+       lawyer and some (anal) people may  be  annoyed  by  nmap  probes.   Get
+       permission first or use at your own risk.
 
        nmap -v target.example.com
 
-       This option scans all reserved TCP ports on  the  machine  target.exam-
+       This  option  scans  all reserved TCP ports on the machine target.exam-
        ple.com .  The -v means turn on verbose mode.
 
        nmap -sS -O target.example.com/24
 
-       Launches  a stealth SYN scan against each machine that is up out of the
-       255 machines on class "C" where target.example.com  resides.   It  also
-       tries  to  determine what operating system is running on each host that
-       is up and running.  This requires root privileges because  of  the  SYN
+       Launches a stealth SYN scan against each machine that is up out of  the
+       255  machines  on  class "C" where target.example.com resides.  It also
+       tries to determine what operating system is running on each  host  that
+       is  up  and  running.  This requires root privileges because of the SYN
        scan and the OS detection.
 
        nmap -sX -p 22,53,110,143,4564 198.116.*.1-127
 
        Sends an Xmas tree scan to the first half of each of the 255 possible 8
-       bit subnets in the 198.116 class "B" address  space.   We  are  testing
-       whether  the  systems  run sshd, DNS, pop3d, imapd, or port 4564.  Note
-       that Xmas scan doesn’t work on Microsoft boxes due to  their  deficient
+       bit  subnets  in  the  198.116 class "B" address space.  We are testing
+       whether the systems run sshd, DNS, pop3d, imapd, or  port  4564.   Note
+       that  Xmas  scan doesn’t work on Microsoft boxes due to their deficient
        TCP stack.  Same goes with CISCO, IRIX, HP/UX, and BSDI boxes.
 
        nmap -v --randomize_hosts -p 80 *.*.2.3-5
 
-       Rather  than  focus on a specific IP range, it is sometimes interesting
-       to slice up the entire Internet and  scan  a  small  sample  from  each
-       slice.   This  command  finds  all  web  servers  on  machines  with IP
-       addresses ending in .2.3, .2.4, or .2.5.  If you are root you might  as
+       Rather than focus on a specific IP range, it is  sometimes  interesting
+       to  slice  up  the  entire  Internet  and scan a small sample from each
+       slice.  This  command  finds  all  web  servers  on  machines  with  IP
+       addresses  ending in .2.3, .2.4, or .2.5.  If you are root you might as
        well add -sS.  Also you will find more interesting machines starting at
-       127. so you might want to use "127-222" instead of the first  asterisks
-       because  that  section  has  a  greater density of interesting machines
+       127.  so you might want to use "127-222" instead of the first asterisks
+       because that section has a  greater  density  of  interesting  machines
        (IMHO).
 
        host -l company.com | cut  -d  -f 4 | ./nmap -v -iL -
 
-       Do a DNS zone transfer to find the hosts in company.com and  then  feed
+       Do  a  DNS zone transfer to find the hosts in company.com and then feed
        the IP addresses to nmap.  The above commands are for my GNU/Linux box.
        You may need different commands/options on other operating systems.
 
 
 

BUGS

-       Bugs?  What bugs?  Send me any that you find.  Patches are nice too  :)
-       Remember  to  also  send  in  new  OS  fingerprints  so we can grow the
+       Bugs?   What bugs?  Send me any that you find.  Patches are nice too :)
+       Remember to also send in  new  OS  fingerprints  so  we  can  grow  the
        database.  Nmap will give you a submission URL when an appropriate fin-
        gerprint is found.
 
@@ -1010,138 +1029,138 @@
 
 

DISTRIBUTION

-       The  newest  version  of  nmap  can  be  obtained from http://www.inse-
+       The newest version  of  nmap  can  be  obtained  from  http://www.inse-
        cure.org/nmap/
 
-       The Nmap Security Scanner is (C) 1996-2004 Insecure.Com  LLC.  Nmap  is
-       also  a registered trademark of Insecure.Com LLC.  This program is free
-       software; you may redistribute and/or modify it under the terms of  the
-       GNU  General  Public  License as published by the Free Software Founda-
+       The  Nmap  Security  Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap is
+       also a registered trademark of Insecure.Com LLC.  This program is  free
+       software;  you may redistribute and/or modify it under the terms of the
+       GNU General Public License as published by the  Free  Software  Founda-
        tion; Version 2.  This guarantees your right to use, modify, and redis-
-       tribute  this  software under certain conditions.  If you wish to embed
-       Nmap technology into proprietary software, we may be  willing  to  sell
+       tribute this software under certain conditions.  If you wish  to  embed
+       Nmap  technology  into  proprietary software, we may be willing to sell
        alternative licenses (contact sales@insecure.com).  Many security scan-
-       ner vendors already license Nmap technology such as our remote OS  fin-
-       gerprinting  database  and  code, service/version detection system, and
+       ner  vendors already license Nmap technology such as our remote OS fin-
+       gerprinting database and code, service/version  detection  system,  and
        port scanning code.
 
        Note that the GPL places important restrictions on "derived works", yet
-       it  does not provide a detailed definition of that term.  To avoid mis-
-       understandings, we consider an application to constitute a  "derivative
+       it does not provide a detailed definition of that term.  To avoid  mis-
+       understandings,  we consider an application to constitute a "derivative
        work" for the purpose of this license if it does any of the following:
 
        o Integrates source code from Nmap
 
-       o  Reads  or includes Nmap copyrighted data files, such as nmap-os-fin-
+       o Reads or includes Nmap copyrighted data files, such  as  nmap-os-fin-
        gerprints or nmap-service-probes.
 
-       o Executes Nmap and parses the results (as opposed to typical shell  or
-       execution-menu  apps,  which  simply display raw Nmap output and so are
+       o  Executes Nmap and parses the results (as opposed to typical shell or
+       execution-menu apps, which simply display raw Nmap output  and  so  are
        not derivative works.)
 
-       o Integrates/includes/aggregates Nmap  into  a  proprietary  executable
+       o  Integrates/includes/aggregates  Nmap  into  a proprietary executable
        installer, such as those produced by InstallShield.
 
        o Links to a library or executes a program that does any of the above
 
        The term "Nmap" should be taken to also include any portions or derived
-       works of Nmap.  This list is not exclusive, but is just meant to  clar-
-       ify  our  interpretation  of  derived  works with some common examples.
+       works  of Nmap.  This list is not exclusive, but is just meant to clar-
+       ify our interpretation of derived  works  with  some  common  examples.
        These restrictions only apply when you actually redistribute Nmap.  For
-       example,  nothing  stops  you  from  writing  and selling a proprietary
-       front-end to Nmap.  Just distribute it by itself, and point  people  to
+       example, nothing stops you  from  writing  and  selling  a  proprietary
+       front-end  to  Nmap.  Just distribute it by itself, and point people to
        http://www.insecure.org/nmap/ to download Nmap.
 
        We don’t consider these to be added restrictions on top of the GPL, but
-       just a clarification of how we interpret "derived works" as it  applies
-       to  our  GPL-licensed  Nmap  product.  This is similar to the way Linus
-       Torvalds has  announced  his  interpretation  of  how  "derived  works"
-       applies  to  Linux  kernel  modules.  Our interpretation refers only to
+       just  a clarification of how we interpret "derived works" as it applies
+       to our GPL-licensed Nmap product.  This is similar  to  the  way  Linus
+       Torvalds  has  announced  his  interpretation  of  how  "derived works"
+       applies to Linux kernel modules.  Our  interpretation  refers  only  to
        Nmap - we don’t speak for any other GPL products.
 
        If you have any questions about the GPL licensing restrictions on using
-       Nmap  in non-GPL works, we would be happy to help.  As mentioned above,
-       we also offer alternative license to integrate  Nmap  into  proprietary
-       applications  and  appliances.   These contracts have been sold to many
-       security vendors, and generally include a perpetual license as well  as
-       providing  for  priority support and updates as well as helping to fund
+       Nmap in non-GPL works, we would be happy to help.  As mentioned  above,
+       we  also  offer  alternative license to integrate Nmap into proprietary
+       applications and appliances.  These contracts have been  sold  to  many
+       security  vendors, and generally include a perpetual license as well as
+       providing for priority support and updates as well as helping  to  fund
        the continued development of Nmap technology.  Please email sales@inse-
        cure.com for further information.
 
-       As  a  special exception to the GPL terms, Insecure.Com LLC grants per-
-       mission to link the code of  this  program  with  any  version  of  the
-       OpenSSL  library which is distributed under a license identical to that
+       As a special exception to the GPL terms, Insecure.Com LLC  grants  per-
+       mission  to  link  the  code  of  this  program with any version of the
+       OpenSSL library which is distributed under a license identical to  that
        listed in the included Copying.OpenSSL file, and distribute linked com-
-       binations  including the two. You must obey the GNU GPL in all respects
-       for all of the code used other than OpenSSL.  If you modify this  file,
-       you  may extend this exception to your version of the file, but you are
+       binations including the two. You must obey the GNU GPL in all  respects
+       for  all of the code used other than OpenSSL.  If you modify this file,
+       you may extend this exception to your version of the file, but you  are
        not obligated to do so.
 
-       If you received these files with a written license  agreement  or  con-
-       tract  stating  terms other than the terms above, then that alternative
+       If  you  received  these files with a written license agreement or con-
+       tract stating terms other than the terms above, then  that  alternative
        license agreement takes precedence over these comments.
 
-       Source is provided to this software because we  believe  users  have  a
+       Source  is  provided  to  this software because we believe users have a
        right to know exactly what a program is going to do before they run it.
-       This also allows you to audit the software  for  security  holes  (none
+       This  also  allows  you  to audit the software for security holes (none
        have been found so far).
 
-       Source  code  also  allows you to port Nmap to new platforms, fix bugs,
-       and add new features.  You are highly encouraged to send  your  changes
+       Source code also allows you to port Nmap to new  platforms,  fix  bugs,
+       and  add  new features.  You are highly encouraged to send your changes
        to fyodor@insecure.org for possible incorporation into the main distri-
-       bution.  By sending these changes to Fyodor  or  one  the  Insecure.Org
-       development  mailing  lists, it is assumed that you are offering Fyodor
-       and Insecure.Com LLC the unlimited, non-exclusive right to reuse,  mod-
-       ify,  and  relicense  the  code.   Nmap  will  always be available Open
-       Source, but this is important because the inability to  relicense  code
-       has  caused devastating problems for other Free Software projects (such
-       as KDE and NASM).  We also occasionally relicense  the  code  to  third
-       parties  as  discussed  above.   If you wish to specify special license
+       bution.   By  sending  these  changes to Fyodor or one the Insecure.Org
+       development mailing lists, it is assumed that you are  offering  Fyodor
+       and  Insecure.Com LLC the unlimited, non-exclusive right to reuse, mod-
+       ify, and relicense the  code.   Nmap  will  always  be  available  Open
+       Source,  but  this is important because the inability to relicense code
+       has caused devastating problems for other Free Software projects  (such
+       as  KDE  and  NASM).   We also occasionally relicense the code to third
+       parties as discussed above.  If you wish  to  specify  special  license
        conditions of your contributions, just say so when you send them.
 
-       This program is distributed in the hope that it  will  be  useful,  but
-       WITHOUT  ANY  WARRANTY;  without  even  the  implied  warranty  of MER-
-       CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU  General
+       This  program  is  distributed  in the hope that it will be useful, but
+       WITHOUT ANY  WARRANTY;  without  even  the  implied  warranty  of  MER-
+       CHANTABILITY  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
        Public License for more details at http://www.gnu.org/copyleft/gpl.html
        , or in the COPYING file included with Nmap.
 
-       It should also be noted that Nmap  has  been  known  to  crash  certain
+       It  should  also  be  noted  that  Nmap has been known to crash certain
        poorly written applications, TCP/IP stacks, and even operating systems.
-       Nmap should never be run against mission critical  systems  unless  you
-       are  prepared  to  suffer  downtime.  We acknowledge here that Nmap may
-       crash your systems or networks and we disclaim all  liability  for  any
+       Nmap  should  never  be run against mission critical systems unless you
+       are prepared to suffer downtime.  We acknowledge  here  that  Nmap  may
+       crash  your  systems  or networks and we disclaim all liability for any
        damage or problems Nmap could cause.
 
        Because of the slight risk of crashes and because a few black hats like
-       to use Nmap for reconnaissance prior to attacking  systems,  there  are
-       administrators  who  become upset and may complain when their system is
-       scanned.  Thus, it is often  advisable  to  request  permission  before
+       to  use  Nmap  for reconnaissance prior to attacking systems, there are
+       administrators who become upset and may complain when their  system  is
+       scanned.   Thus,  it  is  often  advisable to request permission before
        doing even a light scan of a network.
 
-       Nmap  should  never be installed with special privileges (eg suid root)
+       Nmap should never be installed with special privileges (eg  suid  root)
        for security reasons.
 
        This product includes software developed by the Apache Software Founda-
-       tion  (http://www.apache.org/).   The  Libpcap  portable packet capture
-       library is distributed along with nmap.  Libpcap was  originally  copy-
-       righted  by  Van  Jacobson,  Craig Leres and Steven McCanne, all of the
+       tion (http://www.apache.org/).  The  Libpcap  portable  packet  capture
+       library  is  distributed along with nmap.  Libpcap was originally copy-
+       righted by Van Jacobson, Craig Leres and Steven  McCanne,  all  of  the
        Lawrence Berkeley National Laboratory, University of California, Berke-
        ley, CA.  It is now maintained by http://www.tcpdump.org .
 
-       Regular  expression  support  is  provided by the PCRE library package,
-       which is open source software, written by Philip Hazel,  and  copyright
+       Regular expression support is provided by  the  PCRE  library  package,
+       which  is  open source software, written by Philip Hazel, and copyright
        by the University of Cambridge, England.  See http://www.pcre.org/ .
 
-       Nmap  can optionally link to the OpenSSL cryptography toolkit, which is
+       Nmap can optionally link to the OpenSSL cryptography toolkit, which  is
        available from http://www.openssl.org/ .
 
-       US Export Control: Insecure.Com LLC believes that Nmap falls  under  US
-       ECCN  (export  control  classification number) 5D992.  This category is
-       called ’"Information Security" "software"  not  controlled  by  5D002’.
-       The  only  restriction  of  this classification is AT (anti-terrorism),
-       which applies to almost all goods and denies export  to  a  handful  of
-       rogue  nations  such as Iran and North Korea.  Thus exporting Nmap does
-       not require any special license, permit, or other  governmental  autho-
+       US  Export  Control: Insecure.Com LLC believes that Nmap falls under US
+       ECCN (export control classification number) 5D992.   This  category  is
+       called  ’"Information  Security"  "software"  not controlled by 5D002’.
+       The only restriction of this  classification  is  AT  (anti-terrorism),
+       which  applies  to  almost  all goods and denies export to a handful of
+       rogue nations such as Iran and North Korea.  Thus exporting  Nmap  does
+       not  require  any special license, permit, or other governmental autho-
        rization.
 
 
diff --git a/nmap-service-probes b/nmap-service-probes
index 8061ab612..21de636d9 100644
--- a/nmap-service-probes
+++ b/nmap-service-probes
@@ -2119,16 +2119,16 @@ match domain m|^\x80\xf0\x80\x12\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAAAA
 Probe TCP LPDString q|\x01default\n|
 ports 515
 match printer m|^\0$| d/printer/
-match printer m|^default: unknown printer\n$| p/Solaris lpd/ d/printer/ o/Solaris/
+match printer m|^default: unknown printer\n$| p/Solaris lpd/ o/Solaris/
 # Redhat Linux 7.3 LPRng-3.8.9
-match printer m|^\x01no connect permissions\n$| p/LPRng/ d/printer/
+match printer m|^\x01no connect permissions\n$| p/LPRng/
 # Microsoft Windows 2000 serverr LPD
-match printer m|^\x01\x01$| p/Microsoft lpd/ d/printer/
+match printer m|^\x01\x01$| p/Microsoft lpd/
 # Blackbox Terminal Server (IOLAN v4.03.00 a CDi)
 # Chase IOLAN terminal server lpd
 # Bay Networks MicroAnnex XL  Comm. Server R10.0
-match printer m|^\x01$| d/printer/
-match printer m|^[-.\w]+: lpsched: unknown printer\n$| p/SGI IRIX lprsrv/ d/printer/ o/IRIX/
+match printer m|^\x01$|
+match printer m|^[-.\w]+: lpsched: unknown printer\n$| p/SGI IRIX lprsrv/ o/IRIX/
 
 # Ldap bind request, version 2, null DN, AUTH_TYPE simple, null password
 ##############################NEXT PROBE##############################
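Review bot: The `d/printer/` field is dropped from every rewritten match line in the LPDString block, but the first entry of the same block, `match printer m|^\0$| d/printer/`, still carries it. If the intent is that the `printer` service name already conveys the device type for this probe, that line should be changed to `match printer m|^\0$|` as well; if `d/printer/` is meant to stay on that one line, a short `#` comment above it explaining why would keep the next editor from "fixing" it. The probe block continues past the hunk.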
diff --git a/osscan.cc b/osscan.cc
index c161f12da..183cdd03c 100644
--- a/osscan.cc
+++ b/osscan.cc
@@ -1806,7 +1806,7 @@ udp->uh_sum = realcheck;
      readudppacket(packet,1);
    }
 
-   if ((res = send_ip_packet(sd, NULL, packet, ip->ip_len)))
+   if ((res = send_ip_packet(sd, NULL, packet, ntohs(ip->ip_len))) == -1)
    {
      perror("send_ip_packet in send_closedupd_probe");
      return NULL;
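Review bot: The new `== -1` test only catches the error sentinel, so if send_ip_packet returns the number of bytes written (the `res` variable suggests it does, though its definition is not in the hunk) a short send that returns fewer than `ntohs(ip->ip_len)` bytes now passes silently, whereas the old nonzero test rejected it. Consider `if ((res = send_ip_packet(sd, NULL, packet, ntohs(ip->ip_len))) == -1 || res != ntohs(ip->ip_len))`, or, if send_ip_packet never returns a short count, a comment stating that. The `ntohs` also documents an assumption worth writing down at the call: `/* ip->ip_len is in network byte order at this point */`. send_closedupd_probe starts and ends outside the hunk.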
diff --git a/scan_engine.cc b/scan_engine.cc
index 3a2726db1..3386a5349 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -3179,10 +3179,11 @@ void ultra_scan(vector &Targets, struct scan_lists *ports,
 
   if (o.verbose) {
     if (USI->gstats->num_hosts_timedout == 0)
-      log_write(LOG_STDOUT, "The %s took %.2fs to scan %lu total ports.\n",
+      log_write(LOG_STDOUT, "The %s took %.2fs to scan %lu total %s.\n",
 		scantype2str(scantype), 
 		TIMEVAL_MSEC_SUBTRACT(USI->now, USI->SPM->begin) / 1000.0, 
-		(unsigned long) USI->gstats->numprobes * Targets.size());
+		(unsigned long) USI->gstats->numprobes * Targets.size(), 
+		(scantype == ARP_SCAN)? "hosts" : "ports");
     else log_write(LOG_STDOUT, "Finished %s in %.2fs, but %d %s timed out.\n", 
 		   scantype2str(scantype), 
 		   TIMEVAL_MSEC_SUBTRACT(USI->now, USI->SPM->begin) / 1000.0,
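Review bot: The value printed before the new `%s` is still `numprobes * Targets.size()`, which is a host count for ARP_SCAN only if numprobes is exactly one per target; the hunk does not show where numprobes is set, so this should be confirmed and documented rather than left implicit, e.g. `/* ARP scans send one probe per host, so numprobes * hosts is the host count */` above the log_write. A minor style point: the ternary `(scantype == ARP_SCAN)? "hosts" : "ports"` is missing a space before `?`, unlike the surrounding code. ultra_scan starts and ends outside the hunk.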