diff --git a/CHANGELOG b/CHANGELOG index 4edcc7b1e..fd73f51c7 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,6 +2,25 @@ UNRELEASED +o Applied a massive OS fingerprint update from Zhao Lei + (zhaolei(a)gmail.com). About 350 fingerprints were added, and many + more were updated. Notable additions include Mac OS X 10.4 (Tiger), + OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along + with a new "robotic pet" device type category), the latest Linux 2.6 + kernels Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64 + UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO + 3.8.X, and Solaris 10. Of course there are also tons of new + broadband routers, printers, WAPs and pretty much any other device + you can coax an ethernet cable (or wireless card) into! + +o Added the ability for Nmap to send and properly route raw ethernet + packets cointaining IP datagrams rather than always sending the + packets via raw sockets. This is particularly useful for Windows, + since Microsoft has disabled raw socket support in XP for no good + reason. Nmap tries to choose the best method at runtime based on + platform, though you can override it with the new --send-eth and + --send-ip options. + o Added ARP ping (-PR). Nmap can now send raw ethernet ARP requests to determine whether hosts on a LAN are up, rather than relying on higher-level IP packets (which can only be sent after a successful ARP diff --git a/Makefile.in b/Makefile.in index dbf3bae84..d94ad8e77 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -export NMAP_VERSION = 3.83.SOC1 +export NMAP_VERSION = 3.83.SOC2 NMAP_NAME= nmap NMAP_URL= http://www.insecure.org/nmap/ NMAP_PLATFORM=@host@ diff --git a/docs/nmap.1 b/docs/nmap.1 index 85c2c43a7..856296fce 100644 --- a/docs/nmap.1 +++ b/docs/nmap.1 
@@ -491,6 +491,19 @@ record) or as a literal IP address such as and TCP connect() Ping scan are supported. If you need UDP or other scan types, have a look at http://nmap6.sourceforge.net/ . .TP +.B \--send-eth +Asks Nmap to send packets at the raw ethernet (data link) layer rather +than the higher IP (network) layer. By default, Nmap chooses the one +which is generally best for the platform it is running on. Raw +sockets (IP layer) are generally most efficient for UNIX machines, +while ethernet frames work best on the many Windows versions where +Microsoft has disabled raw sockets support. Nmap still uses raw IP +packets when there is no other choice (such as non-ethernet +connections). +.B --send-ip +Asks Nmap to send packets via raw IP sockets rather than sending lower +level ethernet frames. It is the complement to the --send-eth +option.discussed previously. .B \-f This option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header diff --git a/nmap-os-fingerprints b/nmap-os-fingerprints index 39fc87f68..8310039d5 100644 --- a/nmap-os-fingerprints +++ b/nmap-os-fingerprints @@ -1204,6 +1204,18 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(Resp=N) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E) +Fingerprint Apple Mac OS X 10.3.3 (Panther) +Class Apple | Mac OS X | 10.3.X | general purpose +TSeq(Class=TR%gcd=<6%IPID=I%TS=2HZ) +T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) +T2(Resp=N) +T3(Resp=N) +T4(DF=Y%W=0%ACK=O%Flags=R%Ops=) +T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=) +T6(DF=Y%W=0%ACK=O%Flags=R%Ops=) +T7(DF=Y%W=0%ACK=S%Flags=AR%Ops=) +PU(DF=Y%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E) + # Apple Mac OS 10.3.5 (Darwin Kernel Version 7.5.0) # Mac OS 10.3.7 Server, Darwain, PPC. Kernel version 7.70. All relevant updates as of 2/2/05 Fingerprint Apple Mac OS X 10.3.5 or 10.3.7 
@@ -1218,18 +1230,6 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(DF=N%W=0%ACK=S%Flags=AR%Ops=) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E) -Fingerprint Apple Mac OS X 10.3.3 (Panther) -Class Apple | Mac OS X | 10.3.X | general purpose -TSeq(Class=TR%gcd=<6%IPID=I%TS=2HZ) -T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) -T2(Resp=N) -T3(Resp=N) -T4(DF=Y%W=0%ACK=O%Flags=R%Ops=) -T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=) -T6(DF=Y%W=0%ACK=O%Flags=R%Ops=) -T7(DF=Y%W=0%ACK=S%Flags=AR%Ops=) -PU(DF=Y%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E) - # Darwin 7.7.0 Power Macintosh powerpc, OS X, version 10.3.7 # Apple Mac OS X 10.3.6 (7R28) - (Darwin 7.6.0) Fingerprint Apple Mac OS X 10.3.6 or 10.3.7 @@ -6103,6 +6103,19 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(DF=N%W=0%ACK=S%Flags=AR%Ops=) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) +# Digital OpenVMS Alpha 7.2 +Fingerprint DEC OpenVMS 7.2 Alpha +Class DEC | OpenVMS | 7.X | general purpose +TSeq(Class=64K%IPID=I%TS=U) +T1(DF=N%W=C6C%ACK=S++%Flags=AS%Ops=MNW) +T2(Resp=N) +T3(Resp=Y%DF=N%W=C6C%ACK=O%Flags=A%Ops=) +T4(DF=N%W=BB8%ACK=O%Flags=R%Ops=) +T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +T6(DF=N%W=0%ACK=O%Flags=R%Ops=) +T7(DF=N%W=0%ACK=S%Flags=AR%Ops=) +PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E) + # The OS was running on a GS1280 Alpha server Fingerprint DEC OpenVMS 7.3 Class DEC | OpenVMS | 7.X | general purpose 
@@ -6261,19 +6274,6 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(DF=N%W=0%ACK=S%Flags=AR%Ops=) PU(DF=Y%TOS=0%IPLEN=38%RIPTL=148%RID=F%RIPCK=0%UCK=0%ULEN=134%DAT=E) -# Digital OpenVMS Alpha 7.2 -Fingerprint DEC OpenVMS 7.2 Alpha -Class DEC | OpenVMS | 7.X | general purpose -TSeq(Class=64K%IPID=I%TS=U) -T1(DF=N%W=C6C%ACK=S++%Flags=AS%Ops=MNW) -T2(Resp=N) -T3(Resp=Y%DF=N%W=C6C%ACK=O%Flags=A%Ops=) -T4(DF=N%W=BB8%ACK=O%Flags=R%Ops=) -T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -T6(DF=N%W=0%ACK=O%Flags=R%Ops=) -T7(DF=N%W=0%ACK=S%Flags=AR%Ops=) -PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=0%ULEN=134%DAT=E) - Fingerprint DEC TOPS-20 Monitor 7(102540)-1,TD-1 Class DEC | TOPS-20 || general purpose TSeq(Class=TD%gcd=30000|60000|90000%SI=D%IPID=RPI%TS=U) +T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=M) +T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) +T3(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=M) +T4(DF=N%W=0%ACK=O%Flags=R%Ops=) +T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +T6(DF=N%W=0%ACK=O%Flags=R%Ops=) +T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) + Fingerprint Microsoft Windows 98 SP1 Class Microsoft | Windows | 95/98/ME | general purpose TSeq(Class=TD%gcd=<5%SI=<20) 
@@ -14000,6 +14013,20 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) +# Windows 98SE + unoffical service pack 1.6.1 (includes all cumulative patches and hotfixes) +# (http://exuberant.ms11.net/98sesp.html) +Fingerprint Microsoft Windows 98SE +Class Microsoft | Windows | 95/98/ME | general purpose +TSeq(Class=TD%gcd=D%IPID=RPI%TS=U) -T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=M) -T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) -T3(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=M) -T4(DF=N%W=0%ACK=O%Flags=R%Ops=) -T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -T6(DF=N%W=0%ACK=O%Flags=R%Ops=) -T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) - -# Windows 98SE + unoffical service pack 1.6.1 (includes all cumulative patches and hotfixes) -# (http://exuberant.ms11.net/98sesp.html) -Fingerprint Microsoft Windows 98SE -Class Microsoft | Windows | 95/98/ME | general purpose -TSeq(Class=TD%gcd=472) @@ -14471,6 +14471,19 @@ T6(DF=N%W=1000|800%ACK=S%Flags=AR%Ops=WNMETL) T7(DF=N%W=C00|800%ACK=S++%Flags=AR%Ops=WNMETL) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E|F%RIPCK=E%UCK=E%ULEN=134%DAT=E) +# Windows 2000 server SP4 with all current patches april 9th 2005 +Fingerprint Microsoft Windows 2000 server SP4 +Class Microsoft | Windows | NT/2K/XP | general purpose +TSeq(Class=RI%gcd=<6%SI=<1C3B8&>157%IPID=I) +T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) +T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) +T3(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) +T4(DF=N%W=0%ACK=S%Flags=R%Ops=) +T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +T6(DF=N%W=0%ACK=S%Flags=R%Ops=) +T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) + # Windows 2003 Standard build 3790 # Microsoft Windows 2003/.NET Standard Edition # Windows 2000 Server with SP4 fully patched as of 10/8/04 
@@ -14809,6 +14822,45 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) +# Fingerprint Windows 2000 build 5.00.2195 SP4 +Fingerprint Microsoft Windows 2000 SP4 +Class Microsoft | Windows | NT/2K/XP | general purpose +TSeq(Class=RI%gcd=<8%SI=<78816&>95%IPID=I) +T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) +T2(Resp=N) +T3(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) +T4(DF=N%W=0%ACK=O%Flags=R%Ops=) +T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=) +T6(Resp=N) +T7(Resp=N) +PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) + +# Windows 2000 Version 5.0 Build 2195 SP 4 X86 +Fingerprint Microsoft Windows 2000 SP4 +Class Microsoft | Windows | NT/2K/XP | general purpose +TSeq(Class=TR%gcd=<6%IPID=I) +T1(DF=Y%W=4204|FFAF%ACK=S++%Flags=AS%Ops=MNWNNT) +T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) +T3(Resp=Y%DF=Y%W=4204|FFAF%ACK=S++%Flags=AS%Ops=MNWNNT) +T4(DF=N%W=0%ACK=O%Flags=R%Ops=) +T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +T6(DF=N%W=0%ACK=O%Flags=R%Ops=) +T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) + +# Windows Version 5.0 build 2195 SP 4 +Fingerprint Microsoft Windows 2000 SP4 +Class Microsoft | Windows | NT/2K/XP | general purpose +TSeq(Class=TR%gcd=<6%IPID=I) +T1(DF=Y%W=7FFF|832C|FA00%ACK=S++%Flags=AS%Ops=MNWNNT) +T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) +T3(Resp=Y%DF=Y%W=7FFF|832C|FA00%ACK=S++|O%Flags=AS|A%Ops=MNWNNT|NNT) +T4(DF=N%W=0%ACK=O%Flags=R%Ops=) +T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +T6(DF=N%W=0%ACK=O%Flags=R%Ops=) +T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) + # Microsoft Windows 2000 SP4 and latest Windows Update patches as of Sept 26, 2003 running BlackICE # Microsoft Windows XP Pro with SP1 and latest Windows Update patches as of September 01, 2003 Fingerprint Microsoft Windows 2000 SP4 or Windows XP SP1 
@@ -14962,6 +15014,20 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) +# Windows NT 4.0 Service pack 6 w/exchange 5.5 +# Microsoft Windows NT 4.0 service pack 6 (English) +Fingerprint Microsoft Windows NT 4.0 SP6 +Class Microsoft | Windows | NT/2K/XP | general purpose +TSeq(Class=RI%gcd=<8%SI=<1F9C8&>FA%IPID=BI|RPI|RD%TS=U) +T1(DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M) +T2(Resp=N) +T3(Resp=N) +T4(DF=N%W=0%ACK=O%Flags=R%Ops=) +T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +T6(DF=N%W=0%ACK=O%Flags=R%Ops=) +T7(Resp=N) +PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) + # Microsoft Windows NT4.0 Workstation SP6a # Windows NT4.0 with Service Pack 6 # Microsoft Windows NT4.0 Terminal Server Edition with Service Pack 6 and Citrix MetaFrame 1.8 with Service Pack 4 
@@ -15245,6 +15311,32 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(Resp=N) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) +# Windows XP Professionnel (5.1) Service Pack 2 +Fingerprint Microsoft Windows XP Pro SP 2 +Class Microsoft | Windows | NT/2K/XP | general purpose +TSeq(Class=TR%gcd=<6%IPID=I) +T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) +T2(Resp=Y%DF=N%W=C00|800|400%ACK=S%Flags=AR%Ops=WNMETL) +T3(Resp=Y%DF=N%W=C00|800|400%ACK=S++%Flags=AR%Ops=WNMETL) +T4(DF=N%W=400|1000%ACK=S%Flags=AR%Ops=WNMETL) +T5(DF=N%W=C00%ACK=S++%Flags=AR%Ops=WNMETL) +T6(DF=N%W=800|400%ACK=S%Flags=AR%Ops=WNMETL) +T7(DF=N%W=400|800%ACK=S++%Flags=AR%Ops=WNMETL) +PU(Resp=N) + +# Microaodr Windows XP Professional with SP! and latest Windows Update patches as of June 1, 2005 +Fingerprint Microsoft Windows XP Pro SP1 +Class Microsoft | Windows | NT/2K/XP | general purpose +TSeq(Class=TR%gcd=<6%IPID=I%TS=U) +T1(DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNW) +T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) +T3(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNW) +T4(DF=N%W=0%ACK=O%Flags=R%Ops=) +T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +T6(DF=N%W=0%ACK=O%Flags=R%Ops=) +T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) + # bsed on msg 2236, 1304 # Microsoft R Windows Version 5.1 (Build 2600.xpsp2.040919-1003 : Service Pack 1) # MS Windows XP version 5.1 (no. 2600 xpsp2.040919-1003: Service Pack 1) 
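Review bot: The comment `# Microaodr Windows XP Professional with SP! and latest Windows Update patches as of June 1, 2005` above the second new entry is garbled; given the `Fingerprint Microsoft Windows XP Pro SP1` line that follows it, it presumably should read `# Microsoft Windows XP Professional with SP1 and latest Windows Update patches as of June 1, 2005`. The two new Fingerprint names also differ in form (`Microsoft Windows XP Pro SP 2` versus `Microsoft Windows XP Pro SP1`); writing `SP2` would match the `SP1`/`SP4` naming used by the neighbouring entries. The first new entry answers T2 through T7 with `Flags=AR%Ops=WNMETL` and has `PU(Resp=N)`, which looks more like the host-firewall submissions this file annotates elsewhere (for example the `running BlackICE` comment in the context of the -14809 hunk) than a bare XP SP2 stack, so if the submitting host ran a firewall the comment should record it so the entry is not taken as a baseline for the platform.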
@@ -15805,98 +15897,6 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(Resp=N) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) -# Windows 2000 Advanced Server Version 5.0 (Build 2195: Service Pack 4) -Fingerprint Microsoft Windows 2000 AS SP4 -Class Microsoft | Windows | NT/2K/XP | general purpose -TSeq(Class=TR%gcd=<6%IPID=I) -T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT) -T2(Resp=Y%DF=N%W=800|400%ACK=S%Flags=AR%Ops=WNMETL) -T3(Resp=Y%DF=N%W=C00|800%ACK=S++%Flags=AR%Ops=WNMETL) -T4(DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL) -T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -T6(DF=N%W=400|800|C00%ACK=S%Flags=AR%Ops=WNMETL) -T7(DF=N%W=1000|C00%ACK=S++%Flags=AR%Ops=WNMETL) -PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E) - -# Windows 2000 server SP4 with all current patches april 9th 2005 -Fingerprint Microsoft Windows 2000 server SP4 -Class Microsoft | Windows | NT/2K/XP | general purpose -TSeq(Class=RI%gcd=<6%SI=<1C3B8&>157%IPID=I) -T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) -T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) -T3(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) -T4(DF=N%W=0%ACK=S%Flags=R%Ops=) -T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -T6(DF=N%W=0%ACK=S%Flags=R%Ops=) -T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) - -# Fingerprint Windows 2000 build 5.00.2195 SP4 -Fingerprint Microsoft Windows 2000 SP4 -Class Microsoft | Windows | NT/2K/XP | general purpose -TSeq(Class=RI%gcd=<8%SI=<78816&>95%IPID=I) -T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) -T2(Resp=N) -T3(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) -T4(DF=N%W=0%ACK=O%Flags=R%Ops=) -T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=) -T6(Resp=N) -T7(Resp=N) -PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) - -# Windows 2000 Version 5.0 Build 2195 SP 4 X86 -Fingerprint Microsoft Windows 2000 SP4 -Class Microsoft | Windows | NT/2K/XP | general purpose -TSeq(Class=TR%gcd=<6%IPID=I) -T1(DF=Y%W=4204|FFAF%ACK=S++%Flags=AS%Ops=MNWNNT) 
-T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) -T3(Resp=Y%DF=Y%W=4204|FFAF%ACK=S++%Flags=AS%Ops=MNWNNT) -T4(DF=N%W=0%ACK=O%Flags=R%Ops=) -T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -T6(DF=N%W=0%ACK=O%Flags=R%Ops=) -T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) - -# Windows Version 5.0 build 2195 SP 4 -Fingerprint Microsoft Windows 2000 SP4 -Class Microsoft | Windows | NT/2K/XP | general purpose -TSeq(Class=TR%gcd=<6%IPID=I) -T1(DF=Y%W=7FFF|832C|FA00%ACK=S++%Flags=AS%Ops=MNWNNT) -T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) -T3(Resp=Y%DF=Y%W=7FFF|832C|FA00%ACK=S++|O%Flags=AS|A%Ops=MNWNNT|NNT) -T4(DF=N%W=0%ACK=O%Flags=R%Ops=) -T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -T6(DF=N%W=0%ACK=O%Flags=R%Ops=) -T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) - -# Windows NT 4.0 Service pack 6 w/exchange 5.5 -# Microsoft Windows NT 4.0 service pack 6 (English) -Fingerprint Microsoft Windows NT 4.0 SP6 -Class Microsoft | Windows | NT/2K/XP | general purpose -TSeq(Class=RI%gcd=<8%SI=<1F9C8&>FA%IPID=BI|RPI|RD%TS=U) -T1(DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M) -T2(Resp=N) -T3(Resp=N) -T4(DF=N%W=0%ACK=O%Flags=R%Ops=) -T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -T6(DF=N%W=0%ACK=O%Flags=R%Ops=) -T7(Resp=N) -PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) - -# Windows XP Professionnel (5.1) Service Pack 2 -Fingerprint Microsoft Windows XP Pro SP 2 -Class Microsoft | Windows | NT/2K/XP | general purpose -TSeq(Class=TR%gcd=<6%IPID=I) -T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) -T2(Resp=Y%DF=N%W=C00|800|400%ACK=S%Flags=AR%Ops=WNMETL) -T3(Resp=Y%DF=N%W=C00|800|400%ACK=S++%Flags=AR%Ops=WNMETL) -T4(DF=N%W=400|1000%ACK=S%Flags=AR%Ops=WNMETL) -T5(DF=N%W=C00%ACK=S++%Flags=AR%Ops=WNMETL) -T6(DF=N%W=800|400%ACK=S%Flags=AR%Ops=WNMETL) -T7(DF=N%W=400|800%ACK=S++%Flags=AR%Ops=WNMETL) -PU(Resp=N) - # HP Jornada running Windows CE 2.11 (Handheld/PC Pro 3.0) running on StrongARM 1100 Fingerprint HP 
Jornada running Microsoft Windows CE 2.11 (Handheld/PC Pro 3.0 PDA) Class Microsoft | Windows | PocketPC/CE | PDA diff --git a/portlist.cc b/portlist.cc index d27abf108..98ecdea95 100644 --- a/portlist.cc +++ b/portlist.cc @@ -623,7 +623,7 @@ if (afterthisport) { printf("Next Port After %d, %d\n", afterthisport->portno, iter->second->portno); fflush(0); */ - if (!allow_portzero && iter->second->portno == 0) iter++; + if (!allow_portzero && iter->second && iter->second->portno == 0) iter++; /* First we look for TCP ports ... */ diff --git a/scan_engine.cc b/scan_engine.cc index b20dfedbe..18f67d3aa 100644 --- a/scan_engine.cc +++ b/scan_engine.cc @@ -1281,7 +1281,7 @@ static int get_next_target_probe(UltraScanInfo *USI, HostScanStats *hss, return -1; pspec->type = probespec::PS_UDP; - pspec->portno = USI->ports->tcp_ports[hss->next_portidx++]; + pspec->portno = USI->ports->udp_ports[hss->next_portidx++]; return 0; } else if (USI->prot_scan) { diff --git a/tcpip.cc b/tcpip.cc index 675d0dce5..73b61f15a 100644 --- a/tcpip.cc +++ b/tcpip.cc @@ -958,7 +958,8 @@ int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int packetl * Minimal MTU for IPv4 is 68 and maximal IPv4 header size is 60 * which gives us a right to cut TCP header after 8th byte * (shouldn't we inflate the header to 60 bytes too?) */ -int send_frag_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int packetlen, unsigned int mtu) +int send_frag_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, + unsigned int packetlen, unsigned int mtu) { struct ip *ip = (struct ip *) packet; int headerlen = ip->ip_hl * 4; // better than sizeof(struct ip)
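Review bot: The new `iter->second` test in portlist.cc only stops the port-zero comparison from dereferencing a NULL map value; when the value is NULL the whole condition is false, `iter` is not advanced, and the code after the hunk presumably goes on to use `iter->second` as a real port entry, so the NULL dereference is moved rather than removed. If a NULL value is a legitimate state of the map it should be skipped the same way port zero is, e.g. `if (!iter->second || (!allow_portzero && iter->second->portno == 0)) iter++;`; if it is not legitimate, an assertion would make the broken invariant visible instead of silently passing the entry through. Whether the advanced `iter` can reach the end of the container before it is dereferenced is also not visible here; the enclosing function begins and ends outside the hunk.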
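Review bot: The scan_engine.cc fix now reads `USI->ports->udp_ports[hss->next_portidx++]`, but the bounds check that guards this read, of which only the `return -1;` is visible at the top of the hunk, needs the same correction: if it still compares `hss->next_portidx` against the TCP port count, a UDP scan configured with fewer UDP than TCP ports would index past the end of `udp_ports`. Please confirm that the guard compares against the UDP port count, and consider a comment on the guard naming which list it bounds, since the two arrays were evidently easy to confuse. `get_next_target_probe` begins before and continues after this hunk.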