# Nmap Changelog ($Id: CHANGELOG,v 1.93 2002/02/15 07:03:03 fyodor Exp $)

Nmap 2.54BETA31

o Added ICMP Timestamp and Netmask ping types (-PP and -PM).  These
  (especially timestamp) can be useful against some hosts that do not
  respond to normal ping (-PI) packets.

o Documented the --data_length option and made it work with all the
  ICMP ping types (echo request, netmask, and timestamp).

o Added check for strings.h before including it in portlist.c .  This
  fixes a compilation problem on some versions of Windows.  Problem
  first noted by "Michael Vorin" <mvorin@hotmail.com>

o Applied patch from Andy Lutomirski (Luto@myrealbox.com) which fixes
  a crash on some Windows platforms when timeouts occur.

o Fixed "grepable output" (-oG) so that it prints IPID sequence class
  rather than printing the TCP ISN sequence index twice.  Problem
  noted by Russell Fulton (r.fulton@auckland.ac.nz)

o Added mysterious, undocumented --scanflags option.

o Applied patch from Andy Lutomirski (Luto@myrealbox.com) which fixes
  some important Windows bugs.  Apparently this can cause a dramatic
  speedup in some circumstances.  The patch had other misc. changes
  too.

o Fix bug noted by Chris V (iselldrugstokidsonline@yahoo.com) in which
  Nmap could segmentation fault with the (bogus) command: './nmap -sO
  -p 1-65535 hostname' (protocol only can go up to 255).  That being
  said, Nmap should never segfault just because of bogus options.

o Fixed problem noted by Maximiliano (emax25@arnet.com.ar) where Nmap
  would get stuck in a (nearly) infinate loop when you try to "resume"
  an random host (-iR) scan.

o Included a number of fingerprint updates, but I still have many more
  web submissions to go through.  Also made some nmap-services
  portlist updates.

o Included a bunch of fixes (mostly to prevent compiler warnings) from
  William McVey (wam@cisco.com)

Nmap 2.54BETA30

o Added a Document Type Definition (DTD) for the Nmap XML output
   format (-oX) to the docs directory.  This allows validating parsers
   to check nmap XML output files for correctness.  It is also useful
   for application programmers to understand the XML output structure.
   The DTD was written by William McVey (wam@cisco.com) of Cisco Secure 
   Consulting Services ( http://www.cisco.com/go/securityconsulting ).

o Merged in a number of Windows fixes/updates from Andy Lutomirski
  (Luto@myrealbox.com)

o Merged in fixes/updates (mostly to the Windows functionality) from
  Matt Hargett (matt@use.net)

o Applied patch by Colin Phipps (cph@netcraft.com) which correctly
  encodes special characters in the XML output.

o Applied patch by William McVey (wam@cisco.com) which adds the uptime
  information printed with -O to the XML output format.

o Fixed byte-order bug in Windows packet matching code which caused
  -PS and -PT to fail.  Bug found and patch sent by Tim Adam
  (tma@osa.com.au)

o Fixed segfault problem with "-sU -F".  Nobody reported this until I
  noticed it :(.  Anytime you see "Segmentation Fault" in the latest
  version of Nmap, it is probably a bug -- please mail me the command
  you used, the OS/platform you are running on, and whether it is
  reproducable.

o Added a convenience option "-oA (basefilename)".  This tells Nmap to
  log in ALL the major formats (normal, grepable, and XML).  You give
  a base for the filename, and the output files will be base.nmap,
  base.gnmap, and base.xml.

o Documented the --append_output option which tells Nmap to append
  scan results to any output files you have specified rather than
  overwriting the files.

o Integrate TIMEVAL_SEC_SUBTRACT() fix by Scott Renfro (scott@renfro.org)
  which improves timing accuracy.

** 2.54BETA29

o Integrated William McVey's multi-portlist patch.  This allows you to
  specify different port numbers when scanning both TCP & UDP.  For
  example, if you want to UDP for 53,111 and 137 while TCP scanning
  for 21-25,80,139,515,6000,8080 you could do: nmap -sSU -p
  U:53,111,137,T:21-25,80,139,515,6000,8080 target.com .  Prior to
  this patch, you had to either use different Nmap executions or scan
  both UDP & TCP of each port.  See the man page for more usage info.

o Added/updated a bunch of fingerprints, including Windows XP release
  candidates #1 & #2, OpenBSD 2.9, various home gateways/cable modem,
  MacOS X 10.0.4, Linux 2.4.7, Guantlet Firewall 4.0a, a few Cisco
  routers, and, most importantly, the Alcatel Advanced Reflexes IP
  Phone :).  Many other fingerprints were updated as well.

o Found and fixed some relatively major memory leaks based on reports
  sent in by H D Moore (hdm@secureaustin.com), mugz
  (mugz@x-mafia.org), and Steven Van Acker (deepstar@ulyssis.org)

o Applied patch from Chad Loder (chad_loder@rapid7.com) which improves
  random target host selection (-iR) by excluding more undesirable
  addresses.

o Fixed portscan timing bug found by H D Moore (hdm@secureaustin.com).
  This bug can occur when you specify a --max_rtt_timeout but not
  --initial_rtt_timeout and then scan certain firewalled hosts.

o Fixed port number printing bug found by "Stephen Leavitt"
  <stephen_j_leavitt@hotmail.com>

o The Nmap source tarball now extracts with more lenient permissions
  (sometimes world-readable or world-executable, but never
  world-writable).  If you don't want this, set your umask to 077
  (which is what I do).  Suggested by Line Printer (lps@rahul.net)

** 2.54BETA28

o I hope that I have fixed the Libpcap "Unknown datalink type" problem that
  many people reported.  If you still receive this error, please send
  me the following info:
  1) Full output of Nmap including the command you typed
  2) What OS/OS version you are using
  3) What type of interface is the scan going through (PPP, ISDN, ethernet,
     PPPoE, etc)
  4) Whether you compiled from source or used the RPM version

o Hopefully fixed Libpcap lex/yacc generated file problem that
  plagued a few folks.

o Various minor fixes/changes/updates

** 2.54BETA27

o Fixed bug that caused "adding open port" messages to be printed even
  when verbose mode was not specified. (patch sent by Doug Hoyte (
  dugely@yahoo.com ).

o Fixed bug in zombie:port option parsing in Idlescan as well a few
  other bugs in patch sent by Germano Caronni (gec@acm.org)

o Fixed Windows compilation (I broke it when I added Idlescan).

o Fixed a (Win32 only) port identification bug which would cause some
  ports to be listed as "unknown" even when Nmap should know their
  name.  This was found at patched by David Griffiths
  (davidg@intrinsica.co.uk).

o Fixed more nmap-os-fingerprints syntax/grammar violations found by
  Raymond Mercier of VIGILANTe

o Fixed a memory leak in Nbase str*casecmp() functions by applying
  patch sent by Matt (matt@use.net).  I plan to kill this whole
  strcasecmp.c file as soon as possible (it is a mess).

** 2.54BETA26

o Added Idlescan (IPID blind scan).  The usage syntax is 
  "-sI <zombie>".

o Fixed a bunch of fingerprints that were corrupt due to violations of
  the fingerprint syntax/grammar (problems were found by Raymond
  Mercier of VIGILANTe )

o Fixed command-line option parsing bug found 
  by "m r rao" (mrrao@del3.vsnl.net.in )

o Fixed an OS fingerprinting bug that caused many extra packets to be
  sent if you request a lot of decoys.

o Added some debug code to help diagnose the "Unknown datalink type"
  error.  If Nmap is giving you this error, please send the following
  info to fyodor@insecure.org : 1) The full output from Nmap
  (including the command arguments) 2) What OS and OS version are you
  using 3) What type of adaptor are you using (modem, ethernet, FDDI,
  etc)

o Added a bunch of IDS sensor/console/agent port numbers from
  Patrick Mueller (pmueller@neohapsis.com)

** 2.54BETA25

o Added a whole bunch of new OS fingerprints (and adjustments) ranging
  from big important ones (Linux 2.4.X, OpenBSD 2.9, FreeBSD 4.3,
  Cisco 12.2.1, MacOS X, etc) to some that are more obscure ( such as
  Apple Color LaserWriter 12/660 PS and VirtualAccess LinxpeedPro 120 )

o Upgraded Libpcap to the latest version (0.6.2) from tcpdump.org.  I
  modified the build system slightly by shipping pre-generated
  scanner.c/grammer.c (instead of using lex/yacc) and I also upgraded
  to the newest config.sub/config.guess .

o Fixed some issues with the new Libpcap under Linux (patches will be
  sent to the developers).

o Added "All zeros" IP.ID sequence classification to account for the
  new Linux 2.4 scheme which seems to use 0 whenever the DF bit is set
  (probably a good idea).

o Tweaked TCP Timestamp and IP.ID sequence classification algorithms

** 2.54BETA24

o Fixed compilation problems on MacOS X publis release.  Thanks to
  Nicolas Dawson (nizcolas@myrealbox.com) for securing an account for
  me.

o On the suggestion of the ever-helpful LaMont Jones (lamont@hp.com),
  I obtained the newest config.guess/config.sub from
  http://subversions.gnu.org/cgi-bin/cvsweb/config and made
  libpcap/nbase use symlinks rather than copeis of the file

o Applied patch from LaMont Jones (lamont@hp.com) which makes Nmap
  compatable with gcc 3.0 (apparently printf() is a macro in that
  version)

o Applied patch from Colin Phipps (cph@netcraft.com) which fixes a
  problem that kept UDP RPC scanning from working unless you were also
  doing a TCP scan.

o Applied a patch from Chris Eagle (cseagle@redshift.com) which fixes
  Windows compilation (I broke it with a recent change).

o Updated Lithuanian translation of man page based on a newer version sent 
  by Aurimas Mikalauskas (inner@crazy.lt)

o Killed carriage returns in nmap.c and nmapfe.c, which caused
  problems for some (SGI) compilers.  Problem noted by Artur
  Niederstebruch (artur@sgi.com)

o Updated to latest version of rpc program number list, maintained by
  Eilon Gishri (eilon@aristo.tau.ac.il)

o Fixed a quoting bug in the Nmap man page found by 
  Rasmus Andersson <rasmus@pole-position.org>

o Applied RPM spec file changes from "Benjamin Reed"
  (ranger@befunk.com) which allows you to avoid building the frontend
  by adding "--define frontend 0" to the build command (eg --rebuild,
  --ba, etc).

** 2.54BETA22

-- Eliminated usage of u_int32_t (was causing compilation errors on
   some Sun and HP boxes).  Problem first noted by Nick Munger
   (nmunger@Oswego.EDU) and Ralf Hildebrandt
   (Ralf.Hildebrandt@innominate.com) and Antonin Sprinzl
   (Antonin.Sprinzl@tuwien.ac.at)

-- Defined integer-width typedefs such as u32/s32/u16/etc. in Nbase.
   Went through much of the Nmap code and substituted these in where
   correct lengths are important (port numbers, IP addresses, etc).

** 2.54BETA21

-- Cleaned up a few build/distribution issues that were reported 
   by LaMont Jones (lamont@hp.com) 

-- Fixed compiler warning noted by Gabor Z. Papp (gzp@papp.hu) )

** 2.54BETA20 

-- Added TCP Timestamp sequence checking for OS detection and
   Netcraft-style uptime tests.

-- Found and fixed (I hope) byte alignment problem which was causing
   bus errors on SPARC64 ( reported by H D Moore (hdm@secureaustin.com)
   and Matthew Franz (mfranz@cisco.com) )

-- Apple Darwin (Mac OS X) 1.2 portability patch from 
   Rob Braun <bbraun@synack.net>

-- Added IPID sequence number predictability report (also now used in
   OS detection).

-- Show actual IPID, TCP ISN, and TCP timestamp values in XML format
   output rather than just the cooked results.

-- Suppress IPID and TCP ISN predictability report unless you use -v
   (you need -O as well).

-- Applied Solaris 8 compilation fixes from Germano Caronni 
   ( gec@acm.org )

-- Applied configure.in variable name typo fixes from Christian
   Weisgerber (naddy@openbsd.org)

-- Applied some more changes from Andy Lutomirski (Luto@mailandnews.com)
   which provides better detection and reporting from some heinous errors.

-- Added -n and -R (always/never DNS resolve) options to the man page.

** 2.54BETA19

-- I ported NmapFE to Windows so that Win32 users can use the
   graphical interface.  It generally works, although I haven't tested
   much.  Patches welcome!

-- Various little fixes and cleanups, especially to the Windows port.

-- Applied patch from Andy Lutomirski (Luto@mailandnews.com) which
   enhances some of the Win* error messages and adds the --win_trace
   debugging option.

-- Applied some patches from Jay Freeman (saurik@saurik.com)
   -- New --data_length option adds indicated number of random data
   bytes to send with scan packet and tcp ping packet (does not
   currently work with ICMP ping packet).  Does not affect OS
   detection, RPC, or connect() scan packets.
   -- Windows portability fixes
   -- Various other little fixes.

-- Renamed rpc.h and error.h because they conflict with Windows
   include files.  By the way, this was a pain to figure out because
   VC++ is such a crappy compiler!  It basically just says problem in
   "foobar.h" without giving you any idea how foobar.h got included!
   gcc gives you a nice message tracing the chain of include files!

** 2.54BETA16

-- Upgraded to latest version of Winpcap ( 2.1-beta )

-- Merged in Windows port code from Ryan Permeh ( ryan@eeye.com) and
   Andy Lutomirski ( Luto@mailandnews.com ).

-- Took out C++ compiler test from nbase configure script.  It was
   inserted accidently, but I found it interesting that only 2 people
   complained about this causing them problems.  I guess most everyone
   already has C++ compilers.

-- Applied patch from Steve Bleazard (steve@bleazard.com) which fixed
   bug in internal Smoothed Round Trim Time calculations.

-- Fixed CFLAGS computation error in configure.  Problem discovered
   and patched by Fredrik Lundholm (exce7@ce.chalmers.se)

-- Added more debugging code for "Unknown datalink type" error -- if
   you get this, please send me the full error msg including hex values.

-- Added Portuguese man page translations from Antonio Pires de Castro
   Junior (apcastro@ic.unicamp.br).

-- Capitalized all references to God in error messages.

** Version 2.54BETA7

-- Applied patch from Hubert Feyrer
   (hubert.feyrer@informatik.fh-regensburg.de) which adds support for
   the new NetBSD DLT_PPP_* types.

-- Updated to Eilon Gishri's (eilon@aristo.tau.ac.il) newest version
   of nmap-rpc at ftp://ftp.tau.ac.il/pub/users/eilon/rpc/rpc

-- Moved a bunch of the scanning engine related functions to new files
   (scan_engine.c and scan_engine.h ).  Timing functions were moved to
   the new timing.c/timing.h .  Other stuff was shifted to
   tcpip.c/tcpip.h.  At some point, nmap.c will only contain the Nmap
   command line UI.

-- Updated Russian version of man page from Alex Volkov (topcat@nm.ru)

** Version 2.54BETA6

-- Added XML output (-oX).  Hopefully this will help those of you
   writing Nmap front ends and other tools that utilize Nmap.  The
   "machine-readable" output has been renamed "grepable" (-oG) to
   emphasize that XML is now the preferred machine-readable output
   format.  But don't worry if your tool uses -oM , that format (and
   the deprecated -oM flag) won't go away any time soon (if ever).

-- Applied patch from Stefan Rapp <s.rapp@hrz.uni-dortmund.de> which fixes
   a variable argument integer promotion problem in the new snprintf 
   compatability file.  This is important for Redhat 7 systems.

-- Reorganized output-related routines so that they now reside in
   output.c & output.h.  Let me know if I accidently screwed up the
   behavior of any scan types in the process.

** Version 2.54BETA5

-- Revamped the 'compatability libraries' subsystem.  Moved all of
   that to a new library called 'libnbase' and changed Nmap and NmapFE
   to use that.  I included a better version of *snprintf and some
   other compatability files.  Obviously I cannot test these changes
   on every whacked OS that needs this compatability cruft, so please
   let me know if you run into compilation problems.

-- Fixed a problem found by Martyn Tovey <martyn@netcraft.com> when
   using Nmap on platforms that dislike division by zero.

-- Removed 128.210.*.* addresses from Nmap man page due to complaints
   from Purdue security staff.

-- Fixed FreeBSD (some versions) compilation problem found by Martyn
   Tovey <martyn@netcraft.com>

** Version 2.54BETA4

-- Upgraded to the very latest Libpcap version ( the 9/3/00 CVS
   snapshot ).  This version is from the tcpdump.org group rather than
   the Lawrence Livermore crew.  The most important advantage is Linux
   Socket Filter support (so you won't have that annoying syslog
   message about Nmap using the obsolete SOCK_PACKET interface).

-- I tried to install Nmap on yet another machine without lex/yacc or
   flex/bison.  That was the last straw!  I am now shipping the
   generated C files, which eliminates the lex/yacc requirement.

-- Applied patch by Jay Freeman (saurik) <saurik@saurik.com> to make
   Nmap C++-clean (this was lot of tedious work!  Thanks!).  Note that
   Nmap still uses a normal C compiler by default, but Nmap
   derivatives may appreciate C++ compatability.  Note that this only
   applies to "Nmap proper", not libpcap.

-- Added a HACKING file for people who want to help with Nmap
   development.  It describes preferred patch formats, development
   resources, and offers a number of useful changes that would likely
   be accepted into the main tree.

-- Fixed a configure.in error found by Vacuum
   (vacuum@technotronic.com) which could cause compilation errors.

-- Fingerprint file adjustments for better Win* detection

-- Ensure libpcap is not configured and/or installed if you already
   have a "new enough" version (0.4a6+) installed.

-- Included Italian translation of Nmap man page from Giorgio Zoppi
   <deneb@supereva.it> .

-- Fixed a SYN scan problem that could cause a major slowdown on some
   busy networks.

-- Fixed a crash problem in NmapFE reported by sverre ( sverre@gmx.net )

-- Added an "SInfo" line to most printed fingerprints.  It looks
   similar to this: 
   SInfo(V=2.54BETA4%P=i686-pc-linux-gnu%D=9/4%Time=9681031%O=7%C=1)
   and contains information useful when fingerprints are reported
   (Nmap version/platform, scan date, and open/closed ports used)

-- Fixed RPCGrind (-sR) scan.  It has been almost completely broken
   since 2.54BETA2 (which has been out for two weeks) and nobody
   reported it!  I noticed the problem myself during testing of
   something else.  I am disappointed that nobody bothered to even let
   me know that this was broken.  Does anyone even use RPC Scan?

-- Various other small fixes/improvements

** Version 2.54BETA3

-- Went through and added/adjusted a bunch of fingerprints.  A lot of
   people submitted Windows Millenium Edition (WinME) beta
   fingerprints, but nobody submitted IPs for them.  So please let me
   know if this version detects your WinME boxes.

-- Applied NmapFE patch from Michael Fischer v. Mollard <mfvm@gmx.de>
   which made did the following:
    -- Added delete event so that NmapFE always quits when you kill it
       with your window manager
    -- added the menubar to the vbox instead to the fixed widget

-- Various small fixes/improvements

** Version 2.54BETA2

-- Added a shortcut which can make single port SYN scans of a network
   much faster.  For example, if a new sendmail vulnerability is
   found, this reduces the time it takes to scan your whole network
   for port 25.  This shortcut takes effect when you do "-PS<port> -sS
   -p<port>".  For example 'nmap -n -sS -p25 -PS25 24.0.0.0/8".  This
   optimization doubled the scan speed in a 30,000 IP test I performed.

-- Added -sL (List scan).  Just as ping scan (-sP) allows you to short
   circuit the scan right after pinging, -sL allows you to short
   circuit the scan right after target selection.  This allows you to
   see what hosts WOULD be scanned without actually doing it.  The
   hosts will be resolved unles you use -n.  Primary uses:
   1) Get all the IPs in a network (like A.B.C.D/16) and take out
      machines that are too fragile to be scanned safely before
      calling Nmap with the new list (using -iL).
   2) Test that a complex spec like 128.4,5,7-9.*.7 does what you
      expect before actual scanning.
   3) When all you want to do is resolve a bunch of IPs.
   4) You just want results of a zone transfer (if it is implemented).

-- Added some new fingerprints and adjusted some others based on
   submissions to the DB (I still have a lot more to go through so
   don't worry if your submission is still not detected).

-- Added a warning when you scan 0 hosts (eg "nmap -v").  There are
   various other output tweaks as well.

-- Insured that 0.0.0.0 can be scanned by nmap (although on some OSs, like
   Linux, it won't work due to what seem to be kernel bugs).  Oh
   well.  I'll look into it later.

** Version 2.54BETA1

-- Added an extremely cool scan type by Gerhard Rieger ( rieger at
   iue.tuwien.ac.at ) -- IP Protocol scanning.  Basically it sends a
   bunch of IP headers (no data) with different "protocol" fields to
   the host.  The host then (usually) sends back a protocol
   unreachable for those that it does not support.  By exclusion, nmap
   can make a list of those that are supported.  This is similar in
   concept to (and is implemented using most of the same scanning
   routines as) UDP scanning.  Note that some hosts do not send back
   protocol unreachables -- in that case all protocols will appear
   "open".

-- Fixed an uninitialized variable problem in NmapFE (found by Alvin
   Starr (alvin at iplink.net )

-- Fixed a packaging problem that lead to the Nmap man page being
   included twice in the .tgz .

-- Fixed dangling nroff include in xnmap man page (noted by Debian
   Nmap package maintainer LaMont Jones (lamont@security.hp.com)

-- Give a warning when no targets at all are specified

-- Updated 'make uninstall' so that it deletes all relevant files

-- Included latest nmap-rpc from Eilon Gishri (eilon at aristo.tau.ac.il)

-- Eliminated -I. from Nmap's and NmapFE's makefiles (suggested by
   "Jay Freeman (saurik)" (saurik at saurik.com)

-- Added Russian documentation by Alex Volkov

-- Added Lithuanian documentation from Aurimas Mikalauskas (inner at dammit.lt) 
** Version 2.53

-- Fixed a commenting issue that could cause trouble for non-GNU compilers
   (first found by Jan-Frode Myklebust (janfrode at parallab.uib.no))

-- A few new services to nmap-services

** Version 2.52

-- Added very simple man pages for xnmap/nmapfe (lack of man pages for
   these was noticed by LaMont Jones (lamont (at) hp.com), the Debian
   Nmap package maintainer, based on bug report by Adrian Bunk (bunk
   (at) fs.tum.de ).

-- Fixed a "Status: Down" machine name output problem in machine
   parseable logs found by Alek O. Komarnitsky ( alek (at) ast.lmco.com )

-- Took some wierd files out of the doc directory (cd, grep , vi, and
   .swp)

-- Fixed some typos found by Thomas Klausner ( wiz (at)
   danbala.ifoer.tuwien.ac.at )

-- Updated nmap-rpc with new entries found in the latest version of Eilon
   Gishri's rpc list.

** Version 2.51

-- Fixed target parsing bug found by Steve Horsburgh (shorsburgh (at)
   horsburgh.com).

-- Changed makefile/rpm to store fingerprint, rpc, and services file
   in $prefix/share/nmap rather than $prefix/lib/nmap , since these
   files are architecture independent.  You should now use 
   ./configure --datadir instead of ./configure --libdir to change 
   the default location.  Suggested by Thomas Klausner ( wiz (at)
   danbala.ifoer.tuwien.ac.at ).

-- I am now including Eilon Gishri's (eilon (at) aristo.tau.ac.il) rpc
   number list (which he recently merged with the Nmap 2.50 rpc list).

-- Included Spanish and French HTML versions of the Nmap man page (may
   not always be up to date).

** Version 2.50

-- Fixed an IP calculation error which could occur in some cases where
   you scan machines on different devices (like lo and eth0).  This
   problem was discoved by Jonathan Fine (jfine@psu.edu).

-- Fixed a problem that could, in rare cases, cause a SYN scan scan to
   crash (the error message was "attempt to add port number X with
   illegal state 0").  This problem was reported by Erik Benner
   (erik@xyzzy.net)

-- Changed the .spec file so that RPM versions create a xnmap link to
   nmapfe ( the normal make install has done this for a long time ).

** Version 2.3BETA21

-- A number of people reported problems with nmapfe in various
   environments (specifically gdk errors, hangs, and crashes).  I
   think that is now fixed.  Let me know if you still have the problem
   (make sure the title bar says BETA21).

-- Added a bunch of OS fingerprints based on all the contributions in
   the last month or so.

-- Fixed a bug that completely broke RPC scanning in BETA19.

-- Added list of ports scanned near the top of each machine log WHEN
   -v was specified.  Here is an example of the format:
   # Ports scanned: TCP(13;1-10,22,25) UDP(0;)
   The "13" above is the number of TCP ports being scanned.

-- Got rid of a snprintf() from nmapfe sine some systems don't have it
   :( and I'm to lazy to integrate in the snprintf that comes with
   nmap right now.

-- Fixed important target IP range parsing bug found by Jean-Yves
   Simon ( lethalwp@linuxbe.org ).

-- Applied patch by albert chin (china at thewrittenword.com) which
   adds --with-libpcap[=DIR] option to configure and and adds an
   elegant approach for -lnsl and -lsocket checking to configure .

-- Fixed a bug which could cause Nmap to mark a port filtered based on ICMP
   dest. unreachable packets relating to a different host than the one
   being scanned.

-- Fixed output problem relating to ident scan noted by Peter
   Marschall ( peter.marschall at mayn.de )

-- Applied patch to services.c by Andrew Brown (atatat@atatdot.net)
   which prevents some useless debugging (-d) output when reading some
   kindss of /etc/services files.

-- Added "Host: [machinename] (ip) Status: Down" to machine logs when
   the verbose option is given (just like down hosts are reported to
   stdout when verbose is given).  Suggested by Alek Komarnitsky.

-- Applied NetBSD compatability patch provided by Mipam (reinoud at
   ibbnet.org) which changes an autoconf macro to check for
   getopt_long_only instead of getopt_long.

-- Nmap used to print an inaccuracy warning when no open TCP ports
   were found on the target machine.  Due to a bug, this was not
   always being printed.  Problem found by Matt (matt at use.net) and
   Ajay Gupta2 (Ajay.Gupta2 at ey.com).

-- Added the number of ports in the ignored state right after the
state name in machine parseable logs.  It used to looke like:
 "Ignored State: closed" whereas now it looks like:
 "Ignored State: closed (1508)" Meaning that 1508 ports were closed
 and thus are not specifically enumerated.

-- Changed all nmapfe calls to gdk_font_load into gdk_fontset_load .
   Bennett Feitell (bfeitell at panix.com) suggested that this fixed
   some nmapfe font problems.

** Version 2.3BETA20

-- Applied patch sent in by s.rapp@hrz.uni-dortmund.de which fixes a
   memory alignment bug in osscan.c which could cause core dumps on
   machines which require aligned access (like SPARC).

-- Fixed a compilation problem on machines that do not have MAP_FAILED
   defined (as a return value to mmap).  Problem noted by Phil
   Stracchino <alaric@babcom.com>.

** Version 2.3BETA19

-- Tweaked the output so that it now tells how many ports are not
   shown and what state the ignored ports are in.  This info could be
   inferred before by people who had studied the manpage, but now the
   info is explicitly available.  I cleaned up a bunch of stuff
   internally to make this happen.  I hope I didn't break anything!

-- Changed NmapFE so that it always kills any running Nmap process
   when you press exit. Problem noted by Marc Renner
   (mrenner (at) ci.marysville.wa.us)

-- Apparently some Linux (glibc) systems now come with a "strcasestr"
   function.  So I have made autoconf look for this and use the native
   version if supported. (problem noted by Sami Farin
   (sfarin (at) ratol.fi)).

-- Added a new attribute "Ignored State: xxx" to the machine parseable
   logs, where xxx is the state (closed, filtered, or UNfiltered) that
   is being ignored.  Ports in that state are not listed (they weren't
   listed in earlier versions either).  Perhaps I should list ALL
   ports for machine parseable output.  Opinions?

-- Merged in a patch sent in by Mipam (reinoud (at) ibbnet.org) which is
   apparently part of the OpenBSD Nmap "port".  Although Nmap seems to
   work fine for me on my OpenBSD 2.4 box, a couple OpenBSD users have
   complained of problems.  Hopefully this will help. (it adds
   DLT_LOOP and DLT_ENC offset cases when reading from libpcap).

-- A few really minor bugfixes.

** Version 2.3BETA18

-- Fixed a very important bug that occurred when SYN scanning
   localhost.  Many thanks to Dries Schellekens (
   gwyllion (at) ace.ulyssis.student.kuleuven.ac.be ) for first reporting
   the problem.

-- Uros Prestor from TurboLinux informed us that the latest
   versions of Nmap work with Linux on the upcoming Intel
   Merced/Itanium IA-64 processors.  He also said that the TurboLinux
   distribution includes Nmap.  Kudos to them!  As well as the other
   distros that support Nmap (Debian, Red Hat, Suse, Trinux) and of
   course FreeBSD, NetBSD, & OpenBSD.  Does anyone know if Nmap ships
   with the latest from Mandrake or Corel?  The latest Solaris
   includes some Free software.  If anyone can get them to ship Nmap,
   I will buy you a case of beer :).

-- Added a #define to change vsnprintf to vsprintf on machines which
   do not support the former (mostly Solaris 2.5.1 and earlier).  This
   function is less safe.  For people who care about security, we
   recommend an upgrade to Solaris 8 (or Linux/*BSD).

-- Changed the NmapFE version to 0.<nmap_version> rather than always
   leaving it at 0.9.5 (which was confusing).  Thanks to J.D.K. Chipps
   (jdkc (at) woptura.com) for noticing this.

-- Added support for "-vv" (means the same as "-v -v").  Older
   versions of Nmap supported it (noted by George Kurtz).

** Version 2.3BETA17


-- Added ACK scanning.  This scan technique (which van Houser and
   others have been bugging me to add for years :), is great for
   testing firewall rulesets.  It can NOT find open ports, but it can
   distinguish between filtered/unfilterd by sending an ACK packet to
   each port and waiting for a RST to come back.  Filtered ports will
   not send back a RST (or will send ICMP unreachables).  This scan
   type is activated with -sA .

-- Documented the Window scan (-sW) which Lamont Granquist added in
   September 99.

-- Added a whole bunch of OS fingerprints that people have submitted.

-- "Protocol" field in output eliminated.  It is now printed right
   next to the number (/etc/services style).  Like "22/tcp".  I wonder
   what I should put in the extra white space this leaves on the
   report :).

-- Added --resume option to continue a large network scan where you
   left off.  This is useful for recovering from errors (modem drops
   carrier, network outage, etc).  It also allows you to start and
   stop for policy reasons (like if a client only wants you to scan on
   weekends or at night) or if you want to run the scan on a different
   host.  Usage is 'nmap --resume logfile' where logfile can be either
   normal (-oN) or machine parseable (-oM) logfile from the scan that
   was aborted.  No other options can be given (the options in the
   logfile from the original scan will be used).  Nmap will start off
   with the host after the last one successfully scanned in the log
   file.

-- Added --append_output option which causes -oN/-oM/-oS to APPEND to
   the output file you specify rather than overwriting it.

-- Various internal code cleanup, makefile fixes, etc.

-- Changed version number from 2.3BETA* to 2.30BETA* to appease
   various packaging systems that thought 2.3BETA was < 2.12 .

-- Nmap output to files now correctly flushes output after scanning
   for each host is finished.

-- Fixed compiler -L flags error found by Ralf Hildebrandt
   <R.Hildebrandt (at) tu-bs.de>

-- Fixed configure scripts so that options you give to the Nmap
   configure (like --prefix ) are also passed to the nmapfe configure
   script.  This problem was noted by Ralf Hildebrandt
   <R.Hildebrandt (at) tu-bs.de>.  While I was at it, I added some other
   cleanups to the system.

-- Added --noninteractive option for when nmap is called from scripts
   (where stuff like prompting users for info is unacceptable).  It
   does not currently do anything (Nmap never prompts) and script
   writers should probably wait until at least May '2000 so their
   scripts still work with earlier versions of Nmap.

-- Updated to the latest config.guess and config.sub from Autoconf 2.13

-- Applied patch by Sven <s.carstens (at) gmx.de> which fixes a segmentation
   fault problem in Nmapfe colored mode as well as some output niceties.

-- Changed some C++ comments to C-style for portability (noticed by 
   "Sergei V. Rousakov" <sergei (at) cas.Vanderbilt.Edu> )

** Version 2.3BETA14

-- Peter Kosinar <goober (at) gjh.sk> performed some cleanup of the output
   routines and as a bonus he added skript kiddie output mode!!!  Try
   it out by adding "-oS - " to your nmap command line.  Note that
   using '-' to represent stdout instead of a filename is something
   you can do with any of the output modes.

-- Ensured that Nmap always gives up on ident scan after the first
   port attempt finds it to be closed (problem noticed by Matt
   <matt (at) use.net>)

-- Changed strsep's in nmapfe to more portable strtok's (should
   especially help Nmapfe compiles on Solaris)

-- Changed permutation algorithm to make port order and host order
   shuffling more random.

-- Various minor changes and internal code cleanup.

-- Fixed integer overflow that was limiting the max --host_timeout value 
   to about 2,000,000 milliseconds (~1/2 hour).  The limit is now
   about 4,000,000,000 milliseconds (~1 month).  I really hope you don't 
   need more than that :).

** Version 2.3BETA13
-- I made Nmap smarter about detecting filtering during UDP, Xmas,
   NULL, and FIN scans.

-- Updated Nmapfe to 0.9.5 (+ a patch from NmapFE author Zach Smith)

-- Fixed a problem where NmapFE would fail to honor $PATH (Noticed 
   by K. Scott Rowe <kscott (at) nmt.edu>)

-- Added a couple ICMP unreachable messages Nmap was missing (found by
   Bifrost <bifrost (at) minions.com>).

-- Internal cleanup that improves the way some port lists are stored.

-- Added some more RPC numbers from <mmmorris (at) netscape.net>

-- Relaxed the dependency requirements of nmapfe rpm (now will accept
   any version of Nmap).

** Version 2.3BETA12
-- Added interactive mode which adds convenience for managing nmap
   sessions and also enhances privacy.  Get to it with --interactive
   and then type 'h' for help.

-- Added/modified many fingerprints including the latest 2.3.X Linux
   releases, the latest Win2000 builds, the Apple Airport Wireless
   device, and several dozen more.

-- Migrated to RPM .spec file sent in by Tim Powers
   <timp (at) redhat.com>.  That is the file they will be using to package
   Nmap with the power tools CD in the next Redhat release.  The most
   important changes are that Nmap (only the RPM version) now installs
   in /usr/* instead of /usr/local/* and the frontend is now
   dynamically linked with GTK and comes in a separate rpm.

-- The -i (input from list) option has been deprecated.  From now on
   you should use -iL <filename> to read from a list or -iR to have
   Nmap generate random IPs to scan.  This -iR option is new.

-- The -o and -m options have been deprecated.  From now on, you
   should use -oN for normal (human readable) output and -oM for
   machine parseable output.  At some point I might add -oH (HTML
   output) or -oSK (sKr|pt |<iDdi3 0uTPut).

-- Added --randomize_hosts option, which causes hosts be be scanned in
   non-sequential order.  This makes scans less conspicuous.  For
   efficiency reasons, the hosts are chopped into groups of 2048 and
   then each group is internally shuffled (the groups still go in
   order).

-- Rearranged the help ('nmap -h' or 'nmap' or 'nmap --help') screen
   to be shorter (37 -> 23 lines!) and include some of the new
   features of this release.  The man page was updated as well.

-- Fixed longstanding bug where nmap -sS mylocalnetwork/24 would not
   successfully scan the host running nmap.

-- Internal improvements to make scanning faster with -i (input list)
   or when you specify multiple machines on the command line.

-- Uses faster GCD algorithm and fixed several typos (sent in by Peter
   Kosinar).

-- Provide more information in machine/human readable output files
   (start time, end time, RPC program name, Nmap version number)

-- Killed the -A option (if you don't know what that is then you won't
   miss it.  In fact, even if you do know what it is you won't miss
   it.)

** Version 2.3BETA10

-- Added about 70 new OS fingerprints so that Nmap can detect more
   systems.  The most important new fingerprints are probably:
   * The new SP5+ NT boxes -- After all these years MS FINALLY made
     sequence prediction harder (on NT anyway).
   * Solaris 8 Pre-Release
   * Sega Dreamcast (Hack that!)
   * Latest Windows 2000 builds
   * OpenBSD 2.6

** Version 2.3BETA9

-- Applied patch by Mark Abene (Phiber Optik) to fix several type
   length issues so that it works on Linux/Alpha.

-- Applied patch by Matthieu Verbert <mve (at) zurich.ibm.com> to speed up OSScan

** Version 2.3Beta8
-- Added "firewall mode" timing optimizations which can decrease the
   ammount of time neccessary to SYN or connect scan some heavily
   filtered hosts.

-- Added min_rtt_timeout timing option (see man page for details)

-- Changed "TCP Ping" to use a random ACK value rather than 0 (an IDS
   called Snort was using this to detect Nmap TCP Pings).

-- Some changes for better Alpha/Linux support based on investigation
   by Bill Beers <wbeers (at) carolina.rr.com>

-- Applied changes for FDDI support by Tobias J. Nijweide <tobias (at) mesa.nl

-- Applied a socket binding patch from LaMont Jones <lamont (at) security.hp.com>
   which can be useful when using -S to specify one of multiple interfaces
   on a machine.

-- Made OS detection smart enough to first check scan results for a known
   closed port instead of immediately resorting to a random one.  This
   improves OS detection against some machines behind packet
   filters. (suggested by van Hauser) 

-- Applied a shortcut suggestion by Thomas Reinke which can lead to
   a tremendous speedup against some firewalled hosts.

-- Added some ports commonly used for RPC to nmap-services

-- Fixed a problem with the timing of an RPC scan (could come before
   the UDP scans they rely on)

-- Added a number of new ports to nmap-services

** Version 2.3Beta6 **

-- Added sophisticated timing controls to give the user much more
   control over Nmap's speed.  This allows you to make Nmap much more
   aggressive to scan hosts faster, or you can make Nmap more "polite"
   -- slower but less likely to wreak havoc on your Network.  You can
   even enforce large delays between sending packets to sneak under
   IDS thresholds and prevent detection.  See the new "Timing Options"
   section of the Nmap man page for more information on using this.

-- Applied Lamont Granquist's <lamontg (at) u.washington.edu> Window
   scan patch (I changed the name from ACK scan to Window scan since I
   may add another scan that uses ACK packets and I don't want them to
   be confused).  -sW activates this scan type.  It is mostly
   effective against BSD, AIX, Digital UNIX, and various older HP/UX,
   SunOS, and VAX. (See nmap-hackers mailing list archives for an
   extensive list).

-- Added various long options people expect to see like --version , 
   --help , --usage , etc.  Some of the new timing options are also
   long.  I had to add getopt_long C files since most non-Linux boxes
   don't support getopt_long in libc.

-- Human readable (-o) output changed to include the time/date of the
   scan.  Suggested by van Hauser.

** Version 2.3-Beta5 ***

-- Changed RPC output based on suggestions by David O'Brien
   <obrien (at) NUXI.com> and Lance Spitzner <lance (at) spitzner.net>.  I got
   rid of the "(Non-RPC)" unnecessary clutter which appeared after
   each non RPC port and the "(untested)" that appeard after each
   "filtered" port.

-- Added a ton of new OS fingerprints people submitted.  I had about
   400 in my inbox.  Of course, almost 100 of them were submissions for
   www.windows2000test.com :).

-- Changed the machine parseable output of RPC information to include
   the version information.  If we figured out the RPC info, it is now
   provided as "program-num*lowversion-highversion".  If we didn't get
   the number, but we think the port is RPC, the field simply contains
   "R".  If we believe the port is NOT RPC, then the field contains
   "N".  If the field is empty, we did not RPC scan the port.  Thanks
   to H D Moore <nlog (at) ings.com> for making me aware how much the
   earlier machine parseable RPC logging sucked :).

*** Version 2.3-Beta4 ***

-- Added direct (non-portmapper) RPC scanning to determine what RPC
   program is listening on a particular port.  This works for UDP and
   TCP ports and is currently implemented using sockets (which means
   you can't use decoys, but on the other hand you don't have to be
   root).  Thanks go to ga <ga (at) capyork.com> for writing sample code to
   demonstrate the technique.  The RPC services list included with
   nmap was compiled by Vik Bajaj <vbajaj (at) sas.upenn.edu> with help
   from various members of the nmap-hackers list.

-- Fixed a problem that could cause freezes when you
   scan machines on at least two different types of interfaces as part
   of the same command.

-- Identified and found workaround for Linux kernel bug which allows
   connect() to sometimes succeed inapropriately when scanning closed
   ports on localhost.

-- Fixed problems relating to people who specify the same port more
   than once on the command line.  While the right answer is "well,
   don't do that!", I decided to fix nmap to handle this gracefully.

-- Tweaked UDP scanning to be more effective against Solaris ICMP
   error limiting.

-- Fixed strtol() integer overflow problem found by Renaud 
   Deraison <deraison (at) cvs.nessus.org>

-- The HTML translation of the Man page at
   http://www.insecure.org/nmap/nmap_manpage.html should now be
   complete (man2html was dropping lines before).

-- Added a note in the man page that Nmap 2.0+ is believed to be
   COMPLETELY Y2K COMPLIANT!  I've been getting a lot of letters from
   laywers about that recently.  You should still be able to port scan on
   Jan 1st (well ... as long as you have electricity and gangs of looting
   thugs haven't stolen your computers :)

*** Version 2.2-Beta4 ***
-- Integrated nmapfe code from Zach Smith to allow
   the nmapfe output window to resize when you resize the nmapfe window.

-- Integrated patch sent in by Stefan Erben <stefan (at) erben.com> which
   allows nmap to recognize and ignore null interfaces.  If you were
   getting a bogus error like "eth0 not found in /proc/net/route" then
   this should solve your problem.

-- Applied patch from Alexander Savelyev <fano (at) ham.kiev.ua> which
   gives nmap the parameters necessary to support SLIP and PPP on BSDI
   systems.

-- Upgraded to a new version of shtool (1.2.3)

*** Version 2.2-Beta3 ***

-- Adopted Ralf S. Engelschall's excellent shtool script
   for simplifying the nmap makefile and making it more portable
-- Various other minor changes to nmapfe.

*** Version 2.2-Beta2 ***

-- Cleaned up build environment more, fixed up RPM and Makefile.in,
   eliminated the automake stuff.
-- Added nmapfe feature to show nmap command as you change options
-- Changed nmapfe to use a global MyWidgets struct rather than
   tons of global vars all over the place.
-- Made nmapfe much smarter about rejecting stupid option attempts.
   It now tries to correct things when you specify illegal options.
-- GTK+ 1.0 compatibility fixes
-- Integrated nmapfe changes from Zach

*** Version 2.2-BETA1 Changes ***

-- Integrated in nmapfe -- a cool front end wrottem by Zach Smith <matrxweb (at) hotmail.com>


*** Version 2.12 Changes ***

-- Changed the way tcp connect() scan determines the results of a
   connect() call.  Hopefully this will make nmap a little more
   portable.

-- Got rid of the security warning message for people who are missing
   /dev/random and /dev/urandom due to complaints about the warning.
   This only silences the warnings -- it still uses relatively weak
   random number generation under Solaris and other systems that lack
   this functionality.

-- Eliminated pow() calls on Linux boxes.  I think some sort of glibc
   bug was causing nmap to sigsegv in some cases inside of pow().
   Most people weren't affected, but those who were would almost
   always SIGSEGV with -O.

-- Fixed an rpm problem noted by Mark Smith <marks (at) senet.com.au>

*** Version 2.11 Changes ***

-- Many new fingerprints added.  I received more than 300 submissions
   between this release and the last one.

-- Fixed IRIX problems which prevented OS scanning from working on
   that platform.  The problem was researched and solution found by
   Lamont Granquist <lamontg (at) u.washington.edu>.  You can also thank
   him for porting nmap to almost every UNIX around.

-- Added support for '-m -' to redirect machine readable logs to
   stdout for shell pipelining, etc.  I also changed machine readable
   output to show service names now that we use a nmap specific
   services file rather than /etc/services.  These features were
   suggested by Dan Farmer.  You can also thank him for SATAN (the
   auditing tool).

-- Fixed a link-list bug that could cause hangs in UDP,FIN,NULL, and
   XMAS scans.  Also fixed a ptr problem that could cause SIGSEGV.
   These problem were discovered and tracked down by Ben Laurie
   <ben (at) algroup.co.uk>.  You can also thank him for Apache, OpenSSL,
   and Apache-SSL.

-- Fixed installation problem for people without a /usr/local/man/man1
   directory.  Found by Jeffrey Robertson <a-jeffro (at) microsoft.com>.
   I guess you can thank him for Win98 ;).

-- Several other little fixes to the installation script and minor
   scanner tweaks.

*** Version 2.10 Changes ***

-- Private test release 

*** Version 2.09 Changes ***

-- Private test release 

*** Version 2.08 Changes ***

-- Bugfix for problem that can cause nmap to appear to "freeze up" for long
   periods of time when run on some busy networks. (found by Lamont Granquist)

*** Version 2.07 Changes ***

-- Fixed a lockup on Solaris (and perhaps other proprietary UNIX
   systems) caused by a lack of /dev/random & /dev/urandom and a
   rand() that only returns values up to 65535.  Users of Free
   operating systems like Linux, FreeBSD, or OpenBSD probably
   shouldn't bother upgrading.

***Version 2.06 Changes***

-- Fixed compile problems on machines which lack snprintf() (found by Ken
   Williams <jkwilli2 (at) unity.ncsu.edu>)
-- Added the squid proxy to nmap-services (suggested by Holger Heimann)
-- Fixed a problem where the new memory allocation system was handing out
   misaligned pointers.
-- Fixed another memory allocation bug which probably doesn't cause any
   real-life problems.
-- Made nmap look in more places for nmap-os-fingerprints

***Version 2.05 Changes***

-- Tons of new fingerprints.  The number has grown by more than 25%.
  In particular, Charles M. Hannum <root (at) ihack.net> fixed several
  problems with NetBSD that made it easy to fingerprint and he sent me
  a huge new batch of fingerprints for various NetBSD releases down to
  1.2.  Other people sent NetBSD fingerprints down to 1.0.  I finally
  got some early Linux fingerprints in (down to 1.09).

-- Nmap now comes with its own nmap-services which I created by
   merging the /etc/services from a bunch of OS' and then adding
   Netbus, Back Orifice, etc.

-- Random number generation now takes advantage of the /dev/urandom or
   /dev/random that most Free operating systems offer.

-- Increased the maximum number of OS guesses nmap will make, told
   nmap never to give you two matches where the OS names are
   byte-to-byte equivalent.  Fixed nmap to differentiate between "no
   OS matches found" and "too many OS matches to list".

-- Fixed an information leak in the packet TTL values (found by 
   HD Moore <hdmoore (at) usa.net>)

-- Fixed the problem noted by Savva Uspensky about offsets used for
   various operating systems' PPP/SLIP headers.  Due to lack of
   responses regarding other operating systems, I have made
   assumptions about what works for BSDI, NetBSD, and SOLARIS.  If
   this version no longer works on your modem, please let me know (and
   tell me whether you are using SLIP/PPP and what OS you are
   running).

-- Machine parseable logs are now more machine parseable (I now use a
   tab to seperate test result fields rather than the more ambiguous
   spaces.  This may break a few things which rely on the old format.
   Sorry.  They should be easy to fix.

-- Added my nmap-fingerprintinting-article.txt to the distribution in
   the docs directory.

-- Fixed problem where nmap -sS <my_ethernet_or_ppp_ip_address> would
   not correctly scan localhost (due to the kernel rerouting the
   traffic through localhost).  Nmap should now detect and work around
   this behavior.

-- Applied patch sent to my by Bill Fenner <fenner (at) parc.xerox.com>
   which fixes various SunOS compatibility problems.

-- Changed the makefile 'all' target to use install-sh rather than 
   mkdir -p (doesn't work on some systems)

-- Documentation updated and clarified slightly.

-- Added this CHANGELOG file to the distribution.