Security Basics mailing list archives

Nmap - Under the hood


From: skill2die4 () secguru com
Date: Sun, 12 Dec 2004 03:43:41 -0600 (CST)



I am in the process of jotting down the various options available with Nmap
for port scanning, collecting Ethereal packet captures for the various
scan types, and also discussing which scan works best under what
circumstances.

Results at :  http://www.secguru.com/forum/viewtopic.php?t=68

However, when I started fiddling with -sF, -sX and -sN, I found that
most of the machines being scanned respond as "open" to
everything. I tried these scan options against M$oft, Fedora and Solaris,
but it reported all ports 'open', which I know ain't true.

The Nmap manpage states, "There are times when even SYN scanning isn't
clandestine enough. Some firewalls and packet filters watch for SYNs to
restricted ports, and programs like Synlogger and Courtney are available
to detect these scans. These advanced scans, on the other hand, may be
able to pass through unmolested."

I got the idea of the scan, but don't have any live example. If you
know any OS (+version) that DOES reply back with RST, please let me know!


TIA,


-=skillz=-


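As an added illustration of the RFC 793 behaviour that the manpage excerpt above relies on (this is example code written for this archive page, not Nmap's own source), the Python model below simulates how a target stack answers the -sS, -sF, -sX and -sN probes and how Nmap turns each reply into a port state. It shows the point that matters for the question: a listening port and a probe silently dropped by a filter both produce no reply, so FIN, Xmas and Null scans can only report "open|filtered" for them, which is why every port can look open; and a stack that answers every such probe with RST regardless of port state (the Nmap reference guide names Microsoft Windows and many Cisco devices) makes every port look closed instead, so no useful answer comes back from those hosts either way. The port numbers, the set of listening ports and the four stack models are constructed for the example; nothing is sent on the wire.

```python
"""Model of how FIN/Xmas/Null scans infer port state (added example).

Simulates the RFC 793 rule those scans rely on (closed port -> RST,
listening port -> silence for a segment carrying none of SYN/ACK/RST)
and the decision tables Nmap applies to each reply. Target stacks are
simulated, so the example runs offline.
"""
from enum import Enum
from typing import Callable, Dict, Iterable, Set


class Reply(Enum):
    NONE = "no reply"
    RST = "RST"
    SYNACK = "SYN/ACK"
    ICMP_UNREACH = "ICMP unreachable"


# TCP flags each Nmap scan type sets on its probe (-sS, -sF, -sX, -sN).
PROBE_FLAGS = {"SYN": "S", "FIN": "F", "XMAS": "FPU", "NULL": ""}

# A simulated stack: (port is listening?, probe flags) -> reply.
Stack = Callable[[bool, str], Reply]


def rfc793_reply(listening: bool, flags: str) -> Reply:
    """Reply of a stack that follows RFC 793 section 3.9 (segment arrives)."""
    if "R" in flags:
        return Reply.NONE            # an RST is never answered
    if not listening:
        return Reply.RST             # CLOSED: any other segment draws an RST
    if "A" in flags:
        return Reply.RST             # LISTEN: a stray ACK draws an RST
    if "S" in flags:
        return Reply.SYNACK          # LISTEN: SYN starts the handshake
    return Reply.NONE                # LISTEN: FIN/PSH/URG/no flags are dropped


def rst_to_everything(listening: bool, flags: str) -> Reply:
    """Stack that answers every non-SYN probe with RST whatever the port state
    (the Nmap reference guide names Windows and many Cisco devices)."""
    if "S" in flags and "A" not in flags:
        return rfc793_reply(listening, flags)   # handshake still works
    return Reply.RST


def silently_dropped(listening: bool, flags: str) -> Reply:
    """A filter in front of the host drops the probe: no reply at all."""
    return Reply.NONE


def icmp_rejecting_filter(listening: bool, flags: str) -> Reply:
    """A filter that rejects with ICMP unreachable instead of dropping."""
    return Reply.ICMP_UNREACH


def nmap_state(scan_type: str, reply: Reply) -> str:
    """Port state Nmap derives from one reply to one probe."""
    if scan_type == "SYN":
        return {Reply.SYNACK: "open", Reply.RST: "closed"}.get(reply, "filtered")
    # FIN, Xmas and Null share one table, and silence is ambiguous.
    if reply is Reply.RST:
        return "closed"
    if reply is Reply.ICMP_UNREACH:
        return "filtered"
    return "open|filtered"


def scan(stack: Stack, listening: Set[int], ports: Iterable[int],
         scan_type: str) -> Dict[int, str]:
    """Run one scan type against a simulated stack; return port -> state."""
    flags = PROBE_FLAGS[scan_type]
    return {p: nmap_state(scan_type, stack(p in listening, flags)) for p in ports}


if __name__ == "__main__":
    listening = {22, 80}              # constructed target: sshd and httpd
    ports = [22, 25, 80, 443]
    stacks = (("RFC 793 host", rfc793_reply),
              ("RST-to-everything host", rst_to_everything),
              ("dropped by filter", silently_dropped),
              ("rejected by filter", icmp_rejecting_filter))
    for name, stack in stacks:
        for scan_type in ("SYN", "FIN", "XMAS", "NULL"):
            print(f"{name:24} {scan_type:4} {scan(stack, listening, ports, scan_type)}")
```

Against the RFC 793 host the FIN, Xmas and Null results are identical and never say "open" outright; against the RST-to-everything host every port comes back "closed"; against a dropping filter every port comes back "open|filtered" no matter what is listening. That last row is the case an all-ports-open result usually points at, and a plain SYN scan (which reports "filtered" there) is the quickest way to tell the two apart.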