odd behavior in udp scans

[jfrancis () kcp com]

Hi,

Like lots of other people, we use nmap inside some scripts to automatically
generate some reports as to what is listening on our network at any given
time.  We've recently updated our nmap from version 3.00 to version 3.50
and and in the process we now have some strange behavior.

On a few systems running Sun Solaris 5.7 (as reported by the admin), an
"nmap -sSU -O -n $target" now shows open tcp and udp ports identified as
accepted, however any udp ports that we can report as filtered when in
reality they should be closed.  Other Solaris systems that are (in theory)
identically configured still scan as expected (i.e., without the extra udp
ports marked as filtered).

I've isolated this issue to a change that occured between nmap-3.10ALPHA4
and nmap-3.10ALPHA5 by compiling and testing various versions until I found
where the behavior changed.  I'm stumped as to the source of the problem,
although in the changelog fyodor identifies that he bumped the libpcap
libraries he includes from 0.6.2 to 0.7.1 so I'm wondering if this is
somehow the source of the behavior change.

Any thoughts from anyone out there as to the source of this before I pull
my hair out going through ~10,000 lines of diffs trying to find what's
going on?

Many thanks for any help,

Joe Francis
Cyber Security
x5872


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org