Nmap output

[maash.rajani () gmail com]

I scanned a host with nmap using two set of parameters.

1) nmap -P0 -f -O 192.168.100.44

Warning:  OS detection for 192.168.100.44 will be MUCH less reliable because we
did not find at least 1 open and 1 closed TCP port
All 1690 scanned ports on host233-226.xxxx.xxx.xx (192.168.100.44) are filt
ered
Device type: specialized|switch|WAP|printer|general purpose
Running: Cisco IOS 12.X, D-Link embedded, Ember embedded, IBM embedded, Lexmark
embedded, Minix
OS details: Cisco DOCSIS cable modem termination server running IOS 12.1, Cisco
Catalyst 6509 running IOS 12.1, D-Link DI-824VUP Wireless VPN Router, Ember InSi
ght Adapter for programming EM2XX-family embedded devices, IBM 6400 Printer (sof
tware version 7.0.9.6), Lexmark T632 Network Laser Printer, Minix 3.1.2a





While in the second set of parameter i did not fragment the packets.

2) nmap -P0 -O 192.168.100.44

Warning:  OS detection for 192.168.100.44 will be MUCH less reliable because we
did not find at least 1 open and 1 closed TCP port
Warning:  OS detection will be MUCH less reliable because we did not find at lea
st 1 open and 1 closed TCP port
Interesting ports on host233-226.xxx.xxx.xx (192.168.100.44):
Not shown: 1689 filtered ports
PORT    STATE SERVICE
443/tcp open  https
Device type: general purpose
Running: IBM AIX 4.X, Microsoft Windows 2003/.NET|NT/2K/XP
OS details: IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/*, Microsoft Windows 2003 Serve
r or XP SP2
Uptime: 3.360 days (since Sun Nov 16 13:22:23 2008)




My question is without fragmenting the packets how was nmap able to determine an open port.
And what different did fragmentation make in OS detection.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------