# Nmap Changelog ($Id: CHANGELOG 7301 2008-05-03 08:22:18Z fyodor $); -*-text-*-

Nmap 4.62 [5/3/08]

o Added a new --min-rate option that allows specifying a minimum rate
  at which to send packets. This allows you to override Nmap's
  congestion control algorithms and request that Nmap try to keep at
  least the rate you specify.  The rate is given in packets per
  second. Read more in the Nmap man page
  (http://nmap.org/book/man-performance.html) [David]

o Create /nmap/macosx directory in SVN with files necessary to build
  binary Mac OS X Nmap/Zenmap packages.  We are trying to create
  binary installer packages which are as useful and easy to use as the
  Windows installer.  This has involved a lot of work by David.  We
  aren't quite yet distributing the results on the Nmap download page,
  but testing our beta versions is useful.  You can find the latest
  universal (PPC and Intel) binary test version by looking at David
  Fifield's posts at http://seclists.org/nmap-dev/2008/q2/author.html .
  You can also read /nmap/macosx/README in svn for more info.

o Nmap 2008 Summer of Code students have begun working (though full
  time doesn't start until late May).  Learn about the winners and their
  projects at http://seclists.org/nmap-dev/2008/q2/0132.html .

o Brandon added/modified a whole bunch of version detection signatures
  based on systems discovered when scanning UCSD's network.

o Reformat Nmap COPYING file (e.g. remove C comment markers, reduce
  line length) during Nmap windows build so that it looks much better
  when presented by the Windows executable (NSIS) installer.  Thanks
  to Jah for the patch, which was modified slightly by Fyodor.

o Added NSE Datafiles library which reads and parses Nmap's nmap-*
  data files for scripts.  The functions (parse_protocols(),
  parse_rpc() and parse_services()) return tables with numbers
  (e.g. port numbers) indexing names (e.g. service names).  The
  rpcinfo.nse script was also updated to use this library. [Kris]

o Fixed a bug in the nbase random number generator (and the way it
  interacted with Nmap and MS Windows) which caused duplicates in some
  instances.  Thanks to Jah for reporting the problem and working with
  Brandon Enright, Fyodor and Kris to fix it.

o It turns out that hours have 60 minutes, not 24.  Fixed a scan
  status message which was rolling over the hours column
  prematurely. [David]

o Added scripting options to Zenmap profile editor and command wizard
  to make use of NSE. [David]

o Zenmap now prints an exception message rather than segfaulting when it
  can't open a display (such as when trying to connect to an X server as
  an unauthorized user). Thanks to Aaron Leininger for the initial
  report and Guilherme Polo for suggesting the fix.

o Now ports in the "unfiltered" state can be selected for attention by
  NSE scripts. [Kris]

o Nbase random number generation system now avoids having a high-bit
  of zero in every other byte on Windows due to Windows having such a
  low RAND_MAX. [Jah]
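
The effect described in the entry above, as an added example that is not taken from the nbase source. The 15-bit generator ex_rand() and both fill functions are constructed stand-ins with hypothetical names; they show why copying each result into two bytes leaves the top bit of every second byte clear, and one way to avoid it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a C library rand() limited to 15 bits
   (RAND_MAX == 0x7FFF). It is not Nmap's nbase code. */
#define EX_RAND_MAX 0x7FFF
static uint32_t ex_state = 1;

static void ex_srand(uint32_t seed) { ex_state = seed; }

static int ex_rand(void)
{
    ex_state = ex_state * 214013u + 2531011u;
    return (int)((ex_state >> 16) & EX_RAND_MAX);
}

/* Flawed fill: spread each 15-bit result over two bytes. Bit 15 never
   exists, so the second byte of every pair is at most 0x7F. */
static void fill_two_bytes_per_call(unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i += 2) {
        unsigned int r = (unsigned int)ex_rand();
        buf[i] = (unsigned char)(r & 0xFF);
        if (i + 1 < len)
            buf[i + 1] = (unsigned char)(r >> 8);
    }
}

/* Safer fill: one call per byte, keeping eight of the fifteen bits, so
   every bit position of every byte can be set. */
static void fill_one_byte_per_call(unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] = (unsigned char)((ex_rand() >> 7) & 0xFF);
}

/* Number of bytes at odd offsets whose top bit is set. */
static size_t odd_high_bits(const unsigned char *buf, size_t len)
{
    size_t i, n = 0;
    for (i = 1; i < len; i += 2)
        if (buf[i] & 0x80)
            n++;
    return n;
}

int main(void)
{
    unsigned char buf[4096];

    ex_srand(1);
    fill_two_bytes_per_call(buf, sizeof buf);
    printf("two bytes per call: %zu of %zu odd bytes have the top bit set\n",
           odd_high_bits(buf, sizeof buf), sizeof buf / 2);

    ex_srand(1);
    fill_one_byte_per_call(buf, sizeof buf);
    printf("one byte per call:  %zu of %zu odd bytes have the top bit set\n",
           odd_high_bits(buf, sizeof buf), sizeof buf / 2);
    return 0;
}
```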

o Added release dates for each Nmap version to this CHANGELOG going
  back to Nmap 3.00 (July 31, 2002).  Dates are in MM/DD/YY format.
  If someone wants to track down dates for the last 22% of the file
  (pre-3.00), you are welcome to do so and send a patch.  Searching
  Google for the version number and site:seclists.org seems to work
  well. [Fyodor]

o Nmap RPM builds now use the included versions of libdnet, libpcap,
  libpcre, and liblua rather than whatever happens to be installed on
  the build system. [David]

o Zenmap can now be installed in and run in directories with a space
  in the name. [David]

o Fixed an assertion failure ("Target.cc:396: void
  Target::stopTimeOutClock(const timeval*): Assertion
  'htn.toclock_running == true' failed.") caused when a host had NSE
  scripts in multiple runlevels.  This also fixes --host-timeout
  behavior in NSE. [Kris]

o Reduce the maximum number of socket descriptors which Nmap is
  allowed to open concurrently.  This resolves a bug which could cause
  "Too many open files" error on Mac OS X when not running as
  root. [David]

o Canonicalized service names between nmap-service-probes (version
  detection DB) and nmap-services (port scanning DB). [Kris]

o Removed the "class" attribute from the tcpsequence element in XML
  output. For a long time it had always been "unknown class" because
  Nmap doesn't calculate a class anymore. The XML output version has
  been increased from 1.01 to 1.02. [David]

o Fixed a bug on Win32 which caused an infinite loop when Nmap
  encountered certain broadcast addresses. [Dudi Itzhakov]

o Fix MingW compilation by adding a signal.h include to
  main.cc. [Gisle Vanem]

o Fix the test in our build system to determine if liblua is already
  available or not. For example, the test needed to link with -lm
  since some systems require that.  [David].

o Added TIMEVAL_BEFORE and TIMEVAL_AFTER macros to test whether one
  timeval is earlier than another while avoiding possible integer
  overflows in a naive approach we were using previously. [David]
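
An added example of the overflow this entry refers to; it is not code from the Nmap source. The naive form shown (reducing the difference to a 32-bit microsecond count) is an assumption about what such an approach looks like, and the EX_ macros are hypothetical definitions written for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* Helper for building sample values (constructed inputs). */
static struct timeval make_tv(long sec, long usec)
{
    struct timeval tv;
    tv.tv_sec = sec;
    tv.tv_usec = usec;
    return tv;
}

/* Naive ordering test: collapse the difference a - b into one 32-bit
   count of microseconds and look at its sign. The arithmetic is done
   unsigned so the wraparound is well defined in this demonstration;
   written with plain int it would be undefined behaviour. */
static int32_t naive_diff_usec(const struct timeval *a, const struct timeval *b)
{
    uint32_t sec = (uint32_t)a->tv_sec - (uint32_t)b->tv_sec;
    uint32_t usec = (uint32_t)a->tv_usec - (uint32_t)b->tv_usec;
    return (int32_t)(sec * 1000000u + usec);
}

static int naive_before(const struct timeval *a, const struct timeval *b)
{
    return naive_diff_usec(a, b) < 0;
}

/* Field-wise comparison: no subtraction and no multiplication, so there
   is nothing that can overflow however far apart the two times are. */
#define EX_TIMEVAL_BEFORE(a, b) \
    (((a).tv_sec < (b).tv_sec) || \
     ((a).tv_sec == (b).tv_sec && (a).tv_usec < (b).tv_usec))
#define EX_TIMEVAL_AFTER(a, b) EX_TIMEVAL_BEFORE(b, a)

int main(void)
{
    struct timeval start = make_tv(1000, 0);
    struct timeval soon = make_tv(1000, 500000);  /* 0.5 s later */
    struct timeval late = make_tv(4000, 0);       /* 50 minutes later */

    /* Half a second apart: both tests agree. */
    printf("0.5 s gap:  naive=%d fieldwise=%d\n",
           naive_before(&start, &soon), EX_TIMEVAL_BEFORE(start, soon));

    /* 3000 s is 3,000,000,000 us, which does not fit in 31 bits; the
       wrapped difference comes out positive and the naive test is wrong. */
    printf("3000 s gap: naive=%d fieldwise=%d\n",
           naive_before(&start, &late), EX_TIMEVAL_BEFORE(start, late));
    return 0;
}
```

Any gap longer than about 2147 seconds exceeds what a signed 32-bit microsecond count can hold.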

o Adjusted a bunch of code to avoid compilation warning messages on
  some Linux machines. [Andrew J. Bennieston]

o Fixed the NmapArpCache so that it actually works. Previously, Nmap
  was always falling back to the system ARP cache. Of course this
  raises the question of whether NmapArpCache is needed in the first
  place. [Daniel Roethlisberger]

o Fix a Zenmap bug which could cause the error message
  "zenmapCore.NmapOptions.OptionNotFound: No option named '' found!"
  if you create a new profile without checking any options then try to
  edit it. [David]

o Zenmap now shows a more helpful error message when there is an error
  in executing Nmap. [David]

o Zenmap now creates the directory ~/.zenmap-etc to store
  automatically generated GTK+ and Pango files. They used to go in the
  application bundle but that doesn't work on a read-only filesystem or
  disk image. This is what Wireshark does (~/.wireshark-etc), although
  the directory could be called anything. It doesn't have to persist
  across sessions.

o Added a mechanism in Zenmap for including extra executable search
  paths on specific platforms, so we can include /usr/local/bin in
  PATH on Mac OS X by default and add the Nmap install directory on
  Windows. [David]

o We now use --no-strip when building Zenmap Mac OS X packages to
  prevent many mysterious warnings which occur when the binary is
  stripped. [David]

o When Zenmap invokes Nmap, it now copies the whole environment for
  the Nmap invocation rather than just providing $PATH.  Windows may
  need this to do proper name resolution. [David]

o Corrected uptime parsing and reporting in SNMPsysdesr.nse for an
  uptime of less than 46 hours. [Kris]

o Modified the use of CXXFLAGS, CFLAGS, and CPPFLAGS in Nmap build
  system to work better when building Mac OS X universal
  binaries. [David]

o Added many additional PCRE option flags to the list returned by the
  NSE pcre.flags() function. [Kris]

o Changed the NSE function nmap.set_port_state() so that it checks to
  see if the requested port is already in the requested state.  This
  prevents "Duplicate port" messages during the script scan and the
  inaccurate "script-set" state reason. [Kris]

o Canonicalize NSE script license text--more than half did not even
  spell license correctly. They all still say that they are under Nmap's
  license, just with consistent capitalization and spelling, and now a
  link to the Nmap legal page at http://nmap.org/man/man-legal.html.

o Updated ripeQuery.nse to not print extraneous whitespace. [Kris]

o Switched telnet brute force password cracking NSE (bruteTelnet.nse)
  to vulnerability category so it isn't executed by default.  It can
  take too long to run. [Eddie]

o NSE status messages now print host name and IP, rather than just the
  host name (which was blank when Nmap didn't know it). [Jah]

o Allocate 128 characters for the idle scan ScanProgressMeter title. Previously
  it was 32 characters. The "idle scan against " and the \0 terminator take up 19
  characters, leaving only 13, which isn't enough to represent all IP addresses,
  let alone host names. Bug reported by Stephan Fijneman, fixed by David.

Nmap 4.60 [3/15/08]

o Nmap has moved.  Everything at http://insecure.org/nmap/ can now be
  found at http://nmap.org .  That should save your fingers from a
  little bit of typing.  Even though transparent redirectors are in
  place for the old URLs, please update your links and bookmarks. And
  if you don't have a link to Nmap on your web site, now is a good
  time to add one :).

o All of your OS detection fingerprints up until March 10, 2008 have
  now been integrated by David.  The second generation database has
  grown from 1,085 fingerprints representing 421 operating
  systems/devices, to 1,304 fingerprints representing 478 systems.
  That is an increase of more than 20%.  New fingerprints were added
  for Mac OS X Tiger, iPod Touch, the La Fonera WAP, FreeBSD 7.0,
  Linux 2.6.24, Windows 2008, Vista, OpenBSD 4.2, and of course
  hundreds of broadband routers, VoIP phones, printers, some crazy
  oscilloscope, etc.  We get a ton of new fingerprint submissions, but
  not as many corrections.  Please remember to visit
  http://nmap.org/submit/ if Nmap gives you bad results, whether they
  are completely wrong or just a slight mistake (like Nmap says Linux
  2.6.20-2.6.23, but you're running 2.6.24).  Of course you need to be
  certain you know exactly what is running on the target before you do
  this.

o All of your service fingerprints and corrections submitted until
  January 14, 2008 have now been integrated by Doug.  As usual, he has
  documented his adventures at http://hcsw.org/blog.pl/33 .  More than
  a hundred signatures were added, growing the database to 4,645
  signatures for 457 services.  Corrections are welcome for service
  detection too -- visit http://nmap.org/submit/ if you get incorrect results.

o Nmap now saves the target name (if any) specified on the command
  line, since this can differ from the reverse DNS results.  It can be
  particularly important when doing HTTP tests against virtual hosts.
  The data can be accessed from target->TargetName() from Nmap proper
  and host.targetname from NSE scripts.  The NSE HTTP library now uses
  this for the Host header.  Thanks to Sven Klemm for adding this
  useful feature.

o Added NSE HTTP library which allows scripts to easily fetch URLs
  with http.get_url() or create more complex requests with
  http.request().  There is also an http.get() function which takes
  components (hostname, port, and path) rather than a URL.  The
  HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to
  use this library. Sven Klemm wrote all of this code.

o Fixed an integer overflow in the DNS caching code that caused nmap
  to loop infinitely once it had expunged the cache of older
  entries.  Thanks to David Moore for the report, and Eddie Bell for
  the fix.

o Fixed another integer overflow in the DNS caching code which caused
  infinite loops. [David]

o Added IPv6 host support to the RPC scan.  Attempting this before
  (via -sV) caused a segmentation fault.  Thanks to Will Cladek for
  the report. [Kris]

o Fixed an event handling bug in NSE that could cause execution of
  some in-progress scripts to be excessively delayed. [Marek]

o A new NSE table library (tab.lua) allows scripts to deliver better
  formatted output.  The Zone transfer script (zoneTrans.nse) has been
  updated to use this new facility. [Eddie]

o Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to
  do some much-needed cleaning up. [Kris]

o Added a new MsSQL version detection probe and a bunch of match lines
  developed by Tom Sellers.

o Added a new service detection probe and signatures for the memcached
  service [Doug]

o Added new service detection probes and signatures for the Beast
  Trojan and Firebird RDBMS. [Brandon Enright]

o Fixed a crash in Zenmap which occurred when attempting to edit or
  create a new profile based on an existing one when there wasn't one
  selected.  The error message was:
    'NoneType' object has no attribute 'toolbar'
  Now a new Profile Editor is opened.  Thanks to D1N (d1n@inbox.com)
  for the report. [Kris]

o Fixed another crash in Zenmap which occurred when exiting the
  Profile Editor (while editing an existing profile) by clicking the
  "X", then going to edit the same profile again.  The error message
  was: "No option named '' found!".  Now the same window that appears
  when clicking Cancel comes up when clicking "X".  Thanks to David
  for reporting this bug. [Kris]

o Another Zenmap bug was fixed: ports consolidated into "extra ports"
  groups are now counted and shown in the "Host Details" tab.  The
  closed, filtered and scanned port counts in this tab didn't contain
  this information before so they were usually very inaccurate. [Kris]

o Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay
  buttons ("amount of time between probes") under the Advanced tab in
  the Profile Editor were backwards. [Kris]

o Added the UDP Scan (-sU) and IPProto Ping (-PO) to Zenmap's Profile
  Editor and Command Wizard. [Kris]

o Reordered the UDP port selection for Traceroute: a closed port is
  now chosen before an open one.  This is because an open UDP port is
  usually due to running version detection (-sV), so a Traceroute
  probe wouldn't elicit a response. [Kris]

o Add Famtech Radmin remote control software probe and signatures to
  the Nmap version detection DB. [Tom Sellers, Fyodor]

o Add "Connection: Close" header to requests from HTTP NSE scripts so
  that they finish faster. [Sven Klemm]

o Update SSLv2-support NSE script to run against more services which
  are likely SSL. [Sven Klemm]

o A bunch of service name canonicalization was done in the Nmap
  version detection file by Brandon Enright (e.g. capitalizing D-Link
  and Netgear consistently).

o Upgraded the shipped LibPCRE from version 7.4 to 7.6. [Kris]

o Updated to latest (as of 3/15) autoconf config.sub/config.guess
  files from http://cvs.savannah.gnu.org/viewvc/config/?root=config .

o We now escape newlines, carriage returns, and tabs (\n\r\t) in XML
  output.  While those are allowed in XML attributes, they get
  normalized which can make formatting the output difficult for
  applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
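
An added example of the problem and the fix described above; it is not Nmap's own output code, and the function names and the choice of hexadecimal character references are assumptions. attr_normalize() is a simplified model of what an XML parser does to literal whitespace inside an attribute value, and xml_attr_escape() writes the same characters as references so they survive parsing.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of XML attribute-value normalization: each literal
   tab, line feed and carriage return in the value becomes a space. */
static void attr_normalize(char *s)
{
    for (; *s != '\0'; s++)
        if (*s == '\t' || *s == '\n' || *s == '\r')
            *s = ' ';
}

/* Escape a string for use inside a double-quoted XML attribute.
   Returns 0 on success, -1 if out is too small (out is then empty). */
static int xml_attr_escape(const char *in, char *out, size_t outlen)
{
    size_t used = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (; *in != '\0'; in++) {
        char one[2];
        const char *rep;
        size_t n;

        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        /* Character references are not normalized away by the parser. */
        case '\n': rep = "&#xa;";  break;
        case '\r': rep = "&#xd;";  break;
        case '\t': rep = "&#x9;";  break;
        default:
            one[0] = *in;
            one[1] = '\0';
            rep = one;
            break;
        }
        n = strlen(rep);
        if (used + n + 1 > outlen) {
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, rep, n);
        used += n;
        out[used] = '\0';
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: script output containing a tab and a newline. */
    char raw[] = "col1\tcol2\nrow2";
    char escaped[64];

    if (xml_attr_escape(raw, escaped, sizeof escaped) == 0)
        printf("escaped:            output=\"%s\"\n", escaped);
    attr_normalize(raw);
    printf("unescaped as parsed: output=\"%s\"\n", raw);
    return 0;
}
```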

o The Zenmap man page is now installed on Unix when "make install" is
  run.  This was supposed to work before, but didn't. [Kris]

o Fixed a man page bug related to our DocBook to Nroff translation
  software producing incorrect Nroff output.  The man page no longer
  uses the ".nse" string which was being confused with the Nroff
  no-space mode command. [Fyodor]

o Fixed a bug in which some NSE error messages were improperly escaped
  so that a message including "c:\nmap" would end up with a newline
  between "c:" and "map".

o Updated IANA assignment IP list for random IP (-iR)
  generation. [Kris]

o The DocBook XML source code to the Nmap Scripting Engine docs
  (http://nmap.org/nse/) is now in SVN under docs/scripting.xml .

4.53 [1/12/08]

o Improved Windows executable installer by making uninstall work better
  on systems which changed the default install path.  The shortcut is
  also now deleted properly on Vista. [Rob Nicholls]

o Windows installer is now generated using NSIS 2.34 rather than
  2.13. [Fyodor]

o Added UPnP-info NSE script by Thomas Buchanan. It gathers
  information from the UPnP service (UDP port 1900) which listens on
  many network devices such as routers, printers, and networked media
  players.

o Fixed a --traceroute bug (assertion failure crash) which occurred
  when the first hop of the first host in a tracegroup (reference
  trace) times out.  Thanks to Sebastián García for the bug report and
  testing, and Eddie for the patch.

o Fix a problem which prevented proper port number matching in
  NSE scripts (port_or_service function) due to a variable
  shadowing bug. [Sven Klemm]

o Improved rpcinfo.nse to better sort and display available RPC
  services. [Sven Klemm]

4.52 [1/1/08]

o Fixed Nmap Winpcap installer to use CurrentVersion registry key on
  Windows rather than VersionNumber to more reliably detect Vista
  machines.  This should prevent the XP version of Packet.dll from
  being installed on Vista. [Rob Nicholls]

o The Nmap Scripting Engine (NSE) now supports run-time interaction
  and the Nmap --host-timeout option. [Doug]

o Added nmap.fetchfile() function for scripts so they can easily find
  Nmap's nmap-* data files (such as the OS/version detection DBs, port
  number mapping, etc.) [Kris]

o Updated rpcinfo.nse to use nmap.fetchfile() to read from nmap-rpc
  instead of having a huge table of RPC numbers.  This reduced the
  script's size by nearly 75%. [Kris]

o Fixed multiple NSE scripts that weren't always properly closing their
  sockets.  The error message was:
  "bad argument #1 to 'close' (nsock expected, got no value)" [Kris]

o Added a new version detection probe for the Trend Micro OfficeScan
  product line. [Tom Sellers, Doug]

4.51BETA [12/21/07]

o We now have a detailed Zenmap Guide at http://nmap.org/zenmapguide/ .
  Thanks to David for writing it.

o Added rpcinfo.nse script, which contacts a listening RPC portmapper
  and reports the listening services and port information (like
  rpcinfo -p does).  The script was written by Sven Klemm.  Fyodor
  then enhanced the RPC number list with all of the entries from
  nmap-rpc.

o Added a new NSE script (MySQLinfo) which prints MySQL server information
  such as the protocol and version numbers, status, thread id, capabilities,
  and password salt. [Kris]

o Nmap's output options (-oA, -oX, etc.) now support strftime()-like
  conversions in the filename.  %H, %M, %S, %m, %d, %y, and %Y are
  all the same as in strftime().  %T is the same as %H%M%S, %R is the
  same as %H%M, and %D is the same as %m%d%y.  A % followed by any
  other character just yields that character (%% yields a %).  This
  means that "-oX 'scan-%T-%D.xml'" uses an XML file in the form of
  "scan-144840-121307.xml". [Kris]
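
The conversion rules listed above, implemented as an added example rather than taken from the Nmap source. The function name expand_logname(), the fixed sample time and the handling of a lone trailing % (kept as a literal %) are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Expand the conversions described in the entry into out.
   Returns 0 on success, -1 if out is too small (out is then empty).
   Note that %T, %R and %D differ from standard strftime(), where they
   produce "HH:MM:SS", "HH:MM" and "mm/dd/yy"; here they carry no
   separators, so the result has no ':' or '/' in the file name. */
static int expand_logname(const char *tmpl, const struct tm *tm,
                          char *out, size_t outlen)
{
    size_t used = 0;
    const char *p;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (p = tmpl; *p != '\0'; p++) {
        char piece[16];
        const char *fmt = NULL;
        size_t n;

        piece[0] = *p;          /* default: copy the character itself */
        piece[1] = '\0';
        if (*p == '%' && p[1] != '\0') {
            p++;
            switch (*p) {
            case 'H': fmt = "%H"; break;
            case 'M': fmt = "%M"; break;
            case 'S': fmt = "%S"; break;
            case 'm': fmt = "%m"; break;
            case 'd': fmt = "%d"; break;
            case 'y': fmt = "%y"; break;
            case 'Y': fmt = "%Y"; break;
            case 'T': fmt = "%H%M%S"; break;
            case 'R': fmt = "%H%M"; break;
            case 'D': fmt = "%m%d%y"; break;
            default:  piece[0] = *p; break;  /* %% -> %, %q -> q */
            }
            if (fmt != NULL && strftime(piece, sizeof piece, fmt, tm) == 0) {
                out[0] = '\0';
                return -1;
            }
        }
        n = strlen(piece);
        if (used + n + 1 > outlen) {
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, piece, n);
        used += n;
        out[used] = '\0';
    }
    return 0;
}

/* Constructed sample time: 14:48:40 on 12/13/07, matching the entry. */
static struct tm sample_time(void)
{
    struct tm tm;
    memset(&tm, 0, sizeof tm);
    tm.tm_hour = 14;
    tm.tm_min = 48;
    tm.tm_sec = 40;
    tm.tm_mon = 11;     /* months count from 0 */
    tm.tm_mday = 13;
    tm.tm_year = 107;   /* years since 1900 */
    return tm;
}

int main(void)
{
    struct tm tm = sample_time();
    char name[64];

    if (expand_logname("scan-%T-%D.xml", &tm, name, sizeof name) == 0)
        printf("%s\n", name);
    return 0;
}
```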

o Fixed Winpcap installer to install the right version of Packet.dll
  on Windows Vista. [Fyodor]

o Fixed our Winpcap installer so that it waits for a Winpcap uninstall
  (if needed) to complete before trying to install the new Winpcap.
  [Jah]

o Fix a bunch of warning/error messages which contained an extra
  newline. [Brandon Enright]

o Fixed an error when attempting to scan localhost as an unprivileged
  user on Windows (nmap --unprivileged localhost). The error was:
   "Skipping SYN Stealth Scan against localhost (127.0.0.1) because
    Windows does not support scanning your own machine (localhost) this
    way."
  Now connect scan is used instead of SYN scan. [David]

o Fixed a bug that prevented the --resume option from working on
  Windows. The error message was:
  ..\utils.cc(996): CreateFileMapping(), file 'testresume', length 103,
  mflags 000 00006: The parameter is incorrect.(87)
  [Fixed by David, reported by Rob Nicholls]

o Zenmap's new web page (http://nmap.org/zenmap/) is now shown in the
  Zenmap about dialogue.

o On Windows, paths beginning with \ are now considered absolute when
  used with the --script option. jah (jah(a)zadkiel.plus.com) suggested
  this. [David]

o Zenmap no longer double-spaces its output (by inadvertently
  duplicating newlines) when viewing scan results that were saved to a
  file. [Joao Medeiros]

o Upgraded the shipped LibPCRE from version 7.2 to 7.4. [Kris]

o Fixed Zenmap crash that occurred when selecting Help from the Compare
  Results window. [Kris]

o Updated robots.nse to prevent printing robots.txt comments. [Kris]

o Many version detection match lines were improved to match even when
  newlines appear in binary data returned by the service. [Fixed by
  Doug, suggested by Lionel Cons]

4.50 [12/13/07]

o Bumped up the version number to the big 10th anniversary 4.50
  release!  See http://insecure.org/stf/Nmap-4.50-Release.html .

4.49RC7 [12/10/07]

o A Zenmap crash was fixed. Scanning once, then scanning another target
  on the same scan tab caused an ImportError ("list index out of range")
  in zenmapGUI/ScanNotebook.py. Joao Medeiros reported the
  bug. [David]

o Updated a couple of version detection signatures due to problem
  reports by Lionel Cons. [Doug]

4.49RC6 [12/8/07]

o NSE scripts can now be specified by absolute path to the --script
  option.  This was supposed to work before, but didn't. [David]

o Insert a path separator in returned paths in init_scandir on
  Windows.  Otherwise options such as "--scripts=scripts" (where
  scripts is a directory) were failing with error messages about being
  unable to access things like "C:\Nmap\scriptsanonFTP.nse" (should be
  "C:\Nmap\scripts\anonFTP.nse"). [David]

o Add some "local" declarations to xamppDefaultPass.nse to avoid
  errors like: "SCRIPT ENGINE: [string "Global Access"]:1: Attempted
  to change the global 'socket' ..." [David]

o NSE "shortports" function now by default matches ports in the
  "open|filtered" state as well as "open" ones. [Diman]

o Nsock msevent_new and msevent_delete calls fixed to handle NULL I/O
  descriptors.  This should fix a reported bus error crash. [Diman]

o Prevent old bit.dll and pcre.dll files from being installed in
  nselib directory by Windows executable installer.  Bit.dll is still
  installed in nselib-bin where it belongs.  Thanks to Rob Nicholls for
  reporting the problem. [Fyodor]


4.49RC5 [12/8/07]

o Don't install the orphaned and incomplete Zenmap HTML documentation.
  Instead point to the Nmap documentation site, which provides more
  comprehensive and up-to-date Nmap docs.  We're rapidly improving the
  online Zenmap docs as well.  Of course the Nmap and (new!) Zenmap
  man pages are still installed on Unix. [Fyodor]

o Fix mswin32/Makefile so that the new nselib-bin directory is
  properly included in the Nmap win32 zipfile distribution.  Thanks
  to Rob Nicholls for reporting the problem. [Fyodor]

o Fix host reason reported when the target is found to be "down" due
  to no response. Nmap now reports "no-response" rather than
  "unknown-reason" [Kris]

4.49RC4 [12/7/07]

o David did a huge OS fingerprint integration marathon, going through
  all of your submissions (more than 1600) since August 20.  The 2nd
  generation database has grown more than 30% to 1,085 entries!  Many
  of the existing fingerprints were improved as well.  Notable new or
  greatly improved entries include the iPhone, iPod Touch, Mac OS X
  Leopard, FreeBSD 7.0, Linux 2.6.23, Nokia cell phones (E61, E65, E70,
  E90, N95), and OpenBSD 4.2.  Of course there were all manner of new
  printers, cable/DSL routers, switches, enterprise routers, IP
  phones, cell phones and a heap of obscure equipment such as the
  BeaconMedaes medical gas alarm.  Windows Vista fingerprints were
  also improved significantly.  Please keep those OS fingerprint
  submissions and corrections coming!

o Doug integrated all of your version detection fingerprints and
  corrections since October 4.  The DB now has an incredible 4,542
  signatures for 449 service protocols.  The service protocols with
  the most signatures are http (1,473), telnet (459), ftp (423), smtp
  (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46)
  and nntp (44).

o Included the netbios-smb-os-discovery.nse script which uses NetBIOS
  and SMB queries to guess OS version.  This script was written by
  Judy Novak and contributed by Sourcefire.

o Canonicalized the interface type numbers used internally by
  libdnet. Also Libdnet now recognizes devices with type
  INTF_TYPE_IEEE80211 as Ethernet devices.  This ought to make
  wireless network scanning work on Windows Vista. For more background
  see http://seclists.org/nmap-dev/2007/q4/0391.html. [David]

o Documented the "--script all" option in the man page and NSE
  article.  This option executes all scripts in the NSE database
  regardless of category. [Fyodor]

o NSE scripts can now be specified by name without the .nse
  extension.  So instead of using "--script
  bruteTelnet.nse,HTTPpasswd.nse,SQLInject.nse,robots.nse", you can
  just pass "--script bruteTelnet,HTTPpasswd,SQLInject,robots". [Kris]

o Removed some auto-generated files from the new nselib-bin directory
  as they could cause compatibility problems. Also updated
  mswin32/Makefile to reflect the new nselib-bin DLL location [David]

o ripeQuery.nse was updated to avoid printing some useless
  information. [Kris]

o Compatibility with systems that have the pcre.h header file in its
  own pcre directory should now be fixed for real. [Fyodor]

o Enhanced the radmind service detection signature and added a
  deprecated radmind port to nmap-services. [Matt Selsky]

o Zenmap now gives better errors to stdout when it can't even pop up a
  dialog box (such as when PyGTK can't be loaded). [David]

o Fixed a Zenmap crash which occurred on Mac OS X and possibly other
  platforms.  The error message said: "object of type
  'ScanHostDetailsPage' has no len()". [David]

o Fixed a crash which occurred when an NSE script called
  set_port_version() at times that version scanning was not
  enabled. [Diman]

o Fixed the NSIS installer so that it does not include some excess
  files (mswin32/* and .svn).  Thanks to Alan Jones for reporting the
  problem. [Fyodor]

o Renamed some Zenmap Python packages to allow Zenmap and Umit to be
  installed at the same time. [David]

o Updated nmap-mac-prefixes with the latest IEEE data.  Also added
  back Cooperative Linux virtual NIC which was inadvertently removed in
  a previous release. [Fyodor]

4.23RC3 [11/27/07]

o Zenmap now has a man page!  It isn't very long yet, but covers the
  basics.  Thanks to David for writing this.

o A new NSE script, promiscuous.nse, scans devices on a local network
  looking for sniffers (devices running in promiscuous mode).  This
  script is from Marek Majkowski and is the first to use the NSE pcap
  extension system (which he also wrote).  The script is only in the
  discovery category for now so it does not run by default.  Specify
  it by name for now.  We may make it default after the upcoming
  stable release.

o Nmap can now handle IP aliases on Windows.  A given device such as
  eth0 might have several IP addresses.  Nmap will use the primary
  address, so you need to use -S if you want to specify a different
  one. [David]

o An exception (rather than luaL_argerror) is now thrown when an SSL
  connection is attempted but OpenSSL isn't available. [David]

o There is now an nmap.have_ssl NSE function so you can avoid doing
  NSE probes when SSL isn't available. [David]

o Zenmap gives clearer error messages when an import error occurs or
  Zenmap's dump files aren't found. [David]

o Zenmap now looks for its data files relative to the directory of the
  zenmap script to allow running from the build/svn directory. [David]

o NSE C modules are now installed into an nselib-bin directory.  This
  was needed to make the dns-test-open-recursion and zoneTrans NSE
  scripts work properly, since they use the NSE bit library
  (bit.so). [Diman, Fyodor]

o Auxiliary autoconf scripts such as config.guess, config.sub,
  depcomp, install-sh, and ltmain.sh were deleted from Nmap
  subdirectories because configure is smart enough to use the ones from
  the parent directory.  This decreases the Nmap source tarball and svn
  checkout sizes. [David]

o Nmap now compiles on systems which have the libPCRE include file in
  pcre/pcre.h rather than just pcre.h.  Thanks to Lionel Cons for the
  report. [Fyodor]

o Nmap binary is now stripped again, but it now uses -x to avoid
  stripping dynamically loaded NSE functions on Mac OS X. [David]

o Normalized Zenmap's handling of results files specified on the
  command line.  In some cases, Zenmap would ignore specified results
  files just because some unrelated options were used. [David]

o configure.ac now uses literal directory names rather than variable
  references in calls to AC_CONFIG_SUBDIRS.  This removes an annoying
  warning message which has existed for years when you regenerate
  configure. [David]

o Fixed a configure.ac error which prevented you from specifying an
  alternative libnsock directory. [David]

o Check for Python in configure only if Zenmap is requested, and bail
  out if Zenmap is explicitly requested (--with-zenmap) and Python is
  not available. [David]

o Removed some unimplemented Zenmap command-line options and function
  calls. [David]

4.23RC2 [11/18/07]

o Static code analysis company Coverity generously offered to scan the
  Nmap code base for flaws, and Kris volunteered to go through their
  report and fix the ones which were actual/possible problems rather
  than false positives.  Their system proved quite useful, and about a
  dozen potential problems were fixed.  For details, see Kris'
  11/15/07 SVN commits.

o Improved the Zenmap RPM file so that it should work on either Python
  2.4 or Python 2.5 machines.  It should also work on any platform (x86,
  x86_64, etc.) [David]

o WinPcap updated from version 4.0.1 to the new 4.0.2 release. [David]

o Added PPTP version detection NSE script (PPTPversion.nse) from
  Thomas Buchanan.  Nmap now ships with 38 NSE scripts.

o A number of Solaris compilation fixes were added.  Hopefully it
  works for more Solaris users now. We also fixed an alignment issue
  which could cause a bus error on Solaris. [David]

o When an NSE script changes the state of a port (e.g. from
  open|filtered to open), the --reason flag is now changed to
  "script-set".  Also, the port state reason is now available to NSE
  scripts through a "reason" element in the port-table.  Thanks to
  Matthew Boyle for the patch.

o When version detection changes the state of a port, the reason field
  is now updated as well (to udp-response or tcp-response as
  applicable).  Thanks to Thomas Buchanan for the patch.

o Reworded an error message after a woman reported that it was "highly
  offensive and sexist".  She also noted that "times have changed and
  many women now use your software" and "a sexist remark like the one
  above should have no place in software."  The message was: "TCP/IP
  fingerprinting (for OS scan) requires root privileges. Sorry,
  dude.".  I checked svn blame to call out the insensitive,
  chauvinistic jerk who wrote that error message, but it was me :).

o We received a bug report through Debian entitled "Nmap is a
  clairvoyant" because when you run it with -v on September 1 1970, it
  reports "Happy -27th Birthday to Nmap, may it live to be 73!".  We
  have decided that clairvoyance is a feature and ignored the report.

o We no longer strip the Nmap binary before installing it, as that was
  leading to a runtime error on Mac OS X: "lazy symbol binding failed:
  Symbol not found: _luaL_openlib".  Unfortunately, the unstripped
  Nmap binary can be much larger (e.g. 4MB vs. 800KB) so we are
  working on a better fix which allows us to continue stripping the
  binary on other platforms.

o Zenmap configuration/customization files renamed from ~/.umit to
  ~/.zenmap and umit.conf to zenmap.conf, etc. [David]

o Fixed a Zenmap bug where if you try to edit a profile and then
  click cancel, that profile ends up deleted. [Luis A. Bastiao]

o The NSE shortport rules now allow for multiple matching states
  (e.g. open or open|filtered) to be specified. This silently failed
  before. [Eddie]

o Regenerate configure scripts with Autoconf 2.61 and update
  config.guess and config.sub files with the latest versions from
  http://cvs.savannah.gnu.org/viewvc/config/?root=config . [David]

4.23RC1 [11/10/07]

o NmapFE is now gone.  It had a good run as the default Nmap GUI
  for more than 8 years (since April 1999).  But after two years of
  development, Zenmap is ready to take its place.  Zenmap is portable
  and provides a much better interface to executing and (especially)
  viewing and analyzing Nmap results.  David did the honors of
  removing NmapFE.

o We have lost another old friend as well: the 1st generation OS
  detection system.  Nmap revolutionized OS detection when this was
  released in October 1998 and it served us well for more than 9 years
  as the database grew to 1,684 fingerprints.  But the 2nd generation
  system incorporates everything we learned during all those years and
  has proven itself even more effective.  I couldn't bear to kill this
  myself, so David did the dirty work.

o There is no longer any artificial limit on the number of ports or
  protocols that can be used for host discovery. Port lists for ping
  scan now use the same syntax as the -p option except that T:, U:,
  and P: are not allowed. This means that you can do
    nmap -PS1-1000 target
    nmap -PAhttp,https target
    nmap -PU'[-]' target
  [David]

o Zenmap is now available packaged in RPM format.  Since Zenmap is
  written in Python, we no longer have to have separate x86 and x86_64
  versions like we did with NmapFE (and like we still do with
  Nmap). [David]

o Fixed a crash (assertion failure) which could occur during ARP Ping
  scan [Kris]

o Fixed Zenmap so that it can handle asterisks in the command line
  (e.g. "nmap 192.168.*.*" or "nmap -phttp* localhost") [David]

o Change the Zenmap bug report dialogue to now give instructions for
  reporting issues to nmap-dev. [David]

o Modified higwidgets/higdialogs.py for compatibility with old
  versions of PyGTK. [David]

o Updated IANA assignment IP list for random IP (-iR)
  generation. [Kris]

o Fixed a number of spelling errors in the Reference Guide (man page)
  [Doug]

4.22SOC8 [10/28/07]

o Removed the old massping() system, since the functionality has now
  been migrated into the existing ultra_scan() system (which is used
  for port scanning too).  Thanks to David for doing the migration,
  which involved a lot of work and testing.  The new system is
  frequently faster and more accurate than massping(), and some of the
  new algorithms benefit port scans too.

o Renamed Umit to Zenmap to reduce confusion between the version we
  ship with Nmap as the integrated GUI and the version maintained
  separately at umit.sourceforge.net.  We are excited about Zenmap and
  expect to remove NmapFE in the near future.

o Integrated all of your Q3 service detection submissions!  We have
  now surpassed 4500 signatures and are approaching 500 service
  protocols.  Wow!  Thanks to Doug for doing the integration.  His
  notes on the crazy and interesting services discovered this quarter
  are at http://hcsw.org/blog.pl/31 .

o Added a new ping type: IPProto Ping.  Use -PO (that is the letter O
  as in prOtOcOl, not a zero).  This is similar to protocol scan (-sO)
  in that it sends IP headers with different protocols in the hope of
  eliciting a response from targets.  The default is to send with
  protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP tunnel), but you can
  specify different protocol numbers on the command line the same way
  you specify TCP/UDP ports to -PS or -PU. To reduce confusion, we now
  recommend that -PN be used when you don't want pings done rather
  than using the old -P0 (zero). [Kris]

o The SMTPcommands.nse script was updated to support the HELP query in
  addition to EHLO [Jason DePriest]

o Added --ttl support for connect() scans (-sT). [Kris]

o Combine the Zenmap setup scripts into one portable setup.py rather
  than having separate versions for Windows, Unix, and Mac OS X.

o Removed a bunch of unnecessary/incomplete code and data files from
  Zenmap. [David]

o In Nbase, switched from GNU's getopt() replacement functions to
  Ben Sittler's BSD-licensed (but GNU compatible) functions. [Kris]

o Include nmap.h in portreasons.h.  This fixes a compilation problem
  reported on OpenBSD. [David]

o Change PCRE from an NSELib module back to statically linked code due
  to OpenBSD compilation problems.  See
  http://seclists.org/nmap-dev/2007/q4/0085.html [David]

o Fix a problem with --reason printing the wrong host discovery
  reasons when ICMP destination unreachable packets arrived. [Kris]

o Nmap has better dependency tracking now such that it no longer
  builds the executable every time you type 'make'.  This was causing
  problems where 'make; sudo make install' would create a root-owned
  nmap executable because it was rebuilt as part of 'make
  install'. [David]

4.22SOC7 [10/11/07]

o Integrated all of your OS detection new fingerprint submissions and
  correction reports.  The DB grew more than 18% to 825
  fingerprints.  Keep those submissions coming!  [David]

o Made a number of significant improvements to host discovery
  algorithms for better performance and reliability. [David]

o Fixed a bug which prevented the first OS detection guess from being
  included in XML output.  This only applies when no exact matches
  were found.  Thanks to Martyn Tovey of Netcraft for reporting the
  problem and helping to track it down in the code.

o Improve the script scan scheduling system to prevent the system from
  running out of sockets by executing too many scripts concurrently
  during large scans.  Thanks to Brandon Enright for finding the bug
  and Stoiko for fixing it.

o Added nmap.verbosity() and nmap.debugging() functions for scripts to
  determine the Nmap verbosity/debugging level. [Kris]

o Fixed a crash (assertion error) which occurred when the first hop of
  the first system (reference trace) times out. [Eddie]

o UMIT no longer rewrites a bunch of script files to replace variables
  such as VERSION and REVISION in the SVN working directory. [David,
  Adriano]

o UMIT icon loading code simplified and made platform
  independent. [David]

o Removed PIL dependency from UMIT package generation system.  We now
  use GTK to put the version number in the splash screen. [Adriano]

o UMIT no longer crashes just because documentation files are
  missing. [Adriano]

o Removed unnecessary recent_scans.txt and target_list.txt files from
  UMIT. Some unnecessary copies of Nmap data files were removed as
  well. [David, Adriano]

o Updated the *.dmp preprocessed Nmap data files used by UMIT, and
  also updated the scripts used to create them. [David]

o Winpcap installer was updated so that on Windows Vista it uses a
  different Packet.dll and omits WanPacket.dll. [Eddie]

o Unix installation now places NSELib dynamic libraries in 'libexec'
  rather than 'share' directories, since they are architecture
  dependent.  Thanks to Christoph J. Thompson for the patch.

o Fix bug related to users providing custom libpcre location to
  configure (reported by Daniel Johnson, fixed by Stoiko).  A patch
  from Marek Majkowski which caps the number of sockets opened by NSE
  scripts was also applied.

o The UMIT version number is automatically updated to be the same as
  the Nmap version number rather than always being 0.9.4. [David]

o UMIT now sorts port numbers numerically rather than alphabetically
  [Adriano]

o Three UMIT data files (options.xml, profile_editor.xml, and
  wizard.xml) are installed in the shared UMIT data directory
  (e.g. /usr/share/umit/misc) rather than in every user's ~/.umit
  directory. [David]

o Added HTTPtrace demo NSE script by Kris, who also updated his
  HTTPpasswd script.

o A bunch of capitalization/spelling canonicalization changes were
  made to Nmap output. For example: ftp to FTP and idlescan to
  idle scan.

o Made some improvements to the nmap.xsl stylesheet for converting
  Nmap XML results to HTML reports.  It now does a better job at
  removing empty sections and headers. Thanks to Henrik Lund Kramshoej
  for the patch.

o Updated nmap-mac-prefixes with the latest IEEE data.

o Disabled auto-generation of libpcre/pcre_chartables.c because that
  was useless for our purposes and could also cause some version
  control related problems. [David]

o Updated IANA assignment IP list for random IP (-iR)
  generation. [Kris]

4.22SOC6 [8/29/07]

o Included David's major massping migration project.  The same
  underlying engine is now used for ping scanning as for port
  scanning.  We hope this will lead to better performance and
  accuracy, as well as helping to de-bloat Nmap.  Please test it out
  and report your results to nmap-dev!  For more details, see
  http://seclists.org/nmap-dev/2007/q3/0277.html

o Fixed UMIT bug which occurred when installing to a non-standard
  directory (e.g. a home directory).  This caused Python to not be able
  to find the necessary files. [Kris]

o Added an NSE script (HTTPpasswd.nse) for finding directory traversal
  problems and /etc/passwd files on web servers. [Kris]

o Fixed an error related to version scans against SSL services on
  UNIX.  The error said "nsock_connect_ssl called - but nsock was
  built w/o SSL support. QUITTING".  Thanks to Jason DePriest for
  tracking down the problem and David Fifield for fixing it.

o Removed win_dependencies cruft from UMIT directory. [Kris]

o Upgraded Libpcap from version 0.9.4 to 0.9.7 [Kris]

o Removed the effectively empty XML elements for traceroute hops which
  timed out. [Eddie]

o Fixed (I hope) a problem with running Nmap on Mac OS X machines with
  VMWare Fusion running.  The error message started with:
  "getinterfaces: Failed to open ethernet interface (vmnet8). A
  possible cause on BSD operating systems is running out of BPF
  devices ...."  For more details, see
  http://seclists.org/nmap-dev/2007/q3/0254.html.

o Check that --script arguments are reasonable when Nmap starts rather
  than potentially waiting for a bunch of port scanning to finish
  first. [Stoiko]

o Fixed (we hope) a UMIT problem which resulted in the error message:
  "NameError: global name 'S_IRUSR' is not defined". [Adriano]

o Removed an error message which used to appear when you quit UMIT on
  Windows.  The message used to say "Errors occurred - See the logfile
  [filename] for details." [Adriano]

o Fix permissions on files installed by Umit so that it should work
  even if you do 'make install' from an account with a 077 umask.

o Add a feature to Umit that lets you search your unsaved
  scans. [Eddie]

o Added back a previously removed feature which allows you to specify
  'rnd' as one of your decoys (-D option) to let Nmap choose a random
  IP.  You can also use a format such as rnd:5 to generate five random
  decoys. [Kris]

o Reference guide (man page) updates to the NSE section, and some
  general cleanup.

o When Nmap finishes, it now says "Nmap done" rather than "Nmap run
  completed".  No need to waste pixels on excess verbiage.

4.22SOC5 [8/18/07]

o The Windows installer should actually install UMIT properly now.

o Remove umit.db from the installation process.  Let Umit create a new
  one on its own when needed.

o Fixed the UMIT portion of the Windows installer build system to
  detect certain heinous errors (like not being able to find Python)
  and bail out. [Kris]

o Prevent scripts directory from containing .svn cruft when using the
  Win32 installer (thanks to David Fifield for the patch).

4.22SOC3 [8/16/07]

o Umit is now included in the Nmap Windows executable installer.
  Please give it a try and let us know what you think!  Kris put a lot
  of work into getting this set up.

o Added four new NSE scripts: HTTP proxy detection (Arturo 'Buanzo'
  Busleiman), DNS zone transfer attempt (Eddie), detecting SQL
  injection vulnerabilities on web sites (Eddie), and fetching and
  displaying portions of /robots.txt from web servers (Eddie).

o All of your 2nd Quarter 2007 Nmap version detection fingerprints
  were integrated by Doug.  The DB now contains 4,347 signatures for
  439 service protocols.  Doug describes the highlights (craziest
  services found) in his integration report at
  http://hcsw.org/blog.pl/29 .

o NSE now supports raw IP packet sending and receiving thanks to a
  patch from Marek Majkowski.  Diman handled testing and applied the
  patch.

o Nmap now has Snprintf() and Vsnprintf() as safer alternatives to the
  standard versions.  The problem is that the Windows versions of these
  functions (_snprintf, _vsnprintf) don't properly terminate strings
  when they have to truncate them.  These wrappers ensure that the
  string written is always terminated.  Thanks to Kris for doing the work.

o Upgraded libpcre from version 6.7 to 7.2 [Kris]

o Merged various Umit bug fixes from SourceForge trunk: "missing import
  webbrowser on umit", "Missing markup in 'OS Class' on
  HostDetailsPage", "some command line options are now working
  (target, profile, verbose, open result file and run an nmap
  command)", "removing unused functions import from os.path",
  "verbosity works on command line"

o Eddie fixed several Umit bugs.  Umit now sets the file save
  extension to .usr unless the user specifies something else. The
  details highlight regular expression was improved and an error
  message was added when no target was specified and -iR and -iL
  aren't used.

o reason.cc/reason.h renamed to portreasons.cc/.h because a reason.h
  in the Windows platform SDK was causing conflicts. [Kris]

o Fixed a bug in --iflist which would lead to crashes.  Thanks to
  Michael Lawler for the report, and Eddie for the fix.

o Finished updating Winpcap to 4.01 (a few static libraries were
  missed) [ Eddie ]

o Added NSE support for buffered data reads. [Stoiko]

o Added new --script-args option for passing arguments to NSE scripts
  [Stoiko]

o Performed a bunch of OS fingerprint text canonicalization thanks to
  reports of dozens of capitalization inconsistencies from Suicidal Bob.

o Fixed an assertion failure which could be experienced when script
  scan was requested without also requesting version scan. [Stoiko]

o Fixed an output bug on systems like Windows which return -1 when
  vsnprintf is passed a too-small buffer rather than returning the
  size needed.  Thanks to jah (jah(a)zadkiel.plus.com) for the report.

o Added sys/types.h include to portreasons.h to help OpenBSD compilation.  
  Thanks to Olivier Meyer for the patch.

o Many hard coded function names and instances of __FUNCTION__ were
  changed to __func__ [Kris]

o Configure scripts for Nmap, Nbase, and Nsock were optimized to
  remove redundant checks.  This improves compilation time
  performance. [Eddie]

o Updated IANA assignment IP list for random IP (-iR)
  generation. [Kris]
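
The Snprintf()/Vsnprintf() entry and the vsnprintf -1 entry in the 4.22SOC3 notes above describe one hazard: a formatter that, on truncation, leaves the buffer unterminated and returns -1 rather than the size needed. The following C code is an added example, not Nmap's or Nbase's own code; legacy_vsnprintf is a constructed stand-in emulating that Windows-style contract, and safe_snprintf/safe_vsnprintf are hypothetical names for a wrapper that always terminates the string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a formatter with the legacy contract the
   entries describe: on truncation it fills the buffer, writes no
   terminating NUL, and returns -1 instead of the length needed. */
static int legacy_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    char tmp[512];
    int len = vsnprintf(tmp, sizeof tmp, fmt, ap);

    if (len < 0 || (size_t)len >= sizeof tmp)
        return -1;                          /* demo limit: must fit in tmp */
    if ((size_t)len < size) {
        memcpy(buf, tmp, (size_t)len + 1);  /* fits, NUL included */
        return len;
    }
    if (size > 0)
        memcpy(buf, tmp, size);             /* truncated: no NUL written */
    return ((size_t)len == size) ? len : -1;
}

static int legacy_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int ret;

    va_start(ap, fmt);
    ret = legacy_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return ret;
}

/* Hypothetical wrapper: the result is always NUL-terminated.  Returns the
   number of characters stored (excluding the NUL) and sets *truncated when
   output was cut, so callers never index with a negative or oversized
   return value. */
int safe_vsnprintf(char *buf, size_t size, int *truncated,
                   const char *fmt, va_list ap)
{
    int ret;

    if (truncated)
        *truncated = 0;
    if (buf == NULL || size == 0) {
        if (truncated)
            *truncated = 1;
        return 0;
    }
    ret = legacy_vsnprintf(buf, size, fmt, ap);
    if (ret < 0 || (size_t)ret >= size) {
        buf[size - 1] = '\0';               /* force termination */
        if (truncated)
            *truncated = 1;
        return (int)(size - 1);
    }
    return ret;
}

int safe_snprintf(char *buf, size_t size, int *truncated, const char *fmt, ...)
{
    va_list ap;
    int ret;

    va_start(ap, fmt);
    ret = safe_vsnprintf(buf, size, truncated, fmt, ap);
    va_end(ap);
    return ret;
}

/* Returns 1 if the unwrapped legacy call reported -1 and left the whole
   buffer without a NUL byte.  The host name and port are constructed. */
int legacy_truncation_is_unterminated(void)
{
    char buf[8];
    int ret;

    memset(buf, 'X', sizeof buf);
    ret = legacy_snprintf(buf, sizeof buf, "%s:%d", "scanme.example", 31337);
    return ret == -1 && memchr(buf, '\0', sizeof buf) == NULL;
}

int main(void)
{
    char buf[8];
    int truncated = 0;
    int n;

    printf("legacy leaves buffer unterminated: %d\n",
           legacy_truncation_is_unterminated());
    n = safe_snprintf(buf, sizeof buf, &truncated, "%s:%d",
                      "scanme.example", 31337);
    printf("wrapped: \"%s\" stored=%d truncated=%d\n", buf, n, truncated);
    return 0;
}
```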

4.22SOC2 [7/11/07]

o NSE compilation fixes by Stoiko and Kris

4.22SOC1 [7/8/07]

o The UMIT graphical Nmap frontend is now included (as an ALPHA TEST
  release) with the Nmap tarball distribution.  It isn't yet in the
  RPMs or the Windows distributions.  UMIT is written with Python/GTK
  and has many huge advantages over NmapFE.  It installs from the Nmap
  source tarballs as part of the "make install" process unless you
  specify --without-umit to configure.  Please give UMIT a try (the
  executable is named umit) and let us know the results!  We hope to
  include UMIT in the Windows Nmap distributions soon.

o Added more Nmap Scripting Engine scripts, bringing the total to 31.
  The new ones are bruteTelnet (Eddie Bell), SMTPcommands (Jason
  DePriest), iax2Detect (Jason), nbstat (Brandon Enright),
  SNMPsysdescr (Thomas Buchanan), HTTPAuth (Thomas), finger (Eddie),
  ircServerInfo (Doug Hoyte), and MSSQLm (Thomas Buchanan).

o Added the --reason option which explains WHY Nmap assigned a port
  status.  For example, a port could be listed as "filtered" because
  no response was received, or because an ICMP network unreachable
  message was received. [ Eddie ]

o Integrated all of your 2nd generation OS detection submissions,
  increasing the database size by 68% since 4.21ALPHA4 to 699
  fingerprints.  The 2nd generation database is now nearly half (42%)
  the size of the original.  Please keep those submissions coming so
  that we can do another integration round before the SoC program ends
  on August 20!  Thanks to David Fifield for doing most of the
  integration work!

o Integrated version detection submissions.  The database has grown by
  more than 350 signatures since 4.21ALPHA4.  Nmap now has 4,236
  signatures for 432 service protocols.  As usual, Doug Hoyte deserves
  credit for the integration marathon, which he describes at
  http://hcsw.org/blog.pl .

o Added the NSE library (NSELib) which is a library of useful
  functions (which can be implemented in Lua or as loadable C/C++
  modules) for use by NSE scripts.  We already have libraries for bit
  operations (bit), list operations (listop), URL fetching and
  manipulation (url), activation rules (shortport), and miscellaneous
  commonly useful functions (stdnse).  Stoiko added the underlying
  functionality, though numerous people contributed to the library
  routines.

o Added --servicedb and --versiondb command-line options which allow
  you to specify a custom Nmap services (port to port number translation
  and port frequency) file or version detection database. [ David
  Fifield ]

o The build dependencies were dramatically reduced by removing
  unnecessary header includes and moving header includes from .h
  files to .cc as well as adding some forward declarations.  This
  reduced the number of makefile.dep dependencies from 1469 to 605.
  This should make Nmap compilation faster and prevent some
  portability problems. [David Fifield]

o Upgraded from WinPcap 3.1 to WinPcap 4.01 and fixed a WinPcap installer
  error. [Eddie]

o In verbose mode, Nmap now reports where it obtains data files (such as
  nmap-services) from. [David Fifield]

o Canonicalized a bunch of OS classes, device types, etc. in the OS
  detection and version scanning databases so they are named
  consistently. [Doug]

o If we get an ICMP Protocol Unreachable from a host other than our
  target during a port scan, we set the state to 'filtered' rather than
  'closed'. This is consistent with how port unreachable errors work for
  udp scan. [Kris]

o Relocated OSScan warning message (could not find 1 closed and 1 open
  port). Now output.cc prints the warning along with a target's OSScan
  results. [Eddie]

o Fixed a bug which caused port 0 to be improperly used for gen1 OS
  detection in some cases when your scan includes port 0 (it isn't
  included by default).  Thanks to Sebastian Wolfgarten for the report
  and Kris Katterjohn for the fix.

o The --iflist table now provides Winpcap device names on
  Windows. [Eddie]

o The Nmap reference guide (man page) DocBook XML source is now in the
  SVN repository at svn://svn.insecure.org/nmap/docs/refguide.xml .

o NSE now has garbage collection so that if you forget to close a
  socket before exiting a script, it is closed for you. [Stoiko]

o The [portused] tag in XML output now provides the open TCP port used
  for OS detection as well as the closed TCP and UDP ports which were
  reported previously. [Kris]

o XML output now has a [times] tag for reporting final time
  information which was already printed in normal output in verbose
  mode (round trip time, rtt variance, timeout, etc.) [Kris]

o Changed the XML output format so that the [extrareasons] tag (part
  of Eddie's --reason patch) falls within the [extraports] tag. [Kris]

o Nmap now provides more concise OS fingerprints for submission thanks
  to better merging. [David Fifield]

o A number of changes were made to the Windows build system to handle
  version numbers, publisher field, add/remove program support,
  etc. [Eddie]

o The Nmap -A option now enables the traceroute option too [Eddie]

o Improved how the Gen1 OS Detection system selects which UDP ports to
  send probes to.  [Kris]

o Updated nmap-mac-prefixes to latest IEEE data as of 5/18/07. Also
  removed some high (greater than 0x80) characters from some company
  names because they were causing this error on Windows when Nmap is
  compiled in Debug mode:
  "isctype.c Line 56: Expression: (unsigned)(c + 1) <= 256".
  Thanks to Sina Bahram for the initial report and Thomas Buchanan for
  tracking down the problem.

o Added a SIP (IP phone) probe from Matt Selsky to nmap-service-probes.

o Fixed a bug which prevented the NSE scripts directory from appearing
  in the Win32 .zip version of Nmap.

o Fixed a bug in --traceroute output.  It occurred when a traced host could
  be fully consolidated, but only the first hop number was outputted. [Kris]

o The new "rnd" option to -D allows you to ask Nmap to generate random
  decoy IPs rather than having to specify them all yourself. [Kris]

o Fixed a Traceroute bug relating to scanning through the localhost
  interface on Windows (which previously caused a crash).  Thanks to
  Alan Jones for the report and Eddie Bell for the fix.

o Fixed a traceroute bug related to tracing between interfaces of a
  multi-homed host.  Thanks to David Fifield for reporting the problem
  and Eddie Bell for the fix.

o Service detection (-sV) and OS detection (-O) are now (rightfully)
  disabled when used with the IPProto Scan (-sO).  Using the Service
  Scan like this led to premature exiting, and the OS Scan led to gross
  inaccuracies.  [Kris]

o Updated IANA assignment IP list for random IP (-iR) generation. [Kris]

4.21ALPHA4 [3/20/07]

o Performed another big OS detection run.  The DB has grown almost 10%
  to 417 fingerprints.  All submissions up to February 6 have been
  processed.  Please keep them coming!

o Fixed XML output so that the opening [os] tag is printed again.  The
  line which prints this was somehow removed when NSE was integrated.
  Thanks to Joshua Abraham for reporting the problem.

o Fixed a small bug in traceroute progress output which didn't
  properly indicate completion. [Kris]

o Fixed a portability problem related to the new traceroute
  functionality so that it compiles on Mac OS X.  Thanks to Christophe
  Thil for reporting the problem and sending the 1-line fix.

o Updated nmap-mac-prefixes to include the latest MAC prefix (OUI)
  data from the IEEE as of March 20, 2007.

4.21ALPHA3 [3/16/07]

o Just fixed a packaging problem with the 4.21ALPHA2 release (thanks
  to Alan Jones for reporting it).

4.21ALPHA2 [3/15/07]

o Performed a huge OS detection submission integration marathon.  More
  than 500 submissions were processed, increasing the 2nd generation
  OS DB size 65% to 381 fingerprints.  And many of the existing ones
  were improved.  We still have a bit more than 500 submissions (sent
  after January 16) to process.  Please keep those submissions coming!

o Integrated all of your Q3 2006 service fingerprint submissions.  The
  nmap-service-probe DB grew from 3,671 signatures representing 415
  service protocols to 3,877 signatures representing 426 services.  Big
  thanks to version detection czar Doug Hoyte for doing this.  Notable
  changes are described at http://hcsw.org/blog.pl?a=20&b=20 .

o Nmap now has traceroute support, thanks to an excellent patch by
  Eddie Bell. The new system uses Nmap data to determine which sort of
  packets are most likely to slip through the target network and
  produce useful results.  The system is well optimized for speed and
  bandwidth efficiency, and the clever output system avoids repeating
  the same initial hops for each target system.  Enable this
  functionality by specifying --traceroute.

o Nmap now has a public Subversion (SVN) source code repository.  See
  the announcement at http://seclists.org/nmap-dev/2006/q4/0253.html
  and then the updated usage instructions at
  http://seclists.org/nmap-dev/2006/q4/0281.html .

o Fixed a major accuracy bug in gen1 OS detection (some debugging code
  was accidentally left in).  Thanks to Richard van den Berg for finding
  the problem.

o Changed the IP protocol scan so that it sends proper IGMP headers when
  scanning that protocol.  This makes it much more likely that the host
  will respond, proving that it's "open".  [Kris]

o Improved the algorithm for classifying the TCP timestamp frequency
  for OS detection.  The new algorithm is described at
  http://nmap.org/osdetect/osdetect-methods.html#osdetect-ts .

o Fixed the way Nmap detects whether one of its data files (such as
  nmap-services) exists and has permissions which allow it to be read.

o Added a bunch of nmap-services port listings from Stephanie Wen.

o Update IANA assignment IP list for random IP (-iR) generation.
  Thanks to Kris Katterjohn for the patch.

o Fix nmap.xsl (the transform for rendering Nmap XML results as HTML)
  to fix some bugs related to OS detection output.  Thanks to Tom
  Sellers for the patch.

o Fixed a bug which prevented the --without-liblua compilation option
  from working.  Thanks to Kris Katterjohn for the patch.

o Fixed a bug which caused nmap --iflist to crash (and might have
  caused crashes in other circumstances too).  Thanks to Kris
  Katterjohn for the report and Diman Todorov for the fix.

o Applied a bunch of code cleanup patches from Kris Katterjohn.

o Some scan types were fixed when used against localhost. The UDP Scan
  doesn't find its own port, the TCP Scan won't print a message (with -d)
  about an unexpected packet (for the same reason), and the IPProto Scan
  won't list every port as "open" when using --data-length >= 8.  [Kris]

o The IPProto Scan should be more accurate when scanning protocol 17 (UDP).
  ICMP Port Unreachables are now checked for, and UDP is listed as "open"
  if it receives one rather than "open|filtered" or "filtered".  [Kris]

o The --scanflags option now also accepts "ECE", "CWR", "ALL" and "NONE" as
  arguments.  [Kris]

o The --packet-trace option was added to NmapFE.  The Ordered Ports (-r)
  option is now available to non-root users on NmapFE as well. [Kris]

4.21ALPHA1 [12/10/06]

o Integrated the Nmap Scripting Engine (NSE) into mainline Nmap.
  Diman Todorov and I have been working on this for more than six months, and
  we hope it will expand Nmap's capabilities in many cool ways.  We're
  accepting (and writing) general purpose scripts to put into Nmap
  proper, and you can also write personal scripts to deal with issues
  specific to your environment.  The system is documented at
  http://nmap.org/nse/ .

o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
  (http://standards.ieee.org/regauth/oui/oui.txt) as of December 7.

4.20 [12/7/06]

o Integrated the latest OS fingerprint submissions.  The 2nd
  generation DB size has grown to 231 fingerprints.  Please keep them
  coming!  New fingerprints include Mac OS X Server 10.5 pre-release,
  NetBSD 4.99.4, Windows NT, and much more.

o Fixed a segmentation fault in the new OS detection system
  which was reported by Craig Humphrey and Sebastian Garcia.

o Fixed a TCP sequence prediction difficulty indicator bug. The index
  is supposed to go from 0 ("trivial joke") to about 260 (OpenBSD).
  But some systems generated ISNs so insecurely that Nmap went
  berserk and reported a negative difficulty index.  This generally
  only affects some printers, crappy cable modems, and Microsoft
  Windows (old versions).  Thanks to Sebastian Garcia for helping me
  track down the problem.

4.20RC2 [12/2/06]

o Integrated all of your OS detection submissions since RC1.  The DB
  has increased 13% to 214 fingerprints.  Please keep them coming!
  New fingerprints include versions of z/OS, OpenBSD, Linux, AIX,
  FreeBSD, Cisco CatOS, IPSO firewall, and a slew of printers and
  misc. devices.  We also got our first Windows 95 fingerprint,
  submitted anonymously of course :).

o Fixed (I hope) the "getinterfaces: intf_loop() failed" error which
  was seen on Windows Vista.  The problem was apparently in
  intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to
  MAX_IF_TYPE rather than 32).  Thanks to Dan Griffin
  (dan(a)jwsecure.com) for tracking this down!

o Applied a couple minor bug fixes for IP options
  support and packet tracing.  Thanks to Michal Luczaj
  (regenrecht(a)o2.pl) for reporting them.

o Incorporated SLNP (Simple Library Network Protocol) version
  detection support.  Thanks to Tibor Csogor (tibi(a)tiborius.net) for
  the patch.

4.20RC1 [11/20/06]

o Fixed (I hope) a bug related to Pcap capture on Mac OS X.  Thanks to
  Christophe Thil for reporting the problem and to Kurt Grutzmacher
  and Diman Todorov for helping to track it down.

o Integrated all of your OS detection submissions since ALPHA11.  The
  DB has increased 27% to 189 signatures.  Notable additions include
  the Apple Airport Express, Windows Vista RC1, OpenBSD 4.0, a Sony
  TiVo device, and tons of broadband routers, printers, switches, and
  Linux kernels.  Keep those submissions coming!

o Upgraded the included LibPCRE from version 6.4 to 6.7.  Thanks to
  Jochen Voss (voss(a)seehuhn.de) for the suggestion (he found some bugs
  in 6.4).

4.20ALPHA11 [11/2/06]

o Integrated all of your OS detection submissions, bringing the
  database up to 149 fingerprints.  This is an increase of 28% from
  ALPHA10.  Notable additions include FreeBSD 6.1, a bunch of HP
  LaserJet printers, and HP-UX 11.11.  We also got a bunch of more
  obscure submissions like Minix 3.1.2a and "Ember InSight Adapter for
  programming EM2XX-family embedded devices".  Who doesn't have a few
  of those laying around?  I'm hoping that all the obscure submissions
  mean that more of the mainstream systems are being detected out of
  the box!  Please keep those submissions (obscure or otherwise)
  coming!

4.20ALPHA10 [10/23/06]

o Integrated tons of new OS fingerprints.  The DB now contains 116
  fingerprints, which is up 63% since the previous version.  Please keep
  the submissions coming!

4.20ALPHA9 [10/13/06]

o Integrated the newly submitted OS fingerprints. The DB now contains
  71 fingerprints, up 27% from 56 in ALPHA8.  Please keep them coming!
  We still only have 4.2% as many fingerprints as the gen1 database.

o Added the --open option, which causes Nmap to show only open ports.
  Ports in the states "open|closed" and "unfiltered" might be open, so
  those are shown unless the host has an overwhelming number of them.

o Nmap gen2 OS detection used to always do 2 retries if it fails to
  find a match.  Now it normally does just 1 retry, but does 4 retries
  if conditions are good enough to warrant fingerprint submission.
  This should speed things up on average.  A new --max-os-tries option
  lets you specify a higher or lower maximum number of tries.

o Added --unprivileged option, which is the opposite of --privileged.
  It tells Nmap to treat the user as lacking network raw socket and
  sniffing privileges.  This is useful for testing, debugging, or when
  the raw network functionality of your operating system is somehow
  broken.

o Fixed a confusing error message which occurred when you specified a
  ping scan or list scan, but also specified -p (which is only used for
  port scans).  Thanks to Thomas Buchanan for the patch.

o Applied some small cleanup patches from Kris Katterjohn.

4.20ALPHA8 [9/30/06]

o Integrated the newly submitted OS fingerprints.  The DB now contains
  56, up 33% from 42 in ALPHA7.  Please keep them coming!  We still only
  have 3.33% as many signatures as the gen1 database.

o Nmap 2nd generation OS detection now has a more sophisticated
  mechanism for guessing a target OS when there is no exact match in the
  database (see http://nmap.org/osdetect/osdetect-guess.html )

o Rewrote mswin32/nmap.rc to remove cruft and hopefully reduce some
  MFC-related compilation problems we've seen.  Thanks to KX
  (kxmail(a)gmail.com) for doing this.

o NmapFE now uses a spin button for verbosity and debugging options so
  that you can specify whatever verbosity (-v) or debugging (-d) level
  you desire.  The --randomize-hosts option was also added to NmapFE.
  Thanks to Kris Katterjohn for the patches.

o A dozen or so small patches to Nmap and NmapFE by Kris Katterjohn.

o Removed libpcap/Win32 and libpcap/msdos as Nmap doesn't use them.
  This reduces the Nmap tar.bz2 by about 50K.  Thanks to Kris Katterjohn
  for the suggestion.

4.20ALPHA7 [9/12/06]

o Did a bunch of Nmap 2nd generation fingerprint integration work.
  Thanks to everyone who sent some in, though we still need a lot more.
  Also thanks to Zhao for a bunch of help with the integration tools.
  4.20ALPHA6 had 12 fingerprints; this new version has 42.  The old DB
  (still included) has 1,684.

o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
  (http://standards.ieee.org/regauth/oui/oui.txt) as of September 6, 2006.
  Also added the unregistered PearPC virtual NIC prefix, as suggested
  by Robert Millan (rmh(a)aybabtu.com).

o Applied some small internal cleanup patches by Kris Katterjohn.

4.20ALPHA6 [9/2/06]

o Fixed a bug in 2nd generation OS detection which would (usually) prevent
  fingerprints from being printed when systems don't respond to the 1st
  ICMP echo probe (the one with bogus code value of 9).  Thanks to
  Brandon Enright for reporting and helping me debug the problem.

o Fixed some problematic Nmap version detection signatures which could
  cause warning messages. Thanks to Brandon Enright for the initial patch.

4.20ALPHA5 [8/31/06]

o Worked with Zhao to improve the new OS detection system with
  better algorithms, probe changes, and bug fixes.  We're
  now ready to start growing the new database!  If Nmap gives you
  fingerprints, please submit them at the given URL.  The DB is still
  extremely small.  The new system is extensively documented at
  http://nmap.org/osdetect/ .

o Nmap now supports IP options with the new --ip-options flag.  You
  can specify any options in hex, or use "R" (record route), "T"
  (record timestamp), "U" (record route & timestamp), "S [route]"
  (strict source route), or "L [route]" (loose source route).  Specify
  --packet-trace to display IP options of responses.  For further
  information and examples, see http://nmap.org/man/ and
  http://seclists.org/nmap-dev/2006/q3/0052.html .  Thanks to Marek
  Majkowski for writing and sending the patch.

o Integrated all 2nd quarter service detection fingerprint
  submissions.  Please keep them coming!  We now have 3,671 signatures
  representing 415 protocols.   Thanks to version detection czar Doug
  Hoyte for doing this.

o Nmap now uses the (relatively) new libpcap pcap_get_selectable_fd
  API on systems which support it.  This means that we no longer need
  to hack the included Pcap to better support Linux.  So Nmap will now
  link with an existing system libpcap by default on that platform if
  one is detected.  Thanks to Doug Hoyte for the patch.

o Updated the included libpcap from 0.9.3 to 0.9.4.  The changes I
  made are in libpcap/NMAP_MODIFICATIONS .  By default, Nmap will now
  use the included libpcap unless version 0.9.4 or greater is already
  installed on the system.

o Applied some nsock bugfixes from Diman Todorov.  These don't affect
  the current version of Nmap, but are important for his Nmap
  Scripting Engine, which I hope to integrate into mainline Nmap in
  September.

o Fixed a bug which would occasionally cause Nmap to crash with the
  message "log_vwrite: write buffer not large enough".  I thought I
  conquered it in a previous release -- thanks to Doug Hoyte for finding a
  corner case which proved me wrong.

o Fixed a bug in the rDNS system which prevented us from querying
  certain authoritative DNS servers which have recursion explicitly
  disabled.  Thanks to Doug Hoyte for the patch.

o --packet-trace now reports TCP options (thanks to Zhao Lei for the
  patch).  Thanks to the --ip-options addition also found in this
  release, IP options are printed too.

o Cleaned up Nmap DNS reporting to be a little more useful and
  concise.  Thanks to Doug Hoyte for the patch.

o Applied a bunch of small internal cleanup patches by Kris Katterjohn
  (katterjohn(a)gmail.com).

o Fixed the 'distclean' make target to be more comprehensive.  Thanks
  to Thomas Buchanan (Thomas.Buchanan(a)thecompassgrp.net) for the
  patch.

Nmap 4.20ALPHA4 [7/4/06]

o Nmap now provides progress statistics in the XML output in verbose
  mode.  Here are some examples of the format (etc is "estimated time
  until completion" and times are in UNIX time_t (seconds since 1970)
  format).  Angle braces have been replaced by square braces:
  [taskbegin task="SYN Stealth Scan" time="1151384685" /]
  [taskprogress task="SYN Stealth Scan" time="1151384715"
                percent="13.85" remaining="187" etc="1151384902" /]
  [taskend task="SYN Stealth Scan" time="1151384776" /]
  [taskbegin task="Service scan" time="1151384776" /]
  [taskend task="Service scan" time="1151384788" /]
  Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
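
  An added example (not part of the changelog or of Nmap itself) showing
  how a monitoring script could consume these elements: it computes each
  task's duration and checks that etc equals time plus remaining.  The
  function name and the <nmaprun> wrapper around the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the changelog's example lines with angle brackets
# restored, wrapped in one root element so the fragment parses as a document.
SAMPLE = """<nmaprun>
<taskbegin task="SYN Stealth Scan" time="1151384685" />
<taskprogress task="SYN Stealth Scan" time="1151384715"
              percent="13.85" remaining="187" etc="1151384902" />
<taskend task="SYN Stealth Scan" time="1151384776" />
<taskbegin task="Service scan" time="1151384776" />
<taskend task="Service scan" time="1151384788" />
</nmaprun>"""

TASK_TAGS = ("taskbegin", "taskprogress", "taskend")


def int_attr(elem, name):
    """Return a required integer attribute or raise a descriptive error."""
    value = elem.get(name)
    if value is None:
        raise ValueError(f"<{elem.tag}> is missing the {name!r} attribute")
    return int(value)


def summarize_tasks(xml_text):
    """Return one record per task, in the order the tasks began.

    A task that has a taskbegin but no taskend (scan still running, or output
    cut short) is reported with end and duration set to None.
    """
    root = ET.fromstring(xml_text)
    records = []      # every task seen, in begin order
    open_tasks = {}   # task name -> record still waiting for its taskend

    for elem in root.iter():
        if elem.tag not in TASK_TAGS:
            continue
        name = elem.get("task")
        when = int_attr(elem, "time")

        if elem.tag == "taskbegin":
            record = {"task": name, "begin": when, "end": None,
                      "duration": None, "progress": []}
            records.append(record)
            open_tasks[name] = record
            continue

        record = open_tasks.get(name)
        if record is None:
            continue  # progress or end without a matching begin: ignore

        if elem.tag == "taskprogress":
            remaining = int_attr(elem, "remaining")
            etc = int_attr(elem, "etc")
            record["progress"].append({
                "time": when,
                "percent": float(elem.get("percent", "0")),
                "remaining": remaining,
                "etc": etc,
                # etc is an absolute time_t, remaining is relative seconds
                "etc_consistent": etc == when + remaining,
            })
        else:  # taskend
            record["end"] = when
            record["duration"] = when - record["begin"]
            del open_tasks[name]

    return records


if __name__ == "__main__":
    for rec in summarize_tasks(SAMPLE):
        print(rec["task"], rec["duration"], rec["progress"])
```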

o Updated the Windows installer to give an option checkbox for
  performing the Nmap performance registry changes.  The default is to
  do so.  Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.

o Applied several code cleanup patches from Marek Majkowski.

o Added --release-memory option, which causes Nmap to release all
  accessible memory buffers before quitting (rather than let the OS do
  it).  This is only useful for debugging memory leaks.

o Fixed a bug related to bogus completion time estimates when you
  request an estimate (through runtime interaction) right when Nmap is
  starting a subsystem (such as a port scan or version detection).
  Thanks to Diman Todorov for reporting the problem and Doug Hoyte for
  writing a fix.

o Nmap no longer gets random numbers from OpenSSL when it is available
  because that turned out to be slower than Nmap's other methods
  (e.g. /dev/urandom on Linux, /dev/arandom on OpenBSD, etc.).  Thanks
  to Marek Majkowski for reporting the problem.

o Updated the Windows binary distributions (self-installer and .zip)
  to include the new 2nd generation OS detection DB (nmap-os-db).
  Thanks to Sina Bahram for reporting the problem.

o Fixed the --max-retries option, which wasn't being honored.  Thanks
  to Jon Passki (jon.passki(a)hursk.com) for the patch.

Nmap 4.20ALPHA3 [6/29/06]

o Added back Win32 support thanks to a patch by KX.

o Fixed the English translation of TCP sequence difficulty reported by
  Brandon Enright, and also removed fingerprint printing for 1st
  generation fingerprints (I don't really want to deal with those
  anymore).  Thanks to Zhao Lei for writing this patch.

o Fix a problem which caused OS detection to be done in some cases
  even if the user didn't request it.  Thanks to Diman Todorov for the
  fix.

Nmap 4.20ALPHA2 [6/24/06]

o Included nmap-os-db (the new OS detection DB) within the release.
  Oops!  Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for catching
  this problem with 4.20ALPHA1.

o Added a fix for the crash in the new OS detection which would come
  with the message "Probe doesn't exist! Probe type: 1. Probe subid: 1"

Nmap 4.20ALPHA1 [6/24/06]

o Integrated initial 2nd generation OS detection patch!  The system is
  documented at http://nmap.org/osdetect/ .  Thanks to Zhao Lei
  for helping with the coding and design.

o portlist.cc was refactored to remove some code duplication.  Thanks
  to Diman Todorov for the patch.

Nmap 4.11 [6/23/06]

o Added dozens of more detailed SSH version detection signatures, thanks
  to a huge SSH survey and integration effort by Doug Hoyte.  The
  results of his large-scale SSH scan are posted at 
  http://seclists.org/nmap-dev/2006/Apr-Jun/0393.html .

o Fixed the Nmap Makefile (actually Makefile.in) to correctly handle
  include file dependencies.  So if a .h file is changed, all of the
  .cc files which depend on it will be recompiled.  Thanks to Diman
  Todorov (diman(a)xover.mud.at) for the patch.

o Fixed a compilation problem on Solaris and possibly other platforms.
  The error message looked like "No rule to make target `inet_aton.o',
  needed by `libnbase.a'".  Thanks to Matt Selsky
  (selsky(a)columbia.edu) for the patch.

o Applied a patch which helps with HP-UX compilation by linking in the
  nm library (-lnm).  Thanks to Zakharov Mikhail
  (zmey20000(a)yahoo.com) for the patch.

o Added version detection probes for detecting the Nessus daemon.
  Thanks to Adam Vartanian (flooey(a)gmail.com) for sending the patch.

Nmap 4.10 [6/12/06]

o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
  (http://standards.ieee.org/regauth/oui/oui.txt) as of May 31, 2006.
  Also added a couple unregistered OUI's (for QEMU and Bochs)
  suggested by Robert Millan (rmh(a)aybabtu.com).

o Fixed a bug which could cause false "open" ports when doing a UDP
  scan of localhost. This usually only happened when you scan tens of
  thousands of ports (e.g. -p- option).

o Fixed a bug in service detection which could lead to a crash when
  "--version-intensity 0" was used with a UDP scan.  Thanks to Makoto
  Shiotsuki (shio(a)st.rim.or.jp) for reporting the problem and Doug
  Hoyte for producing a patch.

o Made some AIX and HP-UX portability fixes to Libdnet and NmapFE.
  These were sent in by Peter O'Gorman
  (nmap-dev(a)mlists.thewrittenword.com).

o When you do a UDP+TCP scan, the TCP ports are now shown first (in
  numerical order), followed by the UDP ports (also in order).  This
  contrasts with the old format which showed all ports together in
  numerical order, regardless of protocol.  This was at first a "bug",
  but then I started thinking this behavior may be better.  If you
  have a preference for one format or the other, please post your
  reasons to nmap-dev.

o Changed mass_dns system to print a warning if it can't find any
  available DNS servers, but not quit like it used to.  Thanks to Doug
  Hoyte for the patch.

Nmap 4.04BETA1 [5/31/06]

o Integrated all of your submissions (about a thousand) from the first
  quarter of this year!  Please keep 'em coming!  The DB has increased
  from 3,153 signatures representing 381 protocols in 4.03 to 3,441
  signatures representing 401 protocols.  No other tool comes close!
  Many of the already existing match lines were improved too.  Thanks
  to Version Detection Czar Doug Hoyte for doing this.

o Nmap now allows multiple ignored port states.  If a 65K-port scan
  had 64K filtered ports, 1K closed ports, and a few dozen open
  ports, Nmap used to list the dozen open ones among a thousand lines
  of closed ports.  Now Nmap will give reports like "Not shown: 64330
  filtered ports, 1000 closed ports" or "All 2051 scanned ports on
  192.168.0.69 are closed (1051) or filtered (1000)", and omit all of
  those ports from the table.  Open ports are never ignored.  XML
  output can now have multiple [extraports] directives (one for each
  ignored state).  The number of ports in a single state before it is
  consolidated defaults to 26 or more, though that number increases as
  you add -v or -d options.  With -d3 or higher, no ports will be
  consolidated.  The XML output should probably be augmented to give
  the extraports directive 'ip', 'tcp', and 'udp' attributes which
  specify the corresponding port numbers in the given state in the
  same listing format as the nmaprun.scaninfo.services attribute, but
  that part hasn't yet been implemented.  If you absolutely need the
  exact port numbers for each state in the XML, use -d3 for now.

o Nmap now ignores certain ICMP error message rate limiting (rather
  than slowing down to accommodate it) in cases such as SYN scan where
  an ICMP message and no response mean the same thing (port filtered).
  This is currently only done at timing level Aggressive (-T4) or
  higher, though we may make it the default if we don't hear problems
  with it.  In addition, the --defeat-rst-ratelimit option has been
  added, which causes Nmap not to slow down to accommodate RST rate
  limits when encountered.  For a SYN scan, this may cause closed
  ports to be labeled 'filtered' because Nmap refused to slow down
  enough to correspond to the rate limiting.  Learn more about this
  new option at http://nmap.org/man/ .  Thanks to Martin
  Macok (martin.macok(a)underground.cz) for writing the patch that
  these changes were based on.

o Moved my Nmap development environment to Visual C++ 2005 Express
  edition.  In typical "MS Upgrade Treadmill" fashion, Visual Studio
  2003 users will no longer be able to compile Nmap using the new
  solution files.  The compilation, installation, and execution
  instructions at http://nmap.org/install/inst-windows.html have been
  upgraded.  

o Automated my Windows build system so that I just have to type a
  single make command in the mswin32 directory.  Thanks to Scott
  Worley (smw(a)pobox.com), Shane & Jenny Walters
  (yfisaqt(a)waltersinamerica.com), and Alex Prinsier
  (aphexer(a)mailhaven.com) for reading my appeal in the 4.03
  CHANGELOG and assisting.

o Changed the PortList class to use much more efficient data
  structures and algorithms which take advantage of Nmap-specific
  behavior patterns.  Thanks to Marek Majkowski
  (majek(a)forest.one.pl) for the patch.

o Fixed a bug which prevented certain TCP+UDP scan commands, such as
  "nmap -sSU -p1-65535 localhost" from scanning both TCP and UDP.
  Instead they gave the error message "WARNING: UDP scan was requested,
  but no udp ports were specified.  Skipping this scan type".  Thanks to
  Doug Hoyte for the patch.

o Nmap has traditionally required you to specify -T* timing options
  before any more granular options like --max-rtt-timeout, otherwise the
  general timing option would overwrite the value from your more
  specific request.  This has now been fixed so that the more specific
  options always have precedence.  Thanks to Doug Hoyte for this patch.

o Fixed a couple possible memory leaks reported by Ted Kremenek
  (kremenek(a)cs.stanford.edu) from the Stanford University software
  static analysis lab ("Checker" project).

o Nmap now prints a warning when you specify a target name which
  resolves to multiple IP addresses.  Nmap proceeds to scan only the
  first of those addresses (as it always has done).  Thanks to Doug
  Hoyte for the patch.  The warning looks like this:
  Warning: Hostname google.com resolves to 3 IPs. Using 66.102.7.99.

o Disallow --host-timeout values of less than 1500ms, print a warning
  for values less than 15s.

o Changed all instances of inet_aton() into calls to inet_pton()
  instead.  This allowed us to remove inet_aton.c from nbase.  Thanks to
  KX (kxmail(a)gmail.com) for the patch.

o When debugging (-d) is specified, Nmap now prints a report on the
  timing variables in use.  Thanks to Doug Hoyte for the patch.  The
  report looks like this:
  ---------- Timing report ----------
    hostgroups: min 1, max 100000
    rtt-timeouts: init 250, min 50, max 300
    scan-delay: TCP 5, UDP 1000
    parallelism: min 0, max 0
    max-retries: 2, host-timeout 900000
  -----------------------------------

o Modified the WinPcap installer file to explicitly uninstall an
  existing WinPcap (if you select that you wish to replace it) rather
  than just overwriting the old version.  Thanks to Doug Hoyte for
  making this change.

o Added some P2P application ports to the nmap-services file.  Thanks
  to Martin Macok for the patch.

o The write buffer length increased in 4.03 was increased even further
  when the debugging or verbosity levels are more than 2 (e.g. -d3).
  Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for the patch.  The
  goal is to prevent you from ever seeing the fatal error:
  "log_vwrite: write buffer not large enough -- need to increase"

o Added a note to the Nmap configure dragon that people sick of him
  can submit their own ASCII art to nmap-dev@insecure.org .  If you
  are wondering WTF I am talking about, it is probably because only
  the most elite Nmap users -- the ones who compile from source on UNIX --
  get to see the 'l33t ASCII Art.

Nmap 4.03 [4/22/06]

o Updated the LibPCRE build system to add the -fno-thread-jumps option
  to gcc when compiling on the new Intel-based Apple Mac OS X systems.
  Hopefully this resolves the version detection crashes that several
  people have reported on such systems.  Thanks to Kurt Grutzmacher
  (grutz(a)jingojango.net) for sending the configure.ac patch.

o Made some portability fixes to keep Nmap compiling with the newest
  Visual Studio 2005.  Thanks to KX (kxmail(a)gmail.com) for
  suggesting them.

o Service fingerprints are now provided in the XML output whenever
  they would appear in the interactive output (i.e. when a service
  responds with data but is unrecognized).  They are shown in a new
  'servicefp' attribute to the 'service' tag.  Thanks to Brandon Enright
  (bmenrigh(a)ucsd.edu) for sending the patch.

o Improved the Windows build system -- mswin32/Makefile now takes care
  of packaging Nmap and creating the installers once Visual Studio (GUI)
  is done building the Release version of mswin32/nmap.sln.  If someone
  knows how to do this (build) step on the command line (using the
  Makefile), please let me know.  Or if you know how to at least make
  'Release' (rather than Debug) the default configuration, that would be
  valuable.

o WinPcap 3.1 binaries are now shipped in the Nmap tarball, along with
  a customized installer written by Doug Hoyte.  That new WinPcap
  installer is now used by the Nmap self-installer (if you request
  WinPcap installation).  Some Nmap users were uncomfortable with a
  "phone home" feature of the official WinPcap installer.  It connects
  back to CACE Technologies, ostensibly to display news and (more
  recently) advertisements.  Our new installer omits that feature, but
  should be otherwise perfectly compatible with WinPcap 3.1.

o Fixed (I hope) a problem where aggressive --min-parallelization
  option values could cause Nmap to quit with the message "box(300, 100,
  15) called (min,max,num)".  Thanks to Richard van den Berg
  (richard.vandenberg(a)ins.com) for reporting the problem.

o Fixed a rare crash bug thanks to a report and patch from Ganga
  Bhavani (GBhavani(a)everdreamcorp.com).

o Increased a write buffer length to keep Nmap from quitting with the
  message "log_vwrite: write buffer not large enough -- need to
  increase".  Thanks to Dave (dmarcher(a)pobox.com) for reporting the
  issue.

Nmap 4.02ALPHA2 [3/8/06]

o Updated to a newer XSL stylesheet (for XML to HTML output
  transformation) by Benjamin Erb.  This new version includes IP
  address sorting, removal of javascript requirements, some new
  address, hostname, and Nmap version information, and various minor
  tweaks and fixes.

o Cleaned up the Amiga port code to use atexit() rather than the
  previous macro hack.  Thanks to Kris Katterjohn (katterjohn(a)gmail.com)
  for the patch.  Applied maybe half a dozen other new code cleanup
  patches from him as well.

o Made some changes to various Nmap initialization functions which
  help ALT Linux (altlinux.org) and Owl (openwall.com) developers run
  Nmap in a chroot environment.  Thanks to Dmitry V. Levin
  (ldv(a)altlinux.org) for the patch.

o Cleaned up the code a bit by making a bunch (nearly 100) global
  symbols (mostly function calls) static.  I was also able to remove
  some unused functions and superfluous config.h.in defines.  Thanks
  to Dmitry V. Levin (ldv(a)altlinux.org) for sending a list of
  candidate symbols.

o Nmap now tests for the existence of data files using stat(2) rather
  than testing whether they can be opened for reading (with fopen).
  This is because some device files (tape drives, etc.) may react badly
  to being opened at all.  Thanks to Dmitry V. Levin
  (ldv(a)altlinux.org) for the suggestion.

o Changed Nmap to cache interface information rather than opening and
  closing it (with dnet's eth_open and eth_close functions) all the
  time.

o Applied a one-character Visual Studio 2005 compatibility patch from
  kx (kxmail(a)gmail.com).  It changed getch() into _getch() on Windows.

Nmap 4.02ALPHA1 [13/3/06]

o Added the --log-errors option, which causes most warnings and error
  messages that are printed to interactive-mode output (stdout/stderr)
  to also be printed to the normal-format output file (if you
  specified one).  This will not work for most errors related to bad
  command-line arguments, as Nmap may not have initialized its output
  files yet.  In addition, some Nmap error/warning messages use a
  different system that does not yet support this option.

o Rewrote much of the Nmap results output functions to be more
  efficient and support --log-errors.

o Fixed a flaw in the scan engine which could (in rare cases)
  lead to a deadlock situation that prevents a scan from completing.
  Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for reporting
  and helping to debug the problem.

o If the pcap_open_live() call (initiates sniffing) fails, Nmap now
  tries up to two more times after waiting a little while. This is an
  attempt to work around a rare bug on Windows in which the
  pcap_open_live() fails for unknown reasons.

o Fixed a flaw in the runtime interaction in which Nmap would include
  hosts currently being scanned in the number of hosts "completed"
  statistic.

o Fixed a crash in OS scan which could occur on Windows when a DHCP
  lease issue causes the system to lose its IP address.  Nmap still
  quits, but at least it gives a proper error message now.  Thanks to
  Ganga Bhavani (GBhavani(a)everdreamcorp.com) for the patch.

o Applied more than half a dozen small code cleanup patches from
  Kris Katterjohn (katterjohn(a)gmail.com).

o Modified the configure script to accept CXX when specified as an
  absolute path rather than just the executable name.  Thanks to
  Daniel Roethlisberger (daniel(a)roe.ch) for this patch.

Nmap 4.01 [2/9/06]

o Fixed a bug that would cause bogus reverse-DNS resolution on
  big-endian machines.  Thanks to Doug Hoyte, Seth Miller, Tony Doan,
  and Andrew Lutomirsky for helping to debug and patch the problem.

o Fixed an important memory leak in the raw ethernet sending system.
  Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for
  identifying the bug and sending a patch.

o Fixed --system-dns option so that --system_dns works too.  Error
  messages were changed to reflect the former (preferred) name.
  Thanks to Sean Swift (sean.swift(a)bradford.gov.uk) and Peter
  VanEeckhoutte (Peter.VanEeckhoutte(a)saraleefoodseurope.com) for
  reporting the problem.

o Fixed a crash which would report this message:
  "NmapOutputTable.cc:143: void NmapOutputTable::addItem(unsigned int,
  unsigned int, bool, const char*, int): Assertion `row < numRows'
  failed."  Thanks to Jake Schneider (Jake.Schneider(a)dynetics.com) for
  reporting and helping to debug the problem.

o Whenever Nmap sends packets with the SYN bit set (except for OS
  detection), it now includes the maximum segment size (MSS) tcp
  option with a value of 1460.  This makes it stand out less as almost
  all hosts set at least this option.  Thanks to Juergen Schmidt
  (ju(a)heisec.de) for the suggestion.

o Applied a patch for a Windows interface reading bug in the aDNS
  subsystem from Doug Hoyte.

o Minor changes to recognize DragonFly BSD in configure
  scripts. Thanks to Joerg Sonnenberger (joerg(a)britannica.bec.de)
  for sending the patch.

o Fixed a minor bug in an error message starting with "eth_send of ARP
  packet returned".  Thanks to J.W. Hoogervorst
  (J.W.Hoogervorst(a)uva.nl) for finding this.

Nmap 4.00 [1/31/06]

o Added the '?' command to the runtime interaction system.  It prints a
  list of accepted commands.  Thanks to Andrew Lutomirski
  (luto(a)myrealbox.com) for the patch.

o See the announcement at
  http://www.insecure.org/stf/Nmap-4.00-Release.html for high-level
  changes since 3.50.

Nmap 3.9999 [1/28/06]

o Generated a new libpcre/configure to cope with changes in LibPCRE
  6.4

o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
  (http://standards.ieee.org/regauth/oui/oui.txt)

o Updated nmap-protocols with the latest IEEE internet protocols
  assignments (http://www.iana.org/assignments/protocol-numbers).

o Updated the Nmap version number and related fields that MS Visual
  Studio places in the binary.  This was done by editing
  mswin32/nmap.rc.

Nmap 3.999 [1/26/06]

o Added runtime interaction support to Windows, thanks to patches from
  Andrew Lutomirski (luto(a)myrealbox.com) and Gisle Vanem (giva(a)bgnett.no).

o Changed a couple lines of tcpip.cc (put certain IP header fields in
  host byte order rather than NBO) to (hopefully) support Mac OS X on
  Intel.  Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) for the
  patch.

o Upgraded the included LibPCRE from version 6.3 to 6.4.  There was a
  report of version detection crashes on the new Intel-based Macs with
  6.3.

o Fixed an issue in which the installer would malfunction in rare
  cases when installing to a directory with spaces in it.  Thanks to
  Thierry Zoller (Thierry(a)Zoller.lu) for the report.

Nmap 3.99 [1/25/06]

o Integrated all remaining 2005 service submissions.  The DB now has
  surpassed 3,000 signatures for the first time.  There now are 3,153
  signatures for 381 service protocols.  Those protocols span the
  gamut from abc, acap, afp, and afs to zebedee, zebra, and
  zenimaging.  It even covers obscure protocols such as http, ftp,
  smtp, and ssh :).  Thanks to Version Detection Czar Doug Hoyte for
  his excellent work on this.

o Created a Windows executable installer using the open source NSIS
  (Nullsoft Scriptable Install System).  It handles Pcap installation,
  registry performance changes, and adding Nmap to your cmd.exe
  executable path.  The installer source files are in mswin32/nsis/ .
  Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for
  creating the initial version.

o Fixed a backward compatibility bug in which Nmap didn't recognize
  the --min_rtt_timeout option (it only recognized the newly
  hyphenated --min-rtt-timeout).  Thanks to Joshua D. Abraham
  (jabra(a)ccs.neu.edu) for the bug report.

o Fixed compilation to again work with gcc-derivatives such as
  MingW. Thanks to Gisle Vanem (giva(a)bgnett.no) for sending the
  patches.

Nmap 3.98BETA1 [1/22/06]

o Added run time interaction as documented at
  http://nmap.org/man/man-runtime-interaction.html .
  While Nmap is running, you can now press 'v' to increase verbosity,
  'd' to increase the debugging level, 'p' to enable packet tracing,
  or the capital versions (V,D,P) to do the opposite.  Any other key
  (such as enter) will print out a status message giving the estimated
  time until scan completion.  This only works on UNIX for now.  Do we
  have any volunteers to add Windows support?  You would need to
  change a handful of UNIX-specific termio calls with the Windows
  equivalents.  This feature was created by Paul Tarjan
  (ptarjan(a)stanford.edu) as part of the Google Summer of Code.

o Reverse DNS resolution is now done in parallel rather than one at a
  time.  All scans of large networks (particularly list, ping and
  just-a-few-ports scans) should benefit substantially from this
  change.  If you encounter any problems, please let us know.  The new
  --system_dns option was added so you can use the (slow) system
  resolver if you prefer that for some reason.  You can specify a
  comma separated list of DNS server IP addresses for Nmap to use with
  the new --dns_servers option.  Otherwise, Nmap looks in
  /etc/resolv.conf (UNIX) or the system registry (Windows) to obtain
  the nameservers already configured for your system.  This excellent
  patch was written by Doug Hoyte (doug(a)hcsw.org).

o Added the --badsum option, which causes Nmap to use invalid TCP or
  UDP checksums for packets sent to target hosts. Since virtually all
  host IP stacks properly drop these packets, any responses received
  are likely coming from a firewall or IDS that didn't bother to
  verify the checksum. For more details on this technique, see
  http://www.phrack.org/phrack/60/p60-0x0c.txt .  The author of that
  paper, Ed3f (ed3f(a)antifork.org), is also the author of this patch
  (which I changed a bit).

o The 26 Nmap commands that previously included an underscore
  (--max_rtt_timeout, --send_eth, --host_timeout, etc.) have been
  renamed to use a hyphen in the preferred format
  (i.e. --max-rtt-timeout).  Underscores are still supported for
  backward compatibility.

o More excellent NmapFE patches from Priit Laes (amd(a)store20.com)
  were applied to remove all deprecated GTK API calls.  This also
  eliminates the annoying Gtk-Critical and Gtk-WARNING runtime messages.

o Changed the way the __attribute__ compiler extension is detected so
  that it works with the latest Fedora Core 4 updates (and perhaps other
  systems).  Thanks to Duilio Protti (dprotti(a)fceia.unr.edu.ar) for
  writing the patch.  The compilation error message this fixes was
  usually something like: "nmap.o(.rodata+0x17c): undefined reference
  to `__gthrw_pthread_cancel(unsigned long)"

o Added some exception handling code to mswin32/winfix.cc to prevent
  Nmap from crashing mysteriously when you have WinPcap 3.0 or earlier
  (instead of the required 3.1).  It now prints an error message instead
  asking you to upgrade, then reduces functionality to connect()-only
  mode.  I couldn't get it working with the C++ standard try/catch()
  blocks, but as soon as I used the nonstandard MS conventions
  (__try/__except()), everything worked fine. Shrug.

o Stripped the firewall API out of the libdnet included with Nmap
  because Nmap doesn't use it anyway.  This saves space and reduces the
  likelihood of compilation errors and warnings.

o Modified the previously useless --noninteractive option so that it
  deactivates runtime interaction.

Nmap 3.96BETA1 [12/29/05]

o Added --max_retries option for capping the maximum number of
  retransmissions the port scan engine will do. The value may be as low
  as 0 (no retransmits).  A low value can increase speed, though at the
  risk of losing accuracy.  The -T4 option now allows up to 6 retries,
  and -T5 allows 2.  Thanks to Martin Macok
  (martin.macok(a)underground.cz) for writing the initial patch, which I
  changed quite a bit.  I also updated the docs to reflect this neat
  new option.

o Many of the Nmap low-level timing options take a value in
  milliseconds.  You can now append an 's', 'm', or 'h' to the value
  to give it in seconds, minutes, or hours instead.  So you can specify a
  45 minute host timeout with --host_timeout 45m rather than specifying
  --host_timeout 2700000 and hoping you did the math right and have the 
  correct number of zeros.  This also now works for the
  --min_rtt_timeout, --max_rtt_timeout, --initial_rtt_timeout,
  --scan_delay, and --max_scan_delay options.
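
  An added illustration (not Nmap's own code) of the unit suffixes
  described above, applied to the six options this entry names.  It also
  applies the --host-timeout limits from the 4.04BETA1 entry (below 1500ms
  disallowed, below 15s warned) and accepts both the underscore and the
  hyphen spellings.  Function names are assumptions, as is the restriction
  to whole numbers with a lower-case suffix.

```python
import re

# Options this changelog entry lists as accepting the unit suffixes,
# stored in the hyphenated spelling.
TIMING_OPTIONS = {
    "host-timeout", "min-rtt-timeout", "max-rtt-timeout",
    "initial-rtt-timeout", "scan-delay", "max-scan-delay",
}

# A bare number is milliseconds; 's', 'm' and 'h' scale it up.
UNIT_MS = {"": 1, "s": 1000, "m": 60 * 1000, "h": 60 * 60 * 1000}
SPEC_RE = re.compile(r"([0-9]+)([smh]?)")


def timespec_to_ms(spec):
    """Convert '2700000', '45m', '15s' or '1h' to milliseconds."""
    match = SPEC_RE.fullmatch(spec)
    if match is None:
        raise ValueError(f"bad time specification: {spec!r}")
    return int(match.group(1)) * UNIT_MS[match.group(2)]


def classify_host_timeout(ms):
    """Apply the limits the changelog states for --host-timeout."""
    if ms < 1500:
        return "rejected"   # values under 1500ms are disallowed
    if ms < 15000:
        return "warning"    # values under 15s draw a warning
    return "ok"


def normalize_timing_args(argv):
    """Return {option: milliseconds} for every timing option in argv.

    Accepts '--opt value' and '--opt=value', with either '_' or '-' in the
    option name, so old and new command lines compare equal.
    """
    found = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, has_value, value = arg[2:].partition("=")
            name = name.replace("_", "-")
            if name in TIMING_OPTIONS:
                if not has_value:
                    i += 1
                    if i >= len(argv):
                        raise ValueError(f"--{name} needs a value")
                    value = argv[i]
                found[name] = timespec_to_ms(value)
        i += 1
    return found


if __name__ == "__main__":
    # Constructed command line; target.example is a placeholder host.
    cmd = ["nmap", "--host_timeout", "45m", "--max-rtt-timeout", "300",
           "-p", "80", "target.example"]
    for option, ms in normalize_timing_args(cmd).items():
        note = classify_host_timeout(ms) if option == "host-timeout" else ""
        print(f"--{option} = {ms} ms {note}")
```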

o Improved the NmapFE port to GTK2 so it better conforms to the new
  API and you don't get as many annoying messages in your terminal
  window.  GTK2 is prettier and more functional too.  Thanks to Priit
  Laes (amd(a)store20.com) for writing these
  excellent patches.

o Fixed a problem which led to the error message "Failed to determine
  dst MAC address for target" when you try to run Nmap using a
  dialup/PPP adapter on Windows rather than a real ethernet card.  Due
  to Microsoft breaking raw sockets, Nmap no longer supports dialup
  adapters, but it should now give you a clearer error message than
  the "dst MAC address" nonsense.

o Debian GNU/kFreeBSD is now supported thanks to a patch to libdnet's
  configure.in by Petr Salinger (Petr.Salinger(a)t-systems.cz).

o Tried to update to the latest autoconf only to find that there
  hasn't been a new version in more than two years :(.  I was able to
  find new config.sub and config.guess files at
  http://cvs.savannah.gnu.org/viewcvs/config/config/ , so I updated to
  those.

o Fixed a problem with the -e option when run on Windows (or UNIX with
  --send_eth) when run on an ethernet network against an external
  (routed) host.  You would get the message "NmapArpCache() can only
  take IPv4 addresses.  Sorry".  Thanks to KX (kxmail(a)gmail.com) for
  helping to track down the problem.

o Made some changes to allow source port zero scans (-g0).  Nmap used
  to refuse to do this, but now it just gives a warning that it may not
  work on all systems.  It seems to work fine on my Linux box.  Thanks
  to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature.

o Made a change to libdnet so that Windows interfaces are listed as
  down if they are disconnected, unplugged, or otherwise unavailable.

o Ceased including foreign translations in the Nmap tarball as they
  take up too much space.  HTML versions can be found at
  http://nmap.org/docs.html , while XML and NROFF versions
  are available from http://nmap.org/data/man-xlate/ .

o Changed INSTALL and README-WIN32 files to mostly just reference the
  new Nmap Install Guide at http://nmap.org/install/ .

o Included docs/nmap-man.xml in the tarball distribution, which is the
  DocBook XML source for the Nmap man page.  Patches to Nmap that are
  user-visible should include patches to the man page XML source rather
  than to the generated Nroff.

o Fixed Nmap so it doesn't crash when you ask it to resume a previous
  scan, but pass in a bogus file rather than actual Nmap output.  Thanks
  to Piotr Sobolewski (piotr_sobolewski(a)o2.pl) for the fix.

Nmap 3.95 [12/8/05]

o Fixed a crash in IPID Idle scan.  Thanks to Ron
  (iago(a)valhallalegends.com), Bakeman (bakeman(a)physics.unr.edu),
  and others for reporting the problem.

o Fixed an inefficiency in RPC scan that could slow things down and
  also sometimes resulted in the spurious warning message: "Unable to
  find listening socket in get_rpc_results"

o Fixed a 3.94ALPHA3 bug that caused UDP scan results to be listed as
  TCP ports instead.  Thanks to Justin M Cacak (jcacak(a)nebraska.edu)
  for reporting the problem.

Nmap 3.94ALPHA3 [12/6/05]

o Updated NmapFE to build with GTK2 rather than obsolete GTK1.  Thanks
  to Mike Basinger (dbasinge(a)speakeasy.net) and Meethune Bhowmick
  (meethune(a)oss-institute.org) for developing the
  patch.  I made some changes as well to prevent compilation warnings.
  The new NmapFE now seems to work, though I do get "Gtk-CRITICAL"
  assertion error messages.  If someone has time to look into this, that
  would be appreciated.

o Fixed a compilation problem on Mac OS X and perhaps other platforms
  with a one-line fix to scan_engine.cc.  Thanks to Felix Gröbert
  (felix(a)groebert.org) for notifying me of the problem.

o Fixed a problem that prevented the command "nmap -sT -PT [targets]"
  from working from a non-privileged user account.  The -PT option
  doesn't change default behavior in this case, but Nmap should (and now
  does) allow it.

o Applied another VS 2005 compatibility patch from KX (kxmail(a)gmail.com).

o Define INET_ADDRSTRLEN in tcpip.h if the system doesn't define it
  for us.  This apparently aids compilation on Solaris 2.6 and 7.
  Thanks to Albert Chin (nmap-hackers(a)mlists.thewrittenword.com) for
  sending the patch.

Nmap 3.94ALPHA2 [12/4/05]

o Put Nmap on a diet, with changes to the core port scanning routine
  (ultra_scan) to substantially reduce memory consumption, particularly
  when tens of thousands of ports are scanned.

o Fixed a problem with the -S option on Windows reporting "Failed
  to resolve/decode supposed IPv4 source address".  The -D (decoy)
  option was probably broken on that platform too.  Thanks to KX
  (kxmail(a)gmail.com) for reporting the problem and tracking down a
  potential solution.

o Better handle ICMP type 3, code 0 (network unreachable) responses to
  port scan packets.  These are rarely seen when scanning hosts that
  are actually online, but are still worth handling.

o Applied some small fixes so that Nmap compiles with Visual C++
  2005 Express, which is free from Microsoft at
  http://msdn.microsoft.com/vstudio/express/visualc/ .  Thanks to KX
  (kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com).

o Removed foreign translations of the old man page from the
  distribution.  Included the following contributed translations
  (nroff format) of the new man page:
    Brazilian Portuguese by Lucien Raven (lucienraven(a)yahoo.com.br)
    Portuguese (Portugal) by José Domingos (jd_pt(a)yahoo.com) and 
                             Andreia Gaita (shana.ufie(a)gmail.com).

o Added --thc option (undocumented)

o Modified libdnet-stripped/src/eth-bsd.c to allow for up to 128 bpf
  devices rather than 32.  This prevents errors like "Failed to open
  ethernet interface (fxp0)" when there are more than 32 interface
  aliases.  Thanks to Krok (krok(a)void.ru) for reporting the problem
  and even sending a patch.

Nmap 3.94ALPHA1 [11/27/05]

o Wrote a new man page from scratch.  It is much more comprehensive
  (more than twice as long) and (IMHO) better organized than the
  previous one.  Read it online at http://nmap.org/man/
  or docs/nmap.1 from the Nmap distribution.  Let me know if you have
  any ideas for improving it.

o Wrote a new "help screen", which you get when running Nmap without
  arguments.  It is also reproduced in the man page and at
  http://nmap.org/data/nmap.usage.txt .  I gave up trying
  to fit it within a 25-line, 80-column terminal window.  It is now 78
  lines and summarizes all but the most obscure Nmap options.

o Version detection softmatches (when Nmap determines the service
  protocol such as smtp but isn't able to determine the app name such as
  Postfix) can now parse out the normal match line fields such as
  hostname, device type, and extra info.  For example, we may not know
  what vendor created an sshd, but we can still parse out the protocol
  number.  This was a patch from Doug Hoyte (doug(a)hcsw.org).

o Fixed a problem which caused UDP version scanning to fail to print
  the matched service.  Thanks to Martin Macok
  (martin.macok(a)underground.cz) for reporting the problem and Doug
  Hoyte (doug(a)hcsw.org) for fixing it.

o Made the version detection "ports" directive (in
  nmap-service-probes) more comprehensive.  This should speed up scans a
  bit.  The patch was done by Doug Hoyte (doug(a)hcsw.org).

o Added the --webxml option, which does the same thing as 
  --stylesheet http://nmap.org/data/nmap.xsl , without
  requiring you to remember the exact URL or type that whole thing.

o Fixed a crash that occurred when the --exclude option was used with
  netmasks on certain platforms.  Thanks to Adam
  (nmapuser(a)globalmegahost.com) for reporting the problem and to
  Greg Darke (starstuff(a)optusnet.com.au) for sending a patch (I
  modified the patch a bit to make it more efficient).

o Fixed a problem with the -S and -e options (spoof/set
  source address, and set interface by name, respectively).  The problem
  report and a partial patch were sent by Richard Birkett
  (richard(a)musicbox.net).

o Fixed a possible aliasing problem in tcpip.cc by applying a patch sent in by
  Gwenole Beauchesne (gbeauchesne(a)mandriva.com).  This problem
  shouldn't have had any effect on users since we already include the
  -fno-strict-aliasing option whenever gcc 4 is detected, but it
  brings us closer to being able to remove that option.

o Fixed a bug that caused Nmap to crash if an nmap-service-probes file
  was used which didn't contain the Exclude directive.

o Fixed a bunch of typos and misspellings throughout the Nmap source
  code (mostly in comments).  This was a 625-line patch by Saint Xavier
  (skyxav(a)skynet.be).

o Nmap now accepts target list files in Windows end-of-line format (\r\n)
  as well as standard UNIX format (\n) on all platforms.  Passing a
  Windows style file to Nmap on UNIX didn't work before unless you ran
  dos2unix first.

o Removed Identd scan support from NmapFE since Nmap no longer
  supports it.  Thanks to Jonathan Dieter (jdieter99(a)gmx.net) for the
  patch.

o Integrated all of the September version detection fingerprint
  submissions.  This was done by Version Detection Czar Doug Hoyte
  (doug(a)hcsw.org) and resulted in 86 new match lines.  Please keep
  those submissions coming!

o Fixed a divide-by-zero crash when you specify rather bogus
  command-line arguments (a TCP scan with zero tcp ports).  Thanks to
  Bart Dopheide (dopheide(a)fmf.nl) for identifying the problem and
  sending a patch.

o Fixed a minor syntax error in tcpip.h that was causing problems with
  GCC 4.1.  Thanks to Dirk Mueller (dmuell(a)gmx.net) for reporting
  the problem and sending a fix.

Nmap 3.93 [9/12/05]

o Modified Libpcap's configure.ac to compile with the
  -fno-strict-aliasing option if gcc 4.X is used.  This prevents
  crashes when said compiler is used.  This was done for Nmap in 3.90, but is
  apparently needed for pcap too.  Thanks to Craig Humphrey
  (Craig.Humphrey(a)chapmantripp.com) for the discovery.

o Patched libdnet to include sys/uio.h in src/tun-linux.c.  This is
  apparently necessary on some Glibc 2.1 systems.  Thanks to Rob Foehl
  (rwf(a)loonybin.net) for the patch.

o Fixed a crash which could occur when a ridiculously short
  --host_timeout was specified on Windows (or on UNIX if --send_eth was
  specified).  Nmap now also prints a warning if you specify a
  host_timeout of less than 1 second.  Thanks to Ole Morten Grodaas
  (grodaas(a)gmail.com) for discovering the problem.

Nmap 3.91 [9/11/05]

o Fixed a crash on Windows when you -P0 scan an unused IP on a local
  network (or a range that contains unused IPs).  This could also
  happen on UNIX if you specified the new --send_eth option.  Thanks
  to Jim Carras (JFCECL(a)engr.psu.edu) for reporting the problem.

o Fixed compilation on OpenBSD by applying a patch from Okan Demirmen
  (okan(a)demirmen.com), who maintains Nmap in the OpenBSD Ports
  collection.

o Updated nmap-mac-prefixes to include OUIs assigned by the IEEE since
  April.

o Updated the included libpcre (used for version detection) from
  version 4.3 to 6.3.  A libpcre security issue was fixed in 6.3, but
  that issue never affected Nmap.

o Updated the included libpcap from 0.8.3 to 0.9.3.  I also changed
  the directory name in the Nmap tarball from libpcap-possiblymodified
  to just libpcap.  As usual, the modifications are described in the
  NMAP_MODIFICATIONS in that directory.

Nmap 3.90 [9/8/05]

o Added the ability for Nmap to send and properly route raw ethernet
  packets containing IP datagrams rather than always sending the
  packets via raw sockets. This is particularly useful for Windows,
  since Microsoft has disabled raw socket support in XP for no good
  reason.  Nmap tries to choose the best method at runtime based on
  platform, though you can override it with the new --send_eth and
  --send_ip options.

o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to
  determine whether hosts on a LAN are up, rather than relying on
  higher-level IP packets (which can only be sent after a successful
  ARP request and reply anyway).  This is much faster and more
  reliable (not subject to IP-level firewalling) than IP-based probes.
  The downside is that it only works when the target machine is on the
  same LAN as the scanning machine.  It is now used automatically for
  any hosts that are detected to be on a local ethernet network,
  unless --send_ip was specified.  Example usage: nmap -sP -PR
  192.168.0.0/16 .

o Added the --spoof_mac option, which asks Nmap to use the given MAC
  address for all of the raw ethernet frames it sends.  The MAC given
  can take several formats.  If it is simply the string "0", Nmap
  chooses a completely random MAC for the session.  If the given
  string is an even number of hex digits (with the pairs optionally
  separated by a colon), Nmap will use those as the MAC.  If fewer than
  12 hex digits are provided, Nmap fills in the remainder of the 6
  bytes with random values.  If the argument isn't a 0 or hex string,
  Nmap looks through the nmap-mac-prefixes to find a vendor name
  containing the given string (it is case insensitive).  If a match is
  found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
  remaining 3 bytes randomly.  Valid --spoof_mac argument examples are
  "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and
  "Cisco".
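
The --spoof_mac argument rules above, modeled as an added Python example (not Nmap's own code).  The prefix table is a constructed stand-in for nmap-mac-prefixes, and the function names are hypothetical.  claimed_vendor() shows what an OUI-based inventory lookup reports for the resulting address.

```python
import random
import re

# Constructed excerpt in the "<OUI hex> <vendor>" layout of nmap-mac-prefixes.
# The entries are illustrative sample data, not copied from the real file.
SAMPLE_MAC_PREFIXES = """\
00000C Cisco Systems
000393 Apple Computer
0020F2 Sun Microsystems
"""

# An even number of hex digits, pairs optionally separated by a colon.
HEX_PAIRS = re.compile(r"(?:[0-9A-Fa-f]{2}:?)*[0-9A-Fa-f]{2}")


def load_prefixes(text):
    """Parse prefix lines into a list of (3-byte OUI, vendor name)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            oui, _, vendor = line.partition(" ")
            entries.append((bytes.fromhex(oui), vendor.strip()))
    return entries


def resolve_spoof_mac(spec, prefixes, rng=None):
    """Apply the documented rules in order; return (6-byte MAC, rule used)."""
    rng = rng or random.SystemRandom()

    def fill(n):
        return bytes(rng.randrange(256) for _ in range(n))

    if spec == "0":                                  # rule 1: fully random
        return fill(6), "random"
    if HEX_PAIRS.fullmatch(spec):                    # rule 2: hex, colons optional
        fixed = bytes.fromhex(spec.replace(":", ""))
        if len(fixed) > 6:
            raise ValueError("more than 12 hex digits")
        return fixed + fill(6 - len(fixed)), "hex"
    for oui, vendor in prefixes:                     # rule 3: vendor substring
        if spec.lower() in vendor.lower():
            return oui + fill(3), "vendor:" + vendor
    raise ValueError("not 0, hex, or a known vendor: %r" % spec)


def claimed_vendor(mac, prefixes):
    """What an OUI lookup in an asset inventory would report for this MAC."""
    for oui, vendor in prefixes:
        if mac[:3] == oui:
            return vendor
    return None


def fmt(mac):
    return ":".join("%02X" % b for b in mac)


if __name__ == "__main__":
    table = load_prefixes(SAMPLE_MAC_PREFIXES)
    for arg in ("Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", "Cisco"):
        mac, rule = resolve_spoof_mac(arg, table)
        print("%-18s %-24s %s  OUI lookup: %s"
              % (arg, rule, fmt(mac), claimed_vendor(mac, table)))
```

Because a vendor-name argument yields a valid OUI for that vendor, an OUI lookup identifies only what the frame claims, not the hardware that sent it.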

o Applied an enormous nmap-service-probes (version detection) update
  from SoC student Doug Hoyte (doug(a)hcsw.org).  Version 3.81 had
  1064 match lines covering 195 service protocols.  Now we have 2865
  match lines covering 359 protocols!  So the database size has nearly
  tripled!  This should make your -sV scans quicker and more
  accurate.  Thanks also go to the (literally) thousands of you who
  submitted service fingerprints.  Keep them coming!

o Applied a massive OS fingerprint update from Zhao Lei
  (zhaolei(a)gmail.com).  About 350 fingerprints were added, and many
  more were updated.  Notable additions include Mac OS X 10.4 (Tiger),
  OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along
  with a new "robotic pet" device type category), the latest Linux 2.6
  kernels, Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64
  UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO
  3.8.X, and Solaris 10.  Of course there are also tons of new
  broadband routers, printers, WAPs and pretty much any other device
  you can coax an ethernet cable (or wireless card) into!

o Added 'leet ASCII art to the configurator!  ARTIST NOTE: If you think
  the ASCII art sucks, feel free to send me alternatives.  Note that
  only people compiling the UNIX source code get this. (ASCII artist
  unknown).

o Added OS, device type, and hostname detection using the service
  detection framework.  Many services print a hostname, which may be
  different than DNS.  The services often give more away as well.  If
  Nmap detects IIS, it reports an OS family of "Windows".  If it sees
  HP JetDirect telnetd, it reports a device type of "printer".  Rather
  than try to combine TCP/IP stack fingerprinting and service OS
  fingerprinting, they are both printed.  After all, they could
  legitimately be different.  An IP that gives a stack fingerprint
  match of "Linksys WRT54G broadband router" and a service fingerprint
  of Windows based on Kazaa running is likely a common NAT setup rather
  than an Nmap mistake.

o Nmap on Windows now compiles/links with the new WinPcap 3.1
  header/lib files. So please upgrade to 3.1 from
  http://www.winpcap.org before installing this version of Nmap.
  While older versions may still work, they aren't supported with Nmap.

o The official Nmap RPM files are now compiled statically for better
  compatibility with other systems.  X86_64 (AMD Athlon64/Opteron)
  binaries are now available in addition to the standard i386.  NmapFE
  RPMs are no longer distributed by Insecure.Org.

o Nmap distribution signing has changed. Release files are now signed
  with a new Nmap Project GPG key (KeyID 6B9355D0).  Fyodor has also
  generated a new key for himself (KeyID 33599B5F).  The Nmap key has
  been signed by Fyodor's new key, which has been signed by Fyodor's
  old key so that you know they are legit.  The new keys are available
  at http://nmap.org/data/nmap_gpgkeys.txt , as
  docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public
  keyserver network.  Here are the fingerprints:
    pub  1024D/33599B5F 2005-04-24
         Key fingerprint = BB61 D057 C0D7 DCEF E730  996C 1AF6 EC50 3359 9B5F
    uid  Fyodor 
    sub  2048g/D3C2241C 2005-04-24

    pub  1024D/6B9355D0 2005-04-24
         Key fingerprint = 436D 66AB 9A79 8425 FDA0  E3F8 01AF 9F03 6B93 55D0
    uid  Nmap Project Signing Key (http://www.insecure.org/)
    sub  2048g/A50A6A94 2005-04-24
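
A check of imported keys against the full fingerprints printed above, as an added Python example (not part of the Nmap distribution).  The colon-format sample is constructed and reduced to "fpr" records, and its second record is a made-up key whose short ID collides with 6B9355D0, which is why the comparison uses all 40 hex digits rather than the 8-digit KeyID.

```python
# Fingerprints as printed in the changelog entry above, keyed by short KeyID.
PUBLISHED = {
    "33599B5F": "BB61 D057 C0D7 DCEF E730  996C 1AF6 EC50 3359 9B5F",
    "6B9355D0": "436D 66AB 9A79 8425 FDA0  E3F8 01AF 9F03 6B93 55D0",
}

# Constructed sample, reduced to the "fpr" records of
# `gpg --with-colons --fingerprint` output (fingerprint is the 10th field).
# The second record is a made-up key that shares the short ID 6B9355D0.
SAMPLE_COLON_OUTPUT = """\
fpr:::::::::436D66AB9A798425FDA0E3F801AF9F036B9355D0:
fpr:::::::::00112233445566778899AABBCCDDEEFF6B9355D0:
fpr:::::::::BB61D057C0D7DCEFE730996C1AF6EC5033599B5F:
"""


def normalize(fingerprint):
    """Strip the grouping spaces gpg prints and upper-case the hex."""
    return "".join(fingerprint.split()).upper()


def keyring_fingerprints(colon_output):
    """Yield each fingerprint found in colon-format output."""
    for record in colon_output.splitlines():
        fields = record.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            yield fields[9].upper()


def classify(colon_output, published=PUBLISHED):
    """Map each fingerprint to 'matches-published', 'short-id-collision' or 'unknown'."""
    expected = {kid: normalize(fp) for kid, fp in published.items()}
    verdicts = {}
    for fp in keyring_fingerprints(colon_output):
        if fp in expected.values():
            verdicts[fp] = "matches-published"
        elif fp[-8:] in expected:
            # Same 8-digit KeyID as a published key, different key material.
            verdicts[fp] = "short-id-collision"
        else:
            verdicts[fp] = "unknown"
    return verdicts


if __name__ == "__main__":
    for fp, verdict in classify(SAMPLE_COLON_OUTPUT).items():
        print(fp, verdict)
```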

o Fixed a crash problem related to non-portable varargs (vsnprintf)
  usage. Reports of this crash came from Alan William Somers
  (somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
  This crash was prevalent on Linux boxes running an Opteron/Athlon64
  CPU in 64-bit mode.

o Fixed crash when Nmap is compiled using gcc 4.X by adding the
  -fno-strict-aliasing option when that compiler is detected.  Thanks
  to Greg Darke (starstuff(a)optusnet.com.au) for discovering that
  this option fixes (hides) the problem and to Duilio J. Protti
  (dprotti(a)flowgate.net) for writing the configure patch to detect
  gcc 4 and add the option.  A better fix is to identify and rewrite
  lines that violate C99 alias rules, and we are looking into that.

o Added "rarity" feature to Nmap version detection.  This causes
  obscure probes to be skipped when they are unlikely to help.  Each
  probe now has a "rarity" value.  Probes that detect dozens of
  services such as GenericLines and GetRequest have rarity values of
  1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
  When interrogating a port, Nmap always tries probes registered to
  that port number.  So even WWWOFFLEctrlstat will be tried against
  port 8081 and mydoom will be tried against open ports between 3127
  and 3198.  If none of the registered probes find a match, Nmap tries
  probes that have a rarity less than or equal to its current
  intensity level.  The intensity level defaults to 7 (so that most of
  the probes are done).  You can set the intensity level with the new
  --version_intensity option.  Alternatively, you can just use
  --version_light or --version_all which set the intensity to 2 (only
  try the most important probes and ones registered to the port
  number) and 9 (try all probes), respectively.  --version_light is
  much faster than default version detection, but also a bit less
  likely to find a match.  This feature was designed and implemented
  by Doug Hoyte (doug(a)hcsw.org).

o Added a "fallback" feature to the nmap-service-probes database.
  This allows a probe to "inherit" match lines from other probes.  It
  is currently only used for the HTTPOptions, RTSPRequest, and
  SSLSessionReq probes to inherit all of the match lines from
  GetRequest.  Some servers don't respond to the Nmap GetRequest (for
  example because it doesn't include a Host: line) but they do respond
  to some of those other 3 probes in ways that GetRequest match lines
  are general enough to match.  The fallback construct allows us to
  benefit from these matches without repeating hundreds of signatures
  in the file.  This is another feature designed and implemented
  by Doug Hoyte (doug(a)hcsw.org).
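
The "rarity" selection rule and the "fallback" inheritance from the two entries above, modeled as an added Python example (not Nmap's own code or file format).  The rarity values for GenericLines, GetRequest, WWWOFFLEctrlstat and mydoom and their port registrations come from the text; the HTTPOptions rarity, the GetRequest port, and the substring "match lines" are assumptions made for the sample.

```python
from dataclasses import dataclass


@dataclass
class Probe:
    name: str
    rarity: int
    ports: frozenset = frozenset()   # ports the probe is registered to
    matches: tuple = ()              # (substring, service); stand-in for regex match lines
    fallback: str = None             # probe whose match lines are inherited


# Constructed mini-database; see the lead-in for which values are assumed.
PROBES = [
    Probe("GenericLines", 1, matches=(("SSH-", "ssh"),)),
    Probe("GetRequest", 1, frozenset({80}), (("HTTP/1.", "http"),)),
    Probe("HTTPOptions", 4, fallback="GetRequest"),
    Probe("WWWOFFLEctrlstat", 9, frozenset({8081})),
    Probe("mydoom", 9, frozenset(range(3127, 3199))),
]


def probes_for(port, intensity=7):
    """Order of probes tried against a port at a given intensity.

    Probes registered to the port are always tried, whatever their rarity.
    The rest are tried only if their rarity is <= the intensity level.
    """
    registered = [p for p in PROBES if port in p.ports]
    others = [p for p in PROBES
              if port not in p.ports and p.rarity <= intensity]
    return [p.name for p in registered + others]


def match_response(probe_name, response):
    """Match a response using the probe's own lines, then its fallback chain.

    Returns (service, name of the probe that owns the matching line) or None.
    """
    by_name = {p.name: p for p in PROBES}
    probe, seen = by_name[probe_name], set()
    while probe is not None and probe.name not in seen:
        seen.add(probe.name)             # guard against a fallback loop
        for needle, service in probe.matches:
            if needle in response:
                return service, probe.name
        probe = by_name.get(probe.fallback)
    return None


if __name__ == "__main__":
    print("8081 @ --version_light:", probes_for(8081, 2))
    print("22   @ default (7):    ", probes_for(22))
    print("22   @ --version_all:  ", probes_for(22, 9))
    print(match_response("HTTPOptions", "HTTP/1.1 200 OK\r\nAllow: GET\r\n"))
```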

o Fixed crash with certain --excludefile or
  --exclude arguments.  Thanks to Kurt Grutzmacher
  (grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for
  reporting the problem, and to Duilio J. Protti
  (dprotti(a)flowgate.net) for debugging the issue and sending the
  patch.

o Updated random scan (ip_is_reserved()) to reflect the latest IANA
  assignments.  This patch was sent in by Felix Groebert
  (felix(a)groebert.org).

o Included new Russian man page translation by
  locco_bozi(a)Safe-mail.net.

o Applied patch from Steve Martin (smartin(a)stillsecure.com) which
  standardizes many OS names and corrects typos in nmap-os-fingerprints.

o Fixed a crash found during certain UDP version scans.  The crash was
  discovered and reported by Ron (iago(a)valhallalegends.com) and fixed
  by Doug Hoyte (doug(a)hcsw.com).

o Added --iflist argument which prints a list of system interfaces and
  routes detected by Nmap.

o Fixed a protocol scan (-sO) problem which led to the error message:
  "Error compiling our pcap filter: syntax error".  Thanks to Michel
  Arboi (michel(a)arboi.fr.eu.org) for reporting the problem.

o Fixed an Nmap version detection crash on Windows which led to the
  error message "Unexpected error in NSE_TYPE_READ callback.  Error
  code: 10053 (Unknown error)".  Thanks to Srivatsan
  (srivatsanp(a)adventnet.com) for reporting the problem.

o Fixed some misspellings in docs/nmap.xml reported by Tom Sellers
  (TSellers(a)trustmark.com).

o Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make
  Nmap compile with Cygwin.

o XML "osmatch" element now has a "line" attribute giving the
  reference fingerprint line number in nmap-os-fingerprints.

o Added a distcc probe and a bunch of smtp matches from Dirk Mueller
  (mueller(a)kde.org) to nmap-service-probes.  Also added AFS version
  probe and matches from Lionel Cons (lionel.cons(a)cern.ch).  And
  even more probes and matches from Martin Macok
  (martin.macok(a)underground.cz).

o Fixed a problem where Nmap compilation would use header files from
  the libpcap included with Nmap even when it was linking to a system
  libpcap.  Thanks to Solar Designer (solar(a)openwall.com) and Okan
  Demirmen (okan(a)demirmen.com) for reporting the problem.

o Added configure option --with-libpcap=included to tell Nmap to use
  the version of libpcap it ships with rather than any that may already be
  installed on the system.  You can still use --with-libpcap=[dir] to
  specify that a system libpcap be installed rather than the shipped
  one.  By default, Nmap looks at both and decides which one is likely
  to work best.  If you are having problems on Solaris, try
  --with-libpcap=included .

o Changed the --no-stylesheet option to --no_stylesheet to be
  consistent with all of the other Nmap options.  Though I'm starting to
  like hyphens a bit better than underscores and may change all of the
  options to use hyphens instead at some point.

o Added "Exclude" directive to nmap-service-probes grammar which
  causes version detection to skip listed ports.  This is helpful for
  ports such as 9100.  Some printers simply print any data sent to
  that port, leading to pages of HTTP requests