With the implementation of Windows XP Service Pack 2 (SP2), Microsoft has removed the ability to create TCP frames through the raw sockets Application Programming Interface (API). UDP packets with spoofed IP addresses are also prevented with SP2. To work around these SP2 raw socket issues, nmap was modified to create raw Ethernet frames instead of raw TCP/IP frames. This fix allows most of the nmap options to work properly, although nmap’s raw socket functions can now only create frames on Ethernet networks.
Microsoft also implemented another TCP/IP stack change to Windows XP SP2 that limits the number of simultaneous outbound TCP connections. This has a chilling effect on nmap’s TCP connect() scan (-sT), since this scan normally creates many TCP connections. There is at least one non-Microsoft patch that removes this limitation, but the use of this patch is outside the scope of this tutorial. The nmap-hackers mailing list archive has more information on Microsoft’s changes and some of the workarounds: