From the NMAP mailing list...

Hello everyone,

I am pleased to announce the release of Nmap 3.9999. From the version number, you can probably guess that we are getting very close to the big 4.0 release. But this version has many changes, so I wanted to give you a chance to fully test it out before releasing 4.0. Please let me know if you find any problems in the next few days.

Now back to the changes -- I think you'll like these. One new feature is runtime integration, which allows you to press [enter] at any time for a status report with an estimated completion time for the current scan. Another is asynchronous DNS, which speeds up large network scans as Nmap doesn't have to resolve each IP serially using the
(slow) host resolver anymore. Windows users may appreciate that there is now an executable installer -- nmap-3.9999-setup.exe, which takes care of things like WinPcap and the registry performance improvements for you. The traditional Windows .zip file format is still available as well. The version detection database has been updated with all remaining 2005 service submissions. It now contains 3,153 signatures for 381 service protocols. Please keep those submissions coming in '06! Nmap has some new options, such as --max-retries and --badsum. And there is more in the CHANGELOG below.

As usual, you can find the goods at:

Enjoy, and let me know (see ) if you find any problems. Here are the changes since 3.95:

o Added run time interaction as documented at .
While Nmap is running, you can now press 'v' to increase verbosity,
'd' to increase the debugging level, 'p' to enable packet tracing,
or the capital versions (V,D,P) to do the opposite. Any other key
(such as enter) will print out a status message giving the estimated
time until scan completion. Most of this work was done by Paul
Tarjan (ptarjan(a), Andrew Lutomirski
(luto(a), and Gisle Vanem (giva(a)

o Reverse DNS resolution is now done in parallel rather than one at a
time. All scans of large networks (particularly list, ping and
just-a-few-ports scans) should benefit substantially from this
change. If you encounter any problems, please let us know. The new
--system_dns option was added so you can use the (slow) system
resolver if you prefer that for some reason. You can specify a
comma separated list of DNS server IP addresses for Nmap to use with
the new --dns_servers option. Otherwise, Nmap looks in
/etc/resolve.conf (UNIX) or the system registry (Windows) to obtain
the nameservers already configured for your system. This excellent
patch was written by Doug Hoyte (doug(a)

o Created a Windows executable installer using the open source NSIS
(Nullsoft Scriptable Install System). It handles Pcap installation,
registry performance changes, and adding Nmap to your cmd.exe
executable path. The installer source files are in mswin32/nsis/ .
Thanks to Google SoC student Bo Jiang (jiangbo(a) for
creating the initial version.

o Integrated all remaining 2005 service submissions. The DB now has
surpassed 3,000 signatures for the first time. There now are 3,153
signatures for 381 service protocols. Those protocols span the
gamut from abc, acap, afp, and afs to zebedee, zebra, and
zenimaging. It even covers obscure protocols such as http, ftp,
smtp, and ssh . Thanks to Version Detection Czar Doug Hoyte for
his excellent work on this.

o Added --max-retries option for capping the maximum number of
retransmissions the port scan engine will do. The value may be as low
as 0 (no retransmits). A low value can increase speed, though at the
risk of losing accuracy. The -T4 option now allows up to 6 retries,
and -T5 allows 2. Thanks to Martin Macok
(martin.macok(a) for writing the initial patch, which I
changed quite a bit. I also updated the docs to reflect this neat
new option.

o Added the --badsum option, which causes Nmap to use invalid TCP or
UDP checksums for packets sent to target hosts. Since virtually all
host IP stacks properly drop these packets, any responses received
are likely coming from a firewall or IDS that didn't bother to
verify the checksum. For more details on this technique, see . The author of that
paper, Ed3f (ed3f(a), is also the author of this patch
(which I changed it a bit).

o Many of the Nmap low-level timing options take a value in
milliseconds. You can now append an 's', 'm', or 'h' to the value
to give it in seconds, minutes, or hours instead. So you can specify a
45 minute host timeout with --host_timeout 45m rather than specifying
--host_timeout 2700000 and hoping you did the math right and have the
correct number of zeros. This also now works for the
--min_rtt_timeout, --max_rtt_timeout, --initial_rtt_timeout,
--scan_delay, and --max_scan_delay options.

o Fixed a problem which led to the error message "Failed to determine
dst MAC address for target" when you try to run Nmap using a
dialup/PPP adapter on Windows rather than a real ethernet card. Due
to Microsoft breaking raw sockets, No longer supports dialup adapters, but
it should now give you a clearer error message than the "dst MAC
address" nonsense.

o The 26 Nmap commands that previously included an underscore
(--max_rtt_timeout, --send_eth, --host_timeout, etc.) have been
renamed to use a hyphen in the preferred format
(i.e. --max-rtt-timeout). Underscores are still supported for
backward compatibility.

o Improved the NmapFE port to GTK2 so it better-conforms to the new
API and you don't get annoying GTK-WARNING and GTK-CRITICAL messages
in your terminal window. GTK2 is prettier and more functional too.
Thanks to Priit Laes (amd(a) for writing these excellent

o Changed the way the __attribute__ compiler extension is detected so
that it works with the latest Fedora Core 4 updates (and perhaps other
systems). Thanks to Duilio Protti (dprotti(a) for
writing the patch. The compilation error message this fixes was
usually something like: "nmap.o(.rodata+0x17c): undefined reference
to `__gthrw_pthread_cancel(unsigned long)"

o Added some exception handling code to mswin32/ to prevent
Nmap from crashing mysteriously when you have WinPcap 3.0 or earlier
(instead of the required 3.1). It now prints an error message instead
asking you to upgrade, then reduces functionality to connect()-only
mode. I couldn't get it working with the C++ standard try/catch()
blocks, but as soon as I used the nonstandard MS conventions
(__try/__except(), everything worked fine. Shrug.

o Stripped the firewall API out of the libdnet included with Nmap
because Nmap doesn't use it anyway. This saves space and reduces the
likelihood of compilation errors and warnings.

o Modified the previously useless --noninteractive option so that it
deactivates runtime interaction.

o Debian GNU/kFreeBSD is now supported thanks to a patch to libdnet's by Petr Salinger (Petr.Salinger(a)

o Tried to update to the latest autoconf only to find that there
hasn't been a new version in more than two years . I was able to
find new config.sub and config.guess files at , so I updated to

o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE

o Updated nmap-protocols with the latest IEEE internet protocols
assignments (

o Updated the Nmap version number and related fields that MS Visual
Studio places in the binary. This was done by editing

o Fixed a problem with the -e option when run on Windows (or UNIX with
--send_eth) when run on an ethernet network against an external
(routed) host. You would get the message "NmapArpCache() can only
take IPv4 addresses. Sorry". Thanks to KX (kxmail(a) for
helping to track down the problem.

o Made some changes to allow source port zero scans (-g0). Nmap used
to refused to do this, but now it just gives a warning that it may not
work on all systems. It seems to work fine on my Linux box. Thanks
to Bill Dale (bill_dale(a) for suggesting this feature.

o Made a change to libdnet so that Windows interfaces are listed as
down if they are disconnected, unplugged, or otherwise unavailable.

o Ceased including foreign translations in the Nmap tarball as they
take up too much space. HTML versions can be found at , while XML and NROFF versions
are available from .

o Changed INSTALL and README-WIN32 files to mostly just reference the
new Nmap Install Guide at .

o Upgraded the included LibPCRE from version 6.3 to 6.4. There was a
report of version detection crashes on the new Intel-based MACs with

o Included docs/nmap-man.xml in the tarball distribution, which is the
DocBook XML source for the Nmap man page. Patches to Nmap that are
user-visible should include patches to the man page XML source rather
than to the generated Nroff.

o Fixed Nmap so it doesn't crash when you ask it to resume a previous
scan, but pass in a bogus file rather than actual Nmap output. Thanks
to Piotr Sobolewski (piotr_sobolewski(a) for the fix.

o Fixed compilation to again work with gcc-derivatives such as
MingW. Thanks to Gisle Vanem (giva(a) for sending the