Nmap Development mailing list archives

Nmap output behavior question


From: "Thomas Tavaris J (Tavaris)" <tjthomas () LGSInnovations com>
Date: Fri, 22 May 2009 09:28:05 -0400

Hi devs,

I realize that I am not running the most recent version of Nmap (using
4.76), but while running various scans I noticed strange results being
reported when generating the fingerprint of the remote host.
In particular, the SEQ, IE, and U1 tests are reporting multiple results
in the generated fingerprint (i.e. one IE(R=Y....) and an IE(R=N) for
the same host?!?!?!?!, multiple SEQ and U1 lines (see below), etc.).
Could anyone explain this?

(nmap command used for scanning at the very bottom of this message)

-Tavaris

Here are some examples of generated fingerprints I am seeing:
(*) = Dupes
#EX 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(*) SEQ(SP=102%GCD=1%ISR=10A%TI=Z%II=RI%TS=U)
(*) SEQ(SP=102%GCD=1%ISR=108%TI=Z%II=RI%TS=U)
(*) SEQ(SP=FF%GCD=1%ISR=10C%TI=Z%II=RI%TS=U)
(*) SEQ(SP=FD%GCD=1%ISR=10F%TI=Z%II=RI%TS=U)
(*) SEQ(SP=101%GCD=1%ISR=108%TI=Z%II=RI%TS=U)
OPS(O1=M5B4W0NSLL%O2=M578W0NSLL%O3=M280W0L%O4=M1F4W0NSLL%O5=M218W0NSLL%O6=M109SLL)
WIN(W1=4000%W2=4000%W3=4000%W4=4000%W5=4000%W6=4000)
ECN(R=Y%DF=Y%T=FF%W=4000%O=M5B4W0NSLL%CC=N%Q=)
T1(R=Y%DF=Y%T=FF%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=N%T=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
(*) U1(R=Y%DF=N%T=FF%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
(*) U1(R=N)
IE(R=Y%DFI=S%T=FF%TOSI=S%CD=S%SI=S%DLI=S)

#EX 2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEQ(SP=102%GCD=1%ISR=10F%TI=RD%II=RI%TS=U)
SEQ(SP=104%GCD=1%ISR=10C%TI=RD%TS=U)
OPS(O1=M5B4%O2=M578%O3=M280%O4=M218%O5=M218%O6=M109)
WIN(W1=1020%W2=1020%W3=1020%W4=1020%W5=1020%W6=1020)
ECN(R=Y%DF=Y%T=101%W=1020%O=M5B4%CC=N%Q=)
ECN(R=N)
T1(R=Y%DF=Y%T=101%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=101%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=101%W=1020%S=O%A=S+%F=AS%O=M5B4%RD=0%Q=)
T3(R=N)
T4(R=Y%DF=N%T=101%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T4(R=N)
T5(R=Y%DF=N%T=101%W=0%S=A%A=S+%F=AR%O=%RD=0%Q=)
T5(R=N)
T6(R=Y%DF=N%T=101%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T6(R=N)
T7(R=Y%DF=N%T=101%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)
T7(R=N)
(*) U1(R=Y%DF=N%T=101%TOS=C0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
(*) U1(R=N)
(*) IE(R=Y%DFI=S%T=101%TOSI=S%CD=S%SI=S%DLI=S)
(*) IE(R=N)


#EX 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
T5(R=Y%DF=N%T=100%W=0%S=A%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=100%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=FF%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=100%TOS=C0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
(*) IE(R=Y%DFI=N%T=100%TOSI=S%CD=S%SI=S%DLI=S)
(*) IE(R=Y%DFI=N%T=FF%TOSI=S%CD=S%SI=S%DLI=S)


Here is the command I used:
<!-- Nmap 4.76 scan initiated Fri May 8 09:48:17 2009 as: nmap -F -d -n
-vvv -oA master-nmap-list -O -&#45;osscan-guess -->
<nmaprun scanner="nmap" args="nmap -F -d -n -vvv -oA master-nmap-list -O
-&#45;osscan-guess start="1241790497" startstr="Fri May 8 09:48:17 2009"
version="4.76" xmloutputversion="1.02">


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
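
Added example, not part of the original message and not Nmap's own code: a small Python parser that groups fingerprint test lines by test name and lists which attributes differ between repeated lines of the same test. The sample input is constructed from a subset of the lines in example 2 above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the test lines from example 2 in the post.
SAMPLE = """\
SEQ(SP=102%GCD=1%ISR=10F%TI=RD%II=RI%TS=U)
SEQ(SP=104%GCD=1%ISR=10C%TI=RD%TS=U)
OPS(O1=M5B4%O2=M578%O3=M280%O4=M218%O5=M218%O6=M109)
ECN(R=Y%DF=Y%T=101%W=1020%O=M5B4%CC=N%Q=)
ECN(R=N)
(*) IE(R=Y%DFI=S%T=101%TOSI=S%CD=S%SI=S%DLI=S)
(*) IE(R=N)
"""

# Optional "(*)" marker (the poster's own annotation), test name, then body.
LINE_RE = re.compile(r"^(?:\(\*\)\s*)?([A-Z][A-Z0-9]*)\((.*)\)$")

def parse_fingerprint(text):
    """Return {test_name: [{attr: value}, ...]}, keeping every occurrence."""
    tests = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, separators, halves of mail-wrapped lines
        name, body = m.groups()
        attrs = {}
        for pair in filter(None, body.split("%")):
            key, _, value = pair.partition("=")
            attrs[key] = value
        tests[name].append(attrs)
    return dict(tests)

def repeated_tests(tests):
    """For each test seen more than once, map differing attributes to their values."""
    report = {}
    for name, runs in tests.items():
        if len(runs) < 2:
            continue
        diffs = {}
        for key in sorted({k for run in runs for k in run}):
            values = [run.get(key) for run in runs]  # None: absent in that line
            if len(set(values)) > 1:
                diffs[key] = values
        report[name] = diffs
    return report

if __name__ == "__main__":
    for name, diffs in repeated_tests(parse_fingerprint(SAMPLE)).items():
        print(name, diffs)
```

Lines that the mail client wrapped in two are skipped by the parser, so rejoin them before feeding in a fingerprint copied from an e-mail.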

