Nmap Development mailing list archives

Fwd: nmap-os-db question


From: <ludeksubrt () email cz>
Date: Mon, 28 Jan 2019 13:26:57 +0100 (CET)


"
Hello nmap gurus,




I am a fan of nmap and especially OS detection. But one thing is still
unclear. In the nmap-os-db the value T= is usually a range. For example
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=) where T is in the range
3B(59)-45(69), which is exactly 5 away from the expected value 0x40(64).
When I perform some test scans in a lab environment (all in the same LAN)
the scan output looks like T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=) and there
the T equals the expected OS value 64.


I would theoretically understand if the db had 3B-40, but why 45? I have
tried some calculations and played with endianness, but I wasn't able to
figure out or even create a hypothesis when the initial TTL for the OS could
be 0x45 or in the range between 0x40-0x45.


Can you help me to understand this last piece of nmap os fingerprinting for
which I have trouble sleeping :-)




Thank you very much




Ludek

"
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
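The comparison described in the message, as an added example that is not part of the original post and is not Nmap's own matching code: it parses the two T1 lines quoted above and checks each observed value against the reference expression. It assumes a simplified expression syntax (exact values, `|` alternatives and hexadecimal `lo-hi` ranges); the function names are hypothetical.

```python
import re

# The two T1 lines quoted in the message above.
REFERENCE = "T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)"
OBSERVED = "T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)"


def parse_test(line):
    """Split 'T1(K=V%K=V...)' into (test_name, {key: expression})."""
    m = re.fullmatch(r"\s*(\w+)\((.*)\)\s*", line)
    if not m:
        raise ValueError(f"not a test line: {line!r}")
    fields = {}
    for item in m.group(2).split("%"):
        key, _, expr = item.partition("=")
        fields[key] = expr
    return m.group(1), fields


def value_matches(expr, observed):
    """True if the observed value satisfies one alternative of expr."""
    for alt in expr.split("|"):
        if alt == observed:  # exact match, also covers empty values (Q=)
            return True
        lo, sep, hi = alt.partition("-")
        if sep:  # candidate hexadecimal range such as 3B-45
            try:
                if int(lo, 16) <= int(observed, 16) <= int(hi, 16):
                    return True
            except ValueError:
                pass  # not hexadecimal on one side, so not a range
    return False


def mismatches(reference_line, observed_line):
    """Keys present in both lines whose observed value fails the reference."""
    ref_name, ref = parse_test(reference_line)
    obs_name, obs = parse_test(observed_line)
    if ref_name != obs_name:
        raise ValueError("lines describe different tests")
    return [k for k, expr in ref.items()
            if k in obs and not value_matches(expr, obs[k])]


if __name__ == "__main__":
    print("mismatching fields:", mismatches(REFERENCE, OBSERVED))
```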
