Re, tcplog is part of iplogger-1.2. From tcplog.c: #ifdef DETECT_BOGUS /* Nmap and Queso use a bogus tcp flag to "fingerprint" OS'es.. */ if ((hdr.tcp.th_flags & TH_BOG) && last_bogus != hdr.ip.ip_src.s_addr) { last_bogus = hdr.ip.ip_src.s_addr; syslog(LEVEL, "bogus tcp flags set by %s (%s)", hostlookup(hdr.ip.ip_src.s_addr, (syncount != SYN_FLOOD)), inet_ntoa(hdr.ip.ip_src)); } #endif But this isn't enough: the Ymas (0x80) bogus flag must also be logged. Try hping -Y to test whether your port scanning detector has the same problem. Problem noticed with ntf <[EMAIL PROTECTED]>. Here is the patch (but I think it's better to rewrite) --- tcplog.c Mon Jul 19 05:32:58 1999 +++ tcplog-new.c Mon Jul 19 05:46:48 1999 @@ -59,6 +59,7 @@ #ifdef DETECT_BOGUS # define TH_BOGUS 0x40 +# define TH_OTHER_BOG 0x80 # define TH_BOG TH_BOGUS #endif @@ -133,7 +134,7 @@ #ifdef DETECT_BOGUS /* Nmap and Queso use a bogus tcp flag to "fingerprint" OS'es.. */ - if ((hdr.tcp.th_flags & TH_BOG) && last_bogus != hdr.ip.ip_src.s_addr) { + if ((((hdr.tcp.th_flags & TH_BOG) || (hdr.tcp.th_flags & +TH_OTHER_BOG))) && last_bogus != hdr.ip.ip_src.s_addr) { last_bogus = hdr.ip.ip_src.s_addr; syslog(LEVEL, "bogus tcp flags set by %s (%s)", hostlookup(hdr.ip.ip_src.s_addr, (syncount != SYN_FLOOD)), inet_ntoa(hdr.ip.ip_src)); } ciao, antirez -- Salvatore Sanfilippo - antirez - [EMAIL PROTECTED] try hping: http://www.kyuzz.org/antirez [EMAIL PROTECTED]
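Review bot: The rewritten condition in the second hunk is unnecessary if the first hunk folds the new bit into the existing mask, `# define TH_BOG (TH_BOGUS | TH_OTHER_BOG)`, which leaves the test as `hdr.tcp.th_flags & TH_BOG` and avoids the extra parentheses. As posted, the added `if` line appears to have been wrapped by the mailer (`+TH_OTHER_BOG))) && ...` begins its own `+` line), so the hunk's line count probably no longer matches the `@@ -133,7 +134,7 @@` header and the patch may not apply cleanly. The two defines also deserve a comment such as `/* 0x40 and 0x80: reserved TCP flag bits, set by OS-fingerprinting probes */`. RFC 3168 later assigned these bits to ECE and CWR, so on ECN-enabled traffic this check would log ordinary hosts as scanners unless ECN negotiation is excluded. The enclosing function starts and ends outside the hunk.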