I ran this test to see how often the closed-port TCP probes (T5, T6, & T7) are replied to.
nmap -iR 10000 -n --top-ports 25 -O -d -oN os-ci-2.nmap
# Nmap done -- 10000 IP addresses (693 hosts up) scanned in 1815.26 seconds
The nmap-closed-ipid branch prints out information like
Closed-port TCP samples for xx.xx.xx.xx: T5 T6 --
meaning that the T5 and T6 probes got a response but T7 didn't. Here is how often each combination of replies appeared.
grep ^Closed os-ci-2.nmap | sort | uniq | sed -e 's/.*: //' | sort | uniq -c
| 72 | (41%) | T5 | T6 | T7 | (all three probes were replied to) |
| 56 | (32%) | – | – | – | (no probes were replied to) |
| 33 | (19%) | T5 | T6 | – | (T5 and T6 were replied to) |
| 11 | ( 6%) | T5 | – | – | (only T5 was replied to) |
| 2 | ( 1%) | T5 | – | T7 | (T5 and T7 were replied to) |
174 hosts are represented here. The difference between the 693 hosts up and the 174 with a Closed-port TCP samples line is because 519 hosts get enough sequencing responses to have a SEQ line.
I extracted all the SEQ lines with
../osprintsunwrap.pl os-ci-2.nmap | grep SEQ > seq
grep ^SEQ os-ci-2.nmap >> seq
grep -o -E 'TI=[^%)]*(%CI=[^%)]*)?' seq | sort | uniq -c | sort -r -g
| 51 | TI=I |
| 46 | TI=I%CI=I |
| 32 | TI=Z |
| 29 | TI=Z%CI=Z |
| 14 | TI=RD |
| 11 | TI=Z%CI=I |
| 5 | TI=RD%CI=RD |
| 4 | TI=RI |
| 4 | TI=I%CI=Z |
| 2 | TI=RD%CI=I |
| 2 | TI=I%CI=RD |
| 2 | TI=BI |
| 1 | TI=RD%CI=RI |
| 1 | TI=I%CI=RI |
| 1 | TI=BI%CI=BI |
| 205 | Total |
| 21 | where TI and CI differ. |
Entries in blue are where TI and CI differ. Of those, this is how often each was caused by different combinations of T5, T6, & T7 replies.
| | | T5 T6 T7 | T5 T6 – |
| 11 | TI=Z%CI=I | 11 | 0 |
| 4 | TI=I%CI=Z | 0 | 4 |
| 2 | TI=RD%CI=I | 2 | 0 |
| 2 | TI=I%CI=RD | 2 | 0 |
| 1 | TI=RD%CI=RI | 1 | 0 |
| 1 | TI=I%CI=RI | 1 | 0 |
In short, all the differences came when replies were received to all three probes, except in the case of TI=I CI=Z, where only T5 and T6 were replied to.
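An added example, not part of the original notes: the same TI/CI tally done by parsing each SEQ line into its tests, so that CI is found even when it does not directly follow TI, plus the count of fingerprints where both are present and differ. The sample SEQ lines are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample fingerprint lines (not taken from the scan on this page).
SAMPLE = """\
SEQ(SP=C5%GCD=1%ISR=CB%TI=I%CI=I%II=I%SS=S%TS=8)
SEQ(SP=102%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=A)
SEQ(SP=F8%GCD=1%ISR=FF%TI=Z%CI=Z%II=Z%TS=7)
SEQ(SP=BD%GCD=1%ISR=C3%TI=RD%CI=RI%TS=U)
SEQ(SP=A1%GCD=2%ISR=A9%TI=I%TS=8)
SEQ(CI=I%II=I)
OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7)
"""

SEQ_RE = re.compile(r"SEQ\(([^)]*)\)")

def parse_seq(line):
    """Return the tests of one SEQ line as a dict, or None if it is not a SEQ line."""
    m = SEQ_RE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group(1).split("%"):
        name, sep, value = item.partition("=")
        if sep:
            fields[name] = value
    return fields

def tally_ti_ci(lines):
    """Count (TI, CI) pairs; CI is None when the fingerprint has no CI test."""
    counts = Counter()
    for line in lines:
        fields = parse_seq(line)
        if fields is None or "TI" not in fields:
            continue  # same scope as the grep above, which keys on TI=
        counts[(fields["TI"], fields.get("CI"))] += 1
    return counts

def differing(counts):
    """Keep only the pairs where TI and CI are both present and disagree."""
    return {k: n for k, n in counts.items() if k[1] is not None and k[0] != k[1]}

if __name__ == "__main__":
    counts = tally_ti_ci(SAMPLE.splitlines())
    for (ti, ci), n in counts.most_common():
        print(f"{n:4d} TI={ti}" + (f"%CI={ci}" if ci else ""))
    print(f"{sum(differing(counts).values()):4d} where TI and CI differ")
```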