diff -ur --exclude *.o /home/sw/rh/BUILD/nmap-2.54BETA30/idle_scan.c nmap-2.54BETA30/idle_scan.c
--- idle_scan.cc Sun Oct 14 11:38:26 2001
+++ idle_scan.cc Thu Nov 8 21:07:40 2001
@@ -67,6 +67,7 @@
 int seqclass; /* IPID sequence class (IPID_SEQ_* defined in nmap.h) */
 u16 latestid; /* The most recent IPID we have received from the proxy */
 u16 probe_port; /* The port we use for probing IPID infoz */
+ u16 probe_flags; /* TCP flags for probes (SYN|ACK by default) */
 u16 max_groupsz; /* We won't test groups larger than this ... */
 double current_groupsz; /* Current group size being used ... depends on conditions ... won't be higher than
@@ -124,7 +125,7 @@
 send_tcp_raw(proxy->rawsd, &(proxy->host.source_ip), &(proxy->host.host), base_port + tries , proxy->probe_port, seq_base + (packet_send_count++ * 500) + 1, ack,
- TH_SYN|TH_ACK, 0,
+ proxy->probe_flags, 0,
 NULL, 0, NULL, 0);
 sent++;
 tries++;
@@ -240,12 +241,17 @@
 proxy->max_groupsz = (o.max_parallelism)? o.max_parallelism : 100;
 proxy->max_senddelay = 100000;
+ proxy->probe_flags = TH_SYN|TH_ACK;
 Strncpy(name, proxyName, sizeof(name));
 q = strchr(name, ':');
 if (q) {
 *q++ = '\0';
 proxy->probe_port = strtoul(q, &endptr, 10);
+ if (endptr && *endptr == 's') {
+ proxy->probe_flags = TH_SYN;
+ endptr++;
+ }
 if (*q==0 || !endptr || *endptr != '\0' || !proxy->probe_port) {
 fatal("Invalid port number given in IPID zombie specification: %s", proxyName);
 }
@@ -308,7 +314,7 @@
 /* We can't use decoys 'cause that would screw up the IPIDs */
 send_tcp_raw(proxy->rawsd, &(proxy->host.source_ip), &(proxy->host.host), o.magic_port + probes_sent + 1, proxy->probe_port,
- sequence_base + probes_sent + 1, 0, TH_SYN|TH_ACK,
+ sequence_base + probes_sent + 1, 0, proxy->probe_flags,
 ack, NULL, 0, NULL, 0);
 gettimeofday(&probe_send_times[probes_sent], NULL);
 probes_sent++;
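Review bot: The three `send_tcp_raw()` call sites changed in the hunks at -124, -308 and -418 now read `proxy->probe_flags`, but the only assignment this patch shows is the default in the hunk at -240, so a proxy struct that reaches those calls without passing through that initialisation would send probes with an unset flags value. The functions around all three calls begin outside their hunks, so this cannot be confirmed from here; a short comment at the field saying where it is initialised would help. The field in the -67 hunk is declared `u16` although the `TH_*` bits fit in one byte; if `send_tcp_raw()` takes an 8-bit flags parameter, `u8 probe_flags;` would avoid a silent narrowing at each call.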
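Review bot: In the hunk at -240, the new trailing `s` on the port is undocumented: the branch has no comment and the `fatal()` text below it still only says "Invalid port number", so nothing tells a user or a later maintainer that a port followed by `s` is accepted. A comment such as `/* optional 's' suffix after the port: probe with bare SYN instead of SYN|ACK */` above `if (endptr && *endptr == 's') {` would cover it. Separately, `proxy->probe_port` is a `u16` and takes the `strtoul()` result before anything is range-checked, so a value above 65535 is truncated to some other port rather than rejected; parsing into a local first (`unsigned long port = strtoul(q, &endptr, 10);`) and adding `|| port > 65535` to the existing condition would close that. The `endptr &&` test is redundant because `strtoul()` always stores to `endptr`, though it matches the check already there. The enclosing function starts and ends outside the hunk.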
@@ -418,7 +424,7 @@
 if (probes_sent) usleep(50000);
 send_tcp_raw(proxy->rawsd, first_target, &(proxy->host.v4hostip(), o.ttl, o.magic_port, proxy->probe_port,
- sequence_base + probes_sent + 1, 0, TH_SYN|TH_ACK,
+ sequence_base + probes_sent + 1, 0, proxy->probe_flags,
 ack, NULL, 0, NULL, 0);
 }