From the nmap manual:
Even though an eight-bit field like TTL can never hold values greater than 0xFF,
this test occasionally results in values of 0x100 or higher. This occurs when
a system (could be the source, a target, or a system in between) corrupts or
otherwise fails to correctly decrement the TTL. It can also occur due to asymmetric routes.
The fingerprint file contains TTL values that can exceed 8 bits. Honeyd was just stuffing them into an 8-bit field of the TCP header and causing underflows, resulting in incorrect personality matches. This was somewhat fixed in f0cd3ebfe2d282a8c6245c66173b2bd492b617aa.
However, some personalities (about 56) have hard-coded values for a TTL that are greater than 0xFF. This is used internally in nmap to represent certain conditions, and they aren't real TTL fields. In order to make these 56 or so personalities match correctly, we need to dig through the nmap code and find out what each of these values actually means, and how to mimic the things that cause them with honeyd packets.
A random example of this type of personality, for later testing:
# Huawei S3928P-EI switch VRP software, Version 3.10
# 3Com Switch 4210 26-Port Software Version 3Com OS V3.01.01s56, Bootrom Version is 4.01
# Quidway S5624F, VRP software, Version 3.10, Release 1510P02
Fingerprint 3Com 4210, or Huawei Quidway S3928P-EI or S5624F switch (VRP 3.10)
Class 3Com | embedded || switch
Class Huawei | VRP | 3.X | switch
CPE cpe:/o:huawei:vrp:3 auto
SEQ(SP=FF-109%GCD=1-6%ISR=105-111%TI=I%II=I%SS=S%TS=U)
OPS(O1=M200%O2=M200%O3=M200%O4=M200%O5=M200%O6=M200)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=N%T=100%TG=FF%W=2000%O=M200%CC=N%Q=)
T1(R=Y%DF=N%T=100%TG=FF%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=N%T=100%TG=FF%W=1FC4%S=O%A=O%F=A%O=%RD=0%Q=)
T4(R=Y%DF=N%T=100%TG=FF%W=2000%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=100%TG=FF%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=100%TG=FF%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=100%TG=FF%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
U1(DF=N%T=100%TG=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=0%RUD=G)
IE(DFI=S%T=100%TG=FF%CD=S)
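As an added example (not honeyd's or nmap's code), the following Python script parses a fingerprint in the nmap-os-db line syntax shown above, pulls out every T and TG value, and reports which ones cannot be emitted as a real IP TTL. It assumes only that test lines have the form NAME(attr=val%attr=val), that T/TG values are hexadecimal, and that a value may be an A-B range or A|B alternatives; the embedded fingerprint is a constructed excerpt of the personality quoted above. The "truncated" column shows what a plain 8-bit store of each value yields, which is the failure mode the issue describes: T=100 (0x100) becomes 0x00.

```python
import re

# Constructed excerpt of the personality quoted above (nmap-os-db syntax).
FINGERPRINT = """\
Fingerprint 3Com 4210, or Huawei Quidway S3928P-EI or S5624F switch (VRP 3.10)
Class 3Com | embedded || switch
SEQ(SP=FF-109%GCD=1-6%ISR=105-111%TI=I%II=I%SS=S%TS=U)
ECN(R=Y%DF=N%T=100%TG=FF%W=2000%O=M200%CC=N%Q=)
T1(R=Y%DF=N%T=100%TG=FF%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
U1(DF=N%T=100%TG=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=0%RUD=G)
IE(DFI=S%T=100%TG=FF%CD=S)
"""

# A test line is an upper-case name followed by a parenthesised attribute list.
TEST_LINE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")
MAX_TTL = 0xFF  # largest value an 8-bit IP TTL field can carry


def parse_fingerprint(text):
    """Return {test_name: {attr: raw_value}} for every NAME(...) line."""
    tests = {}
    for line in text.splitlines():
        m = TEST_LINE.match(line.strip())
        if not m:
            continue  # Fingerprint/Class/CPE/comment lines carry no test attributes
        name, body = m.groups()
        attrs = {}
        if body:
            for pair in body.split("%"):
                key, _, val = pair.partition("=")
                attrs[key] = val
        tests[name] = attrs
    return tests


def ttl_candidates(value):
    """Expand a hex T/TG value (single, A-B range, or A|B alternatives) to sorted ints."""
    out = set()
    for alt in value.split("|"):
        if not alt:
            continue
        lo, sep, hi = alt.partition("-")
        lo_i = int(lo, 16)
        hi_i = int(hi, 16) if sep else lo_i
        out.update(range(lo_i, hi_i + 1))
    return sorted(out)


def ttl_report(text):
    """For each test carrying T or TG, record the expanded values, whether every
    one fits an 8-bit TTL, and what an unchecked 8-bit store would emit instead."""
    report = {}
    for name, attrs in parse_fingerprint(text).items():
        for key in ("T", "TG"):
            if key not in attrs:
                continue
            vals = ttl_candidates(attrs[key])
            report[(name, key)] = {
                "values": vals,
                "fits_8bit": all(v <= MAX_TTL for v in vals),
                "truncated": [v & MAX_TTL for v in vals],
            }
    return report


if __name__ == "__main__":
    for (test, key), info in sorted(ttl_report(FINGERPRINT).items()):
        flag = "" if info["fits_8bit"] else "  <-- not a real TTL"
        print(f"{test}.{key}: {info['values']} -> 8-bit store {info['truncated']}{flag}")
```

Run against the excerpt, every T attribute expands to 256, fails the 8-bit check, and would be stored as 0, while every TG=FF stays a valid 255. Pointing the same report at a full nmap-os-db file is a quick way to enumerate the personalities whose T values need special handling rather than a literal TTL.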