From 31c01cf1073d8416dbfc946631ad75e383137160 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 10 Jan 2009 05:23:43 +0100 Subject: [PATCH] portscan: update manpage about --grscan caveats --- extensions/libxt_portscan.man | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/extensions/libxt_portscan.man b/extensions/libxt_portscan.man index 60a4c1a..aaa162f 100644 --- a/extensions/libxt_portscan.man +++ b/extensions/libxt_portscan.man @@ -20,7 +20,11 @@ connection was torn down after completion of the 3-way handshake. \fB--grscan\fR Match if data in the connection only flew in the direction of the remote side, e.g. if the connection was terminated after a locally running daemon sent its -identification. (e.g. openssh) +identification. (E.g. openssh, smtp, ftpd.) This may falsely trigger on +warranted single-direction data flows, usually bulk data transfers such as +FTP DATA connections or IRC DCC. Grab Scan Detection should only be used on +ports where a protocol runs that is guaranteed to do a bidirectional exchange +of bytes. .PP NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan, so be advised to carefully use xt_portscan in conjunction with blocking rules,
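Review bot: The added sentence "Grab Scan Detection should only be used on ports where a protocol runs ..." introduces a name that the visible text never ties to the option it documents. Writing it as "\fB--grscan\fR should only be used on ports ..." would match the entry's own heading and make the restriction unambiguous. In the same hunk, "(E.g. openssh, smtp, ftpd.)" mixes an implementation name, a protocol and a daemon name; naming the protocols consistently (SSH, SMTP, FTP) reads more clearly, particularly since the next sentence cites "FTP DATA connections" as a false-positive source and a reader could take "ftpd" to cover both the control and data channels. "Warranted single-direction data flows" would be clearer as "legitimate". Since the caveat describes false positives, the trailing NOTE about combining xt_portscan with blocking rules, which currently mentions only SYN-scan lookalikes, could point back to this case as well. The unchanged context line "only flew in the direction" should read "flowed" and could be fixed while this paragraph is being edited.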