Packetwatch.net

Port Scanning (Status of Ports)


Here are some ideas I came up with for the port states in Nmap. These are just ideas I haven't finished some of the port states because I'm not sure how to make the checks.

TCP Ports
------------
Open - SYN ACK reply from the remote host, reply came back with the same field values
Closed - RST ACK reply from the remote host, reply came back with the same field values
Filtered - No reply, packet was dropped
Firewalled - Reply came back from packet normalization device, reply came back with altered values

UDP Ports
------------
Open - No reply ?
Closed - ICMP Destination Unreachable (Port Unreachable) reply from the remote host, reply came back with the same field values
Filtered - No reply ?
Firewalled - Reply came back from packet normalization device, reply came back with altered values

Here's some information relating to the firewalled port status. These are two main groups of network devices that can alter packet field values.

  • packet normalization devices: OpenBSD pf, anti-fingerprinting devices, and newer CheckPoint devices
  • routers (hardware and software): routers that interface between two networks with different MTU's and force performance settings, hardware DSL routers do this; Linux and *BSD can alter MSS settings as well

I've been trying to figure out which field values the sender has control over, so that I can determine if a packet-altering network device has modified some field values in a packet I've sent. Here is what I've come up with thus far.

TCP packets
--------------
IP - Source IP Address
IP - Destination IP Address
TCP - Source Port Number
TCP - Destination Port Number
TCP - Sequence Number

UDP packets
--------------
IP - Source IP Address
IP - Destination IP Address
UDP - Source Port Number
UDP - Destination Port Number

Email me if you have any ideas along these lines.


Last modified: Thu Jan 1 00:00:00 1970 UTC
Packetwatch Research 2002-2017.