4 Replies Latest reply on Jan 10, 2011 2:09 PM by SteveSW

    How does the port scanner tool work?


      Hello, I've been studying how port scanners work today and just want to run my thoughts by the group here. I used the port scanner tool in the engineer toolset to collect a packet capture to analyze. What I see is the scanner uses TCP to check each port by sending a SYN packet. If the port on the device does not have a service listening, it responds with a RST, ACK (reset). What's interesting is the scanner checks the same port 2 more times, thus you end up with 6 frames totaling 366 bytes of traffic to check the status of a port. I am a bit misled about the source port from the scanner because it changes with each port check (2398, 2402, 2403, 2404, etc.). Perhaps this is because the scanner is checking ports so fast and multiple ports at once that it cannot use the same port number for everything. Other than that, I noticed something interesting when the scanner checks a port that is open on the client. SSH, for example: the client responds back after the SYN, SYN/ACK, ACK exchange with an SSH protocol message. After that I see a FIN/ACK, ACK, FIN/PSH ACK, and finally an ACK. I don't quite understand the PSH (push flag) yet. Just wondering if I'm on the right track to completely understanding the flow of how this port scanner tool works.
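An added example (not from the post or from the toolset it describes) that reads a capture the way the post does: each scanner source port is one connection attempt, a SYN/ACK reply means open, a RST/ACK reply means closed, and the per-port byte totals show the 6-frame/366-byte cost of checking a closed port three times. The frame records, scanner address 10.0.0.5 and target 10.0.0.9 are constructed assumptions, and it goes one step beyond the post by also reporting ports that never answer at all.

```python
from collections import defaultdict

SCANNER_IP = "10.0.0.5"   # assumed scanner address (constructed)
TARGET_IP = "10.0.0.9"    # assumed scanned host (constructed)
# Constructed frames modelled on the capture described in the post:
# (src_ip, src_port, dst_ip, dst_port, tcp_flags, frame_length_bytes)
SAMPLE_FRAMES = [
    # port 23 closed: SYN answered by RST/ACK, retried twice more from new source ports
    (SCANNER_IP, 2398, TARGET_IP, 23, "SYN", 62),     (TARGET_IP, 23, SCANNER_IP, 2398, "RST,ACK", 60),
    (SCANNER_IP, 2402, TARGET_IP, 23, "SYN", 62),     (TARGET_IP, 23, SCANNER_IP, 2402, "RST,ACK", 60),
    (SCANNER_IP, 2403, TARGET_IP, 23, "SYN", 62),     (TARGET_IP, 23, SCANNER_IP, 2403, "RST,ACK", 60),
    # port 22 open: three-way handshake, SSH banner pushed by the server, then orderly close
    (SCANNER_IP, 2404, TARGET_IP, 22, "SYN", 62),     (TARGET_IP, 22, SCANNER_IP, 2404, "SYN,ACK", 62),
    (SCANNER_IP, 2404, TARGET_IP, 22, "ACK", 54),     (TARGET_IP, 22, SCANNER_IP, 2404, "PSH,ACK", 93),
    (SCANNER_IP, 2404, TARGET_IP, 22, "FIN,ACK", 54), (TARGET_IP, 22, SCANNER_IP, 2404, "ACK", 54),
    (TARGET_IP, 22, SCANNER_IP, 2404, "FIN,PSH,ACK", 54), (SCANNER_IP, 2404, TARGET_IP, 22, "ACK", 54),
    # port 80: SYN sent three times and never answered (e.g. silently dropped by a firewall)
    (SCANNER_IP, 2405, TARGET_IP, 80, "SYN", 62),
    (SCANNER_IP, 2406, TARGET_IP, 80, "SYN", 62),
    (SCANNER_IP, 2407, TARGET_IP, 80, "SYN", 62),
]
HEADER_BYTES = 54  # Ethernet + IPv4 + TCP headers without options; bytes above this are options or payload

def classify_scan(frames):
    """Group frames into connection attempts keyed by the scanner's source port and judge each target port."""
    attempts = defaultdict(list)  # (scanner_port, target_port) -> flag sets the target replied with
    result = defaultdict(lambda: {"state": "no-response", "attempts": 0, "frames": 0, "bytes": 0, "payload": 0})
    for src_ip, sport, dst_ip, dport, flags, length in frames:
        if src_ip == SCANNER_IP:
            key, from_target = (sport, dport), False
        else:
            key, from_target = (dport, sport), True   # reply: flip so the key is still (scanner_port, target_port)
        flagset = set(flags.split(","))
        convo = attempts[key]           # creates the attempt even if the target never answers
        if from_target:
            convo.append(flagset)
        entry = result[key[1]]
        entry["frames"] += 1
        entry["bytes"] += length
        if "PSH" in flagset and length > HEADER_BYTES:
            entry["payload"] += length - HEADER_BYTES   # data pushed to the application, e.g. the SSH banner
    for (_, target), replies in attempts.items():
        entry = result[target]
        entry["attempts"] += 1
        if any({"SYN", "ACK"} <= f for f in replies):
            entry["state"] = "open"
        elif any("RST" in f for f in replies) and entry["state"] != "open":
            entry["state"] = "closed"
    return dict(result)
```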