In this article we explain IP scanning and port scanning.

IP Scan

Checking which IP addresses on a network are live can be categorised as an IP scan. A basic IP scanner sends a ping (ICMP echo request) to each targeted host/IP and waits for an ICMP echo reply until the timeout period ends. The IP addresses that answer with an ICMP echo reply are considered live. Note that a host or firewall that drops ICMP echo requests will appear to be down, so a missing reply does not prove that the address is unused; most modern scanners (nmap, for example) combine ICMP with ARP or TCP probes for host discovery.

ICMP Packet Header Format

(Figure: ICMP packet header format)

An ICMP packet is identified by the "Type" field in its header, which is followed by a "Code" field that refines the type and a 16-bit checksum computed over the whole ICMP message. A type value of 8 means the packet is an ICMP echo request; a type value of 0 means it is an ICMP echo reply.

Other Common ICMP Type Values

  • Type 3- Destination Unreachable
  • Type 5- Redirect Message
  • Type 11- Time Exceeded
  • Type 13- Timestamp
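The following is an added example, not code from the original article: it builds and parses the 8-byte ICMP header described above (type, code, checksum, and the identifier/sequence words that echo messages carry), computes the RFC 1071 one's-complement checksum that every ICMP message must pass, and matches a reply to the request it answers the way a simple pinger does. The echo request and the "port unreachable" message are constructed in-line so the code runs offline; nothing is sent on the network.

```python
import struct

# ICMP type values from RFC 792 (the ones listed in the article)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
ICMP_TIMESTAMP = 13

TYPE_NAMES = {
    ICMP_ECHO_REPLY: "Echo reply",
    ICMP_DEST_UNREACH: "Destination unreachable",
    ICMP_REDIRECT: "Redirect",
    ICMP_ECHO_REQUEST: "Echo request",
    ICMP_TIME_EXCEEDED: "Time exceeded",
    ICMP_TIMESTAMP: "Timestamp",
}

# Code values for type 3; code 3 is the one a UDP scanner looks for
UNREACH_CODES = {0: "Net unreachable", 1: "Host unreachable",
                 2: "Protocol unreachable", 3: "Port unreachable"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length message
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest_of_header: bytes, payload: bytes = b"") -> bytes:
    """Serialise a message: checksum is computed with the checksum field set to zero."""
    assert len(rest_of_header) == 4
    unchecked = struct.pack("!BBH", icmp_type, code, 0) + rest_of_header + payload
    csum = icmp_checksum(unchecked)
    return struct.pack("!BBH", icmp_type, code, csum) + rest_of_header + payload


def build_echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Type 8: identifier and sequence number occupy the second header word."""
    return build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), payload)


def parse_icmp(packet: bytes) -> dict:
    """Decode the common header; a valid message checksums to zero when re-summed."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum = struct.unpack("!BBH", packet[:4])
    info = {
        "type": icmp_type,
        "name": TYPE_NAMES.get(icmp_type, "Unknown"),
        "code": code,
        "checksum_ok": icmp_checksum(packet) == 0,
        "payload": packet[8:],
    }
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["ident"], info["seq"] = struct.unpack("!HH", packet[4:8])
    elif icmp_type == ICMP_DEST_UNREACH:
        info["reason"] = UNREACH_CODES.get(code, "other")
    return info


def matches_request(reply: bytes, request: bytes) -> bool:
    """A pinger accepts a reply only if it is type 0 and echoes the request's ident/seq."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["checksum_ok"] and rep["type"] == ICMP_ECHO_REPLY
            and req["type"] == ICMP_ECHO_REQUEST
            and (rep["ident"], rep["seq"]) == (req["ident"], req["seq"]))


# Constructed sample: a "port unreachable" error; the payload would normally carry the
# offending IP header plus 8 bytes of the original datagram (here just placeholder bytes).
SAMPLE_PORT_UNREACHABLE = build_icmp(ICMP_DEST_UNREACH, 3, b"\x00" * 4, b"\x45\x00" + b"\x00" * 26)

if __name__ == "__main__":
    req = build_echo_request(0x1234, 1, b"abc")
    print(parse_icmp(req))
    print(parse_icmp(SAMPLE_PORT_UNREACHABLE))
```

The checksum check is what lets a scanner discard corrupted or spoofed replies, and the identifier/sequence match is what stops an unrelated echo reply on the wire from being counted as a live host.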

Port Scan

Sending many connection requests to multiple ports on a target host within a short period of time can be classified as a port scan. The motivation behind a port scan varies from user to user, but the main reason is to find open ports, and therefore the services listening on them.

Port Scanning Methods

There are a few commonly used port scanning methods.

  1. TCP connect scanning
    This is the most basic port scanning method. The tool opens a normal TCP connection (a full three-way handshake) to each port on the targeted host. The connection succeeds for open ports; a closed port answers the SYN with a RST and the connection is refused; a port that sends nothing back before the timeout is usually being filtered by a firewall. Because complete connections are made, this method needs no special privileges, but it is also the easiest for the target to log.
  2. UDP scanning
    UDP is a connectionless protocol, so there is no handshake that confirms the state of a port. However, when a UDP packet is sent to a closed port, the host generates an ICMP "port unreachable" error (type 3, code 3). A tool can map these messages to the probed ports to find the closed ones; ports that never answer are reported as open or filtered, since an open UDP service may simply ignore an empty probe. Many hosts rate-limit ICMP errors, which makes UDP scans slow.
  3. SYN scanning
    By TCP/IP basics, the response to a SYN packet sent to an open port is a SYN-ACK. In this method the tool generates and sends a SYN packet to each targeted port on the host. If the port is open, the result is a SYN-ACK; the tool then sends a RST instead of completing the handshake, so a connection is never fully established (hence the name "half-open" scan). If the port is closed, the result is a RST. These results are mapped to the ports. Crafting the packets requires raw socket access, so the tool normally runs as root/administrator.
  4. FIN scanning
    Normal TCP/IP behaviour (RFC 793) is that an open, listening port ignores a lone FIN packet, while a closed port responds to it with a RST. The tool sends a FIN to each port: no response maps to an open (or filtered) port and a RST maps to a closed port. Since no connection attempt is made, this is considered a stealth scanning method. Some TCP/IP stacks, notably Windows, send a RST for every port regardless of its state, so a FIN scan against such hosts reports every port as closed.

Port numbers range from 0 to 65535.
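As an added example (not code from the article), the first method above, the TCP connect scan, implemented with ordinary sockets so that it runs without privileges. It maps the three observable outcomes of a connect attempt to the states a scanner reports: handshake completed (open), RST received (closed), nothing back before the timeout (filtered). The demo starts its own listener on 127.0.0.1 and picks a second, unused loopback port so the scan has a known open and a known closed port to find; those ports are chosen by the OS at run time and are not values from the article. SYN, FIN and UDP scans are not shown because they need raw packets or ICMP error handling rather than a plain connect(). The nmap equivalent of this scan is -sT.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """One TCP connect probe: completes the full three-way handshake if the port is open."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"              # SYN -> SYN-ACK -> ACK completed
    except ConnectionRefusedError:
        return "closed"            # SYN was answered with RST
    except (socket.timeout, OSError):
        return "filtered"          # no answer in time (typically a firewall dropping the SYN)
    finally:
        s.close()                  # tear the connection down; the target still logs it


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5,
                     workers: int = 32) -> Dict[int, str]:
    """Probe many ports concurrently; the thread pool bounds how many sockets are open at once."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def demo_scan() -> Tuple[Dict[int, str], int, int]:
    """Constructed demo: one listening loopback socket (open) and one free port (closed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                            # released again, so nothing listens there
    try:
        results = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, _, _ = demo_scan()
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
```

Against a real target, replace the demo with a call such as tcp_connect_scan("192.0.2.10", range(1, 1025)); the thread count and timeout decide how noisy the scan is, and every "open" result corresponds to a fully logged connection on the remote host.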

TCP Socket Connection

To establish a connection between two sockets, the normal TCP three-way handshake must be completed. The three-way handshake proceeds as follows.

(Figure: 3-way handshake)
  1. HostA sends a SYN packet to HostB with sequence number "a".
  2. HostB replies to HostA with a SYN-ACK packet. It carries HostB's own sequence number "x" and acknowledgement number "a+1".
  3. HostA replies to HostB with an ACK. Its acknowledgement number is "x+1" (and its sequence number is "a+1", because the SYN consumed one sequence number).
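An added example, not from the original article, that models the exchange above with both sides' segments and the sequence/acknowledgement arithmetic using the article's symbols "a" and "x". HostB is modelled as a small state machine (LISTEN, SYN-RECEIVED, ESTABLISHED) that only accepts the third segment when its acknowledgement number is x+1; running the same exchange with complete=False sends a RST in step 3 instead of the ACK, which is exactly what the SYN (half-open) scan described earlier does, so HostB never reaches ESTABLISHED. The HostA/HostB names and the sample initial sequence numbers are illustrative.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    src: str
    dst: str
    flags: str                 # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int
    ack: Optional[int] = None  # only meaningful when the ACK bit is set

    def __str__(self) -> str:
        ack = f" ack={self.ack}" if self.ack is not None else ""
        return f"{self.src} -> {self.dst}: {self.flags} seq={self.seq}{ack}"


class ServerSide:
    """Minimal model of HostB: LISTEN -> SYN-RECEIVED -> ESTABLISHED (or back to LISTEN on RST)."""

    def __init__(self, isn: int):
        self.isn = isn             # "x" in the article
        self.peer_isn = None       # "a", learned from the incoming SYN
        self.state = "LISTEN"

    def receive(self, seg: Segment) -> Optional[Segment]:
        if self.state == "LISTEN" and seg.flags == "SYN":
            self.peer_isn = seg.seq
            self.state = "SYN-RECEIVED"
            # step 2: acknowledge a+1 and announce our own sequence number x
            return Segment(seg.dst, seg.src, "SYN-ACK", seq=self.isn, ack=seg.seq + 1)
        if self.state == "SYN-RECEIVED":
            if seg.flags == "RST":
                self.state = "LISTEN"          # half-open connection torn down (SYN scan)
            elif (seg.flags == "ACK" and seg.ack == self.isn + 1
                  and seg.seq == self.peer_isn + 1):
                self.state = "ESTABLISHED"     # step 3 accepted only with ack == x+1
            # anything else (wrong ack number, stray flags) is ignored
        return None


def run_exchange(a: int, x: int, complete: bool = True) -> Tuple[str, List[Segment]]:
    """Drive the three steps; complete=False answers the SYN-ACK with RST like a SYN scanner."""
    hostb = ServerSide(x)
    trace: List[Segment] = []

    syn = Segment("HostA", "HostB", "SYN", seq=a)                      # step 1
    trace.append(syn)
    synack = hostb.receive(syn)                                        # step 2
    trace.append(synack)
    if complete:
        third = Segment("HostA", "HostB", "ACK", seq=synack.ack, ack=synack.seq + 1)  # step 3
    else:
        third = Segment("HostA", "HostB", "RST", seq=synack.ack)       # scanner aborts instead
    trace.append(third)
    hostb.receive(third)
    return hostb.state, trace


if __name__ == "__main__":
    for complete in (True, False):
        state, trace = run_exchange(a=1000, x=5000, complete=complete)
        print("\n".join(str(s) for s in trace), "=> HostB state:", state, "\n")
```

The acknowledgement check in receive() is why a SYN-ACK cannot be faked by a third party that never saw HostB's sequence number, and the RST path shows why a half-open scan leaves no established connection for the application on HostB to see.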
