Old Apr 14th, 2008, 6:24 PM   #1
joeserhal
port scan detection

Hi there,
I'm currently working on a PROJECT (so it can be clear) regarding port scan detection. I have written code which is able to read all packets arriving on the device, and extract necessary information such as source & destination addresses, destination port, protocol used... Having done this, I have no idea how to proceed next regarding the actual detection of a port scan...
I have some questions regarding this:

1) How can I know if a port being scanned is "open" or not (if the port is closed, and someone sends a packet/request to that port, doesn't it imply that it's an attack??)
2) Also, when I receive the packets, and I want to do a real-time/live detection, should I only read the info in the packets and then determine whether it is an attack and discard the packet after that, OR do I have to store the packets in some way in order to use them later for the detection??

Can anybody provide me with some info regarding this...I really need some help as I do not know how to proceed from this current point?!

Thanks
Old Apr 14th, 2008, 8:34 PM   #2
Wizard1988
Re: port scan detection

Well, for a port being open, I would say you would somehow check if there is a program/service listening for connection requests. For example, if you wanted to get all the active phone numbers in a certain area code you could simply dial them one by one. If someone picks up then you say it is an "open" port. This isn't a perfect analogy, because you would get a different signal, but I hope you still get the point.
Old Apr 15th, 2008, 7:03 AM   #3
Jessehk
Re: port scan detection

I don't know anything about this, but if I wanted to, I would look at the source for nmap. nmap is a fairly popular port-scanner for (Li, U)nix and you might get some ideas from it.
Old Apr 15th, 2008, 7:17 AM   #4
Wizard1988
Re: port scan detection

This might help you a bit http://www.cs.wright.edu/~pmateti/Courses/499/Probing/
Old Apr 15th, 2008, 11:39 AM   #5
joeserhal
Re: port scan detection

Thanks for the info guys...I have another question: Do you know how I can modify the attached file to determine/print the values of the flags in the TCP header (I'm talking about the FIN, SYN, RST, ACK....flags) when I receive the packets??

Thanks again for the info!
Attached Files
File Type: c grab_packets.c (9.5 KB, 4 views)
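Added example, not part of the thread and not taken from the attached grab_packets.c (which is not shown here): one way to read the TCP flags the post asks about from a raw IPv4 packet, with the length checks a capture loop needs. All function and constant names are hypothetical, and the sample packet in main() is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits in byte 13 of the TCP header. */
enum { TCPF_FIN = 0x01, TCPF_SYN = 0x02, TCPF_RST = 0x04,
       TCPF_PSH = 0x08, TCPF_ACK = 0x10, TCPF_URG = 0x20 };

/* Returns the TCP flag byte of a raw IPv4 packet, or -1 if the buffer is
 * not IPv4/TCP, is a non-first fragment, or is too short to hold the flags. */
int tcp_flags_from_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                              /* truncated or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* IP header length, bytes */
    if (ihl < 20 || pkt[9] != 6 ||              /* bad IHL or not TCP */
        (((pkt[6] & 0x1f) << 8) | pkt[7]) != 0) /* later fragment: no TCP header */
        return -1;
    if (len < ihl + 20)
        return -1;                              /* TCP header cut off */
    return pkt[ihl + 13];
}

/* Writes the set flags into out, e.g. "SYN|ACK"; empty string if none. */
char *tcp_flags_to_str(int flags, char *out, size_t outlen)
{
    static const struct { int bit; const char *name; } tab[] = {
        { TCPF_FIN, "FIN" }, { TCPF_SYN, "SYN" }, { TCPF_RST, "RST" },
        { TCPF_PSH, "PSH" }, { TCPF_ACK, "ACK" }, { TCPF_URG, "URG" } };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (!(flags & tab[i].bit)) continue;
        if (out[0]) strncat(out, "|", outlen - strlen(out) - 1);
        strncat(out, tab[i].name, outlen - strlen(out) - 1);
    }
    return out;
}

/* A new connection request has SYN set and ACK clear. */
int is_connection_request(int flags) { return (flags & (TCPF_SYN | TCPF_ACK)) == TCPF_SYN; }

int main(void)
{
    uint8_t pkt[40] = { 0x45 };   /* constructed: 20-byte IP + 20-byte TCP */
    char buf[32];
    pkt[9] = 6; pkt[20 + 13] = TCPF_SYN;
    puts(tcp_flags_to_str(tcp_flags_from_ipv4(pkt, sizeof pkt), buf, sizeof buf));
    return 0;
}
```

If the capture delivers link-layer frames, skip that header (14 bytes for plain Ethernet) before calling tcp_flags_from_ipv4().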
Old Apr 15th, 2008, 1:41 PM   #6
Ka0s
Re: port scan detection

I'm supposing you don't want to do a port scanner but you want to detect if you're being the target of a port scanner, right?

In that case, the next thing I would do is to check if you receive connection requests from the same IP address but to a large number of different ports...
This is not perfect because the one who is port scanning you can spoof his IP address, making connection requests with different IP numbers... but that's up to you to solve (but I don't think there's a real solution to this)