Capturing the Responses

To capture the responding packets, SYNplescan uses the libpcap library. libpcap is covered in detail in Chapter 10.

To capture packets with the SYN and ACK flags set, as well as packets with the SYN and RST flags set, SYNplescan uses the following tcpdump-style filter to specify which packets to capture from the wire:

char *filter = "(tcp[13] == 0x14) || (tcp[13] == 0x12)";

The tcp[13] value refers to the TCP flags byte (byte offset 13) within the TCP header. In this case we compare it to the hardcoded values 0x14 (SYN and RST are set) and 0x12 (SYN and ACK are set). The same two values are then used to tell the user which ports are open or closed, as follows:

  if (tcp->th_flags == 0x14)        /* flags 0x14: reply from a closed port */
    {
      printf ("Port %d appears to be closed\n", ntohs (tcp->th_sport));
      answer = 0;
    }
  else if (tcp->th_flags == 0x12)   /* flags 0x12: reply from an open port */
    {
      printf ("Port %d appears to be open\n", ntohs (tcp->th_sport));
      answer = 0;
    }

In addition to these cases, the SYNplescan tool also handles situations in which no response is obtained from the destination system. In these cases the initial SYN packets or the response packets might be filtered by a firewall. SYNplescan therefore assumes any port that doesn’t respond in a timeout period is filtered.
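The following C program is an added illustration, not code from the book or from SYNplescan, and it touches nothing on the wire: it applies the same classification to constructed 20-byte TCP headers held in memory. It contains a software equivalent of the capture filter "(tcp[13] == 0x14) || (tcp[13] == 0x12)", a source-port extractor doing what ntohs(tcp->th_sport) does, and a classifier that also models the timeout case as filtered. It uses the standard TCP flag bit values (FIN 0x01, SYN 0x02, RST 0x04, PSH 0x08, ACK 0x10), under which 0x12 is SYN|ACK and 0x14 is RST|ACK, the reply a closed port sends back to a SYN. The sample headers, port numbers and the enum and function names are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard TCP flag bits, the same values as the TH_* macros in <netinet/tcp.h>. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10

/* Byte offsets inside a TCP header; offset 13 is what "tcp[13]" means in the filter. */
#define TCP_SPORT_OFFSET 0
#define TCP_FLAGS_OFFSET 13
#define TCP_MIN_HDR_LEN  20

enum port_state { PORT_OPEN, PORT_CLOSED, PORT_FILTERED, PORT_UNKNOWN };

/* Software equivalent of the capture filter "(tcp[13] == 0x14) || (tcp[13] == 0x12)".
 * Returns 1 if libpcap would have handed this header to the scanner, else 0. */
int filter_matches(const uint8_t *tcp, size_t len)
{
    if (tcp == NULL || len < TCP_MIN_HDR_LEN)
        return 0;
    uint8_t flags = tcp[TCP_FLAGS_OFFSET];
    return flags == (TH_RST | TH_ACK) || flags == (TH_SYN | TH_ACK);
}

/* Source port in host byte order, i.e. ntohs(tcp->th_sport) done by hand. */
uint16_t tcp_source_port(const uint8_t *tcp)
{
    return (uint16_t)(((uint16_t)tcp[TCP_SPORT_OFFSET] << 8) | tcp[TCP_SPORT_OFFSET + 1]);
}

/* Classify one probe's outcome. tcp == NULL models the timeout case: no reply
 * within the wait period is reported as filtered, as the text describes. */
enum port_state classify_response(const uint8_t *tcp, size_t len)
{
    if (tcp == NULL)
        return PORT_FILTERED;
    if (len < TCP_MIN_HDR_LEN)
        return PORT_UNKNOWN;          /* truncated capture: do not guess */
    uint8_t flags = tcp[TCP_FLAGS_OFFSET];
    if (flags == (TH_SYN | TH_ACK))   /* 0x12: the peer completed step two of the handshake */
        return PORT_OPEN;
    if (flags == (TH_RST | TH_ACK))   /* 0x14: the peer refused the connection */
        return PORT_CLOSED;
    return PORT_UNKNOWN;              /* anything else is outside the filter's two cases */
}

const char *port_state_name(enum port_state s)
{
    switch (s) {
    case PORT_OPEN:     return "open";
    case PORT_CLOSED:   return "closed";
    case PORT_FILTERED: return "filtered";
    default:            return "unknown";
    }
}

/* Constructed sample replies: 20-byte TCP headers with no options. Only the
 * source port and flags bytes matter to the classifier; other fields are filler. */
const uint8_t reply_from_port_80[TCP_MIN_HDR_LEN] = {
    0x00, 0x50,        /* source port 80 */
    0xc3, 0x50,        /* destination port 50000 (the prober's ephemeral port) */
    0, 0, 0, 0,        /* sequence number */
    0, 0, 0, 0,        /* acknowledgment number */
    0x50,              /* data offset 5 (20 bytes), reserved bits zero */
    TH_SYN | TH_ACK,   /* flags 0x12 */
    0xff, 0xff,        /* window */
    0, 0,              /* checksum (not validated here) */
    0, 0               /* urgent pointer */
};

const uint8_t reply_from_port_23[TCP_MIN_HDR_LEN] = {
    0x00, 0x17,        /* source port 23 */
    0xc3, 0x50,        /* destination port 50000 */
    0, 0, 0, 0,        /* sequence number */
    0, 0, 0, 0,        /* acknowledgment number */
    0x50,              /* data offset 5 */
    TH_RST | TH_ACK,   /* flags 0x14 */
    0, 0,              /* window */
    0, 0,              /* checksum */
    0, 0               /* urgent pointer */
};

int main(void)
{
    const uint8_t *replies[] = { reply_from_port_80, reply_from_port_23, NULL };
    for (size_t i = 0; i < 3; i++) {
        const uint8_t *r = replies[i];
        if (r == NULL) {              /* constructed "no reply" case for port 8080 */
            printf("Port 8080 appears to be %s (no reply before timeout)\n",
                   port_state_name(classify_response(NULL, 0)));
            continue;
        }
        if (!filter_matches(r, TCP_MIN_HDR_LEN))
            continue;                 /* libpcap would never have delivered it */
        printf("Port %u appears to be %s\n", tcp_source_port(r),
               port_state_name(classify_response(r, TCP_MIN_HDR_LEN)));
    }
    return 0;
}
```

The timeout branch is the one to treat with care when reading a scanner's output on your own network: "filtered" here only means "no reply arrived in time", which is also what a dropped packet or a rate-limited host looks like, so a single non-response says less about a firewall rule than a SYN/ACK or RST/ACK says about the port.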
