Capturing the Responses
To capture the responding packets, SYNplescan uses the libpcap library. libpcap is covered in detail in Chapter 10.
To capture packets with the SYN and ACK flags set, as well as packets with the SYN and RST flags set, SYNplescan uses the following tcpdump-style filter to specify packets to capture from the wire:
char *filter = "(tcp[13] == 0x14) || (tcp[13] == 0x12)";
The tcp[13] value refers to the TCP flags byte within the TCP header. In this case we are comparing it to the hardcoded values 0x14 (SYN and RST are set) and 0x12 (SYN and ACK are set). These values are then used to report to the user which ports are open or closed, as follows:
if (tcp->th_flags == 0x14) {
    /* 0x14: RST and ACK bits set, the reply a port with no listener sends */
    printf ("Port %d appears to be closed\n", ntohs (tcp->th_sport));
    answer = 0;
} else if (tcp->th_flags == 0x12) {
    /* 0x12: SYN and ACK bits set, the reply a listening port sends */
    printf ("Port %d appears to be open\n", ntohs (tcp->th_sport));
    answer = 0;
}
In addition to these cases, the SYNplescan tool also handles situations in which no response is obtained from the destination system. In these cases the initial SYN packets or the response packets might be filtered by a firewall. SYNplescan therefore assumes any port that doesn't respond within the timeout period is filtered.
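The three outcomes described above (open, closed, filtered) as an added example that is not SYNplescan's own code: it reproduces the byte-13 test of the capture filter and the flag comparison of the response handler in plain C, without libpcap, against a constructed 20-byte TCP header. The flag constants, the enum and the sample header are assumptions made here; note that 0x14 is the RST and ACK bits (0x04 | 0x10), which is what a closed port actually answers with.

```c
/* Added example, not SYNplescan's own code: the flag checks behind its
 * capture filter and response handler, run against a constructed TCP header. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define TH_SYN 0x02   /* flag bits as laid out in TCP header byte 13 */
#define TH_RST 0x04
#define TH_ACK 0x10
enum port_state { PORT_OPEN, PORT_CLOSED, PORT_FILTERED, PORT_UNKNOWN };

/* Same test as the filter "(tcp[13] == 0x14) || (tcp[13] == 0x12)":
 * byte 13 is the flags byte, 0x12 = SYN|ACK and 0x14 = RST|ACK. */
int filter_matches(const uint8_t *tcp, size_t len)
{
    if (len < 20) return 0;       /* shorter than a minimal TCP header */
    return tcp[13] == (TH_SYN | TH_ACK) || tcp[13] == (TH_RST | TH_ACK);
}

/* The response's source port is the port that was probed: bytes 0-1,
 * big-endian, which is what ntohs(tcp->th_sport) gives in the original. */
uint16_t response_port(const uint8_t *tcp)
{
    return (uint16_t)((tcp[0] << 8) | tcp[1]);
}

/* responded == 0 models the timeout case: neither SYN/ACK nor RST seen. */
enum port_state classify(int responded, uint8_t flags)
{
    if (!responded)
        return PORT_FILTERED;
    if (flags == (TH_SYN | TH_ACK))
        return PORT_OPEN;
    if (flags == (TH_RST | TH_ACK))
        return PORT_CLOSED;
    return PORT_UNKNOWN;          /* the filter would not have passed it */
}

/* Constructed 20-byte TCP header: source port 80, flags byte (offset 13)
 * 0x12, i.e. the SYN/ACK an open port 80 sends back. */
static const uint8_t sample_synack[20] = { 0x00, 0x50, 0x9c, 0x40, 0, 0, 0, 0,
    0, 0, 0, 0, 0x50, 0x12, 0xff, 0xff, 0, 0, 0, 0 };

int main(void)
{
    if (filter_matches(sample_synack, sizeof sample_synack))
        printf("Port %u appears to be %s\n", (unsigned)response_port(sample_synack),
               classify(1, sample_synack[13]) == PORT_OPEN ? "open" : "closed");
    return 0;
}
```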