Protocols and Types of Scans

A few things you should think about when evaluating vendors for network scanners.

One notable aspect of network scanners is their protocol dependence. Most scanners are built around TCP/IP. TCP/IP is what gets routed across the Internet, but a VPN or other "tunnel" connection into your network carries whatever the hosts on it speak, so ideally you should test every protocol enabled on the machines you're trying to secure, not just IP. Unfortunately, few scanners can scan networks with IPX, AppleTalk or other non-IP protocols enabled. When evaluating vendors for network scanners, ask which protocols are supported, but don't be surprised if the list is short.

There are several different types of TCP and UDP port scans. They serve different purposes: discovering open ports on a host behind a firewall (when the firewall's stateful inspection isn't strong enough to catch the probe), gathering more information about the firewall itself, or keeping the scanned computer from noticing the scan. The more popular TCP scan types are TCP connect, SYN, FIN, Xmas Tree and NULL. Apart from connect scanning, which uses the operating system's own TCP stack, these scans work by hand-crafting the TCP header, in particular its flag bits, and reading the target's response. A detailed description of TCP/IP packet parameters is beyond the scope of this article; see www.insecure.org, which documents the Nmap scanner, for more technical detail.

TCP connect scanning is the most basic form of scanning. The scanner uses the connect() system call provided by the OS to open a connection to every port of interest on the target. If the port is open, the connection succeeds (the full three-way handshake completes); if it's closed, the target answers the SYN with a RST and connect() fails. This scan needs no special privileges, but it's the easiest to detect: the target completes a real connection, so any service or host that logs accepted connections will record the scanner's address.
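An added example (not code from the article) of the connect scan just described, in Python. It probes ports with the OS connect() call, runs the probes concurrently, and stands up two constructed targets on loopback: a listening socket that logs every peer that connects, and a socket that is bound but never calls listen(), so the kernel answers SYNs to it with RST. The peer log the listener keeps is the trace a connect scan leaves behind; the "filtered" verdict on a timeout is an assumption that no answer means a filter dropped the probe.

```python
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def connect_probe(host, port, timeout=1.0):
    """Probe one port with the OS connect() call.

    The kernel runs the whole three-way handshake for us, so no special
    privileges are needed, but the target sees a fully established
    connection (and can log it) before we close it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"            # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"          # target answered our SYN with RST
        except (socket.timeout, OSError):
            return "filtered"        # no answer or unreachable: assume a filter dropped the probe


def connect_scan(host, ports, workers=16):
    """Scan a list of ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: connect_probe(host, p), ports))
    return dict(zip(ports, states))


def start_listener():
    """Constructed target: a loopback TCP service that logs every peer that
    connects, which is exactly why connect scans are easy to spot."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)              # so the serving thread notices when we close it
    peers = []

    def serve():
        while True:
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            except OSError:          # listener closed: stop serving
                return
            peers.append(addr)       # the "log" a connect scan leaves behind
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], peers


def demo():
    """Stand up one listening port and one port that is bound but not
    listening (the kernel answers SYNs to it with RST), scan both, and
    return the scanner's verdicts next to the target's connection log."""
    listener, open_port, peers = start_listener()
    reserved = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    reserved.bind(("127.0.0.1", 0))  # reserved, so nobody else can listen on it
    closed_port = reserved.getsockname()[1]
    try:
        results = connect_scan("127.0.0.1", [open_port, closed_port])
        for _ in range(100):         # give the accept thread a moment to log the peer
            if peers:
                break
            time.sleep(0.01)
    finally:
        listener.close()
        reserved.close()
    return results, open_port, closed_port, list(peers)


if __name__ == "__main__":
    results, open_port, closed_port, peers = demo()
    for port in (open_port, closed_port):
        print(f"127.0.0.1:{port} -> {results[port]}")
    print("target logged connections from:", peers)
```

Run it as a script and the open port reports "open", the reserved port "closed", and the listener's log shows the scanner's own address, which is the evidence a target's connection logs would hold after a real connect scan.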

TCP SYN scanning is called "half-open" scanning because the scanner never completes a full TCP connection. It sends a SYN packet, as if opening a real connection. A returned SYN|ACK means the port is listening; a RST means it's closed. If a SYN|ACK comes back, the scanner immediately answers with a RST so the target never reaches an established connection, which keeps the probe out of application logs. Because the scanner crafts the SYN itself instead of calling connect(), it needs raw-socket privileges (root or the equivalent), and a port that sends nothing back, or an ICMP unreachable error, is filtered rather than closed.

Stealth FIN, Xmas Tree and NULL scans can sometimes slip past firewalls and packet filters that only watch for unauthorized SYN requests, where a SYN scan can't. A FIN scan sets only the FIN flag, an Xmas Tree scan sets FIN, PSH and URG, and a NULL scan sets no flags at all. The TCP specification (RFC 793) requires a closed port to answer such a probe with a RST and an open port to ignore it, which is what lets the scanner infer which ports are open. Two caveats: silence can also mean a filter dropped the probe, so the honest verdict for a silent port is "open or filtered", and some TCP stacks, notably Microsoft Windows, send a RST from open ports as well, so against those hosts every port looks closed.

A UDP scan discovers which UDP ports are open on the target. The scanner usually sends a 0-byte UDP datagram to each port on the target host. An "ICMP port unreachable" reply (type 3, code 3) means the port is closed; other ICMP unreachable errors, such as code 13 (administratively prohibited), mean it's filtered. Only an actual UDP reply proves the port open. No response at all is ambiguous, "open or filtered", because most UDP services won't answer an empty datagram and a filter dropping the probe looks the same. Many hosts also rate-limit ICMP errors, which is why UDP scans are slow.

ACK scanning is an advanced method used mainly to map out firewall rule sets. It sends a packet with only the ACK flag set, which looks like part of an existing connection. On an unfiltered host both open and closed ports answer with a RST, so the scan can't tell open from closed; what it reveals is whether a port is filtered, since no reply or an ICMP unreachable error means something in the path is blocking. That also tells you whether a firewall is stateful, which drops the unsolicited ACK because it belongs to no tracked connection, or just a simple packet filter that blocks incoming SYN packets and lets the ACK through.
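An added example (not code from the article) covering the SYN, FIN/Xmas Tree/NULL, UDP and ACK scans described above, in Python. It builds raw TCP segments with a correct checksum for each scan type, shows the RST a half-open scan sends to abort the handshake after a SYN|ACK, and infers port state from the response, including the "open|filtered" ambiguity and the ICMP codes. The IP addresses and ports are constructed sample values, responses are modelled as plain tuples, and the block only builds and classifies packets; it does not send them, which would need a raw socket and root or CAP_NET_RAW.

```python
import socket
import struct

# TCP flag bits, RFC 793 header layout.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combination each scan type puts on the wire.
PROBE_FLAGS = {
    "syn": SYN,
    "fin": FIN,
    "null": 0,
    "xmas": FIN | PSH | URG,   # "lit up like a Christmas tree"
    "ack": ACK,
}


def ones_complement_sum(data):
    """Internet checksum (RFC 1071) over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header the TCP checksum is computed over."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header with a correct checksum: what a raw-socket scanner sends."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_probe(scan, src_ip, dst_ip, sport, dport, seq=0):
    """Probe segment for one of the scan types in PROBE_FLAGS."""
    return build_tcp_segment(src_ip, dst_ip, sport, dport, PROBE_FLAGS[scan], seq=seq)


def parse_tcp(segment):
    """Decode the fixed TCP header of a received segment."""
    sport, dport, seq, ack, _, flags, window, csum, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window, "checksum": csum}


def checksum_ok(src_ip, dst_ip, segment):
    """A segment whose checksum field is correct sums to zero."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def abort_handshake(src_ip, dst_ip, synack):
    """Half-open scan: answer the SYN|ACK with a RST so no connection is ever
    established. The peer's ACK number is the sequence our RST must carry."""
    return build_tcp_segment(src_ip, dst_ip, synack["dport"], synack["sport"], RST, seq=synack["ack"])


def classify(scan, response):
    """Infer port state from what came back for a probe.

    response is None (nothing after retransmits), ("tcp", flags),
    ("icmp", type, code) or ("udp", payload).
    """
    if response is None:
        # SYN and ACK probes always get an answer from an unfiltered host;
        # FIN/NULL/Xmas and empty UDP probes are legitimately ignored by open ports.
        return "filtered" if scan in ("syn", "ack") else "open|filtered"
    kind = response[0]
    if kind == "icmp":
        icmp_type, code = response[1], response[2]
        if icmp_type == 3 and scan == "udp" and code == 3:
            return "closed"                  # port unreachable: the real "closed" signal for UDP
        if icmp_type == 3 and code in (1, 2, 3, 9, 10, 13):
            return "filtered"                # host/proto/port unreachable or admin-prohibited
        return "unknown"
    if kind == "udp":
        return "open"                        # only a real reply proves a UDP port open
    flags = response[1]
    if scan == "syn":
        if flags & SYN and flags & ACK:
            return "open"
        return "closed" if flags & RST else "unknown"
    if scan == "ack":
        # Open and closed ports both RST an unsolicited ACK; the scan only says "no filter here".
        return "unfiltered" if flags & RST else "unknown"
    # fin / null / xmas: RFC 793 says closed -> RST, open -> silence.
    # Caveat: Windows and some other stacks RST from open ports too, so every port looks closed.
    return "closed" if flags & RST else "unknown"


if __name__ == "__main__":
    src, dst = "10.0.0.1", "10.0.0.2"      # constructed sample addresses
    probe = build_probe("syn", src, dst, 40000, 80, seq=1000)
    print("SYN probe:", probe.hex(), "checksum ok:", checksum_ok(src, dst, probe))
    synack = parse_tcp(build_tcp_segment(dst, src, 80, 40000, SYN | ACK, seq=5000, ack=1001))
    print("port 80 ->", classify("syn", ("tcp", synack["flags"])))
    print("abort RST:", parse_tcp(abort_handshake(src, dst, synack)))
    print("FIN probe, no reply ->", classify("fin", None))
    print("UDP probe, ICMP 3/3 ->", classify("udp", ("icmp", 3, 3)))
    print("ACK probe, RST ->", classify("ack", ("tcp", RST)))
```

The classifier is where the article's caveats live: a silent port is "filtered" for SYN and ACK probes but only "open|filtered" for FIN/NULL/Xmas and UDP, and an ACK probe never yields "open" or "closed", only whether a filter is in the path.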

About the Author

Greg Saoutine, MCSE, is an IT Consultant working in New York City.
