Port scanning guide #1: TCP three way handshake

In this series I am going to delve in some theory of port scanning, which is essential of service identification within a TCP\IP network. The most popular tool used to do this inspection is nmap, however it is not the only one used to do it (Unicornscan and ZMap are the others). In cyber security it is very important to understand fundamentals, which obviously is port scanning. The two most often used types of scanning are TCP SYN and UDP. First, I will describe how TCP connection is formed.


Above term is used to describe how a TCP connection is established. Imagine situation – there is Mike and Kate. Mike wants to send a message to Kate via TCP on port 80. First thing that Mike has to do, is to check if Kate is accessible. He will open TCP connection to check this.

Mike - sends a TCP SYN to Kate on port 80   >>>     Kate
Kate - responds with a TCP SYN/ACK          >>>     Mike
Mike - sends a TCP/ACK                      >>>     Kate
                Connection is established

Let’s examine those steps:

  1. Mike sends a SYN request to Kate.
  2. Kate receives the request and if there is a listening process on port 80, she will respond with a TCP packet with the SYN/ACK flags set.
  3. Mike receives TCP SYN/ACK, checks the acknowledgement number (more about it here) and then can send the last part of handshake – TCP/ACK. At this point, both parties are successfully connected and can share data on via TCP socket.

Closed port

If there is a situation, when no service is running on Kate server in port 80, she will send response with TCP RST/ACK flags. After this request connection is terminated.

Mike - sends a TCP SYN to Kate on port 80   >>>     Kate
                  --- port is closed ---
Kate - responds with a TCP RST/ACK          >>>     Mike
                 Connection is terminated

Other responses

When scanning a network you have to bear in mind that not every one will go as you would like. On the server which is being scanned can run firewall which will drop your SYN requests, hence it will never reach a destination. Rarely, you can encounter situation when request reaches a server, but response is firewalled and dropped.