This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

After capturing packets of an nmap scan: nmap -PN --scanflags PSHSYN -g 53 -p 22,80 [target], I found one response from the target with ACK and RST flags set on port 80. I also found 4 responses from the target with ACK and SYN flags set on port 22.

Does it indicate that the ports are open or closed? I was thinking that if you get a response with ACK and RST flags set for port 80 it means that it is closed, however I am not sure if port 22 is closed or open. I also do not know why I have one response packet for port 80 (http) but four for port 22 (ssh).

Thanks for your help

asked 05 Nov '12, 18:15

tomala

edited 05 Nov '12, 18:33


If you get a SYN,ACK for a SYN packet (your nmap scan on port 22), that most certainly means that the port is open. However, it is hard to say why you get 4 responses without some information about the environment and the full capture file. Maybe nmap sent 4 SYN packets and thus you received 4 SYN,ACK !?!

If you want to know if the port is open, just open a connection to it. If you see the banner of the ssh daemon, the port is obviously open.

UPDATE

> I also do not know why I have one response packet for port 80 (http) but four for port 22 (ssh).

If that was caused by the same nmap scan, there could be "something" between the nmap scanner and the target that generated the answer packets. This "something" could be a firewall with a REJECT rule for port 80 and possibly some SYN Defender module for port 22. However, it would still be unclear why you get 4 answer packets for one SYN packet on port 22. As I said: Without further information about the environment and without the full capture file, it's hard to make any good assumptions.

Regards
Kurt

answered 06 Nov '12, 01:15

Kurt Knochner ♦

edited 06 Nov '12, 01:43

The RST flag on port 80 means it is closed but not firewalled. If you get SYN/ACK flags on port 22 it means it is open and responds to connection requests.

answered 06 Nov '12, 01:16

Jasper ♦♦

Couldn't it be a firewall with a REJECT rule instead of a DROP rule?

(06 Nov '12, 01:27) Kurt Knochner ♦

yep, agreed, but that is very uncommon :-)

(06 Nov '12, 01:37) Jasper ♦♦
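
An added example, not part of the original thread or any poster's code: a Python sketch that reads the TCP flags of captured reply headers and tallies them per port, the way the answers above interpret them by eye. The header bytes are constructed samples and all function names are hypothetical; the sequence numbers are made up, since the thread does not give them.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits

def make_header(sport, dport, seq, ack, flags):
    """Build a 20-byte TCP header (no options, checksum left 0) for the sample."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 1024, 0, 0)

def parse_header(raw):
    """Return (source port, sequence number, flag bits) of one TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, _dport, seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return sport, seq, off_flags & 0x3F

def classify(flags):
    """Map reply flags to the port state discussed in the thread."""
    if flags & RST:
        return "closed, or rejected by a filter in the path"
    if flags & SYN and flags & ACK:
        return "open"
    return "unclassified"

def summarize(replies):
    """Per replying port: state, reply count, and distinct sequence numbers."""
    by_port = defaultdict(list)
    for raw in replies:
        sport, seq, flags = parse_header(raw)
        by_port[sport].append((classify(flags), seq))
    report = {}
    for port, items in by_port.items():
        states = {state for state, _ in items}
        report[port] = {
            "state": states.pop() if len(states) == 1 else "mixed",
            "replies": len(items),
            # One value: the same half-open connection was answered repeatedly.
            # Several values: separate handshakes were answered.
            "distinct_seq": len({seq for _, seq in items}),
        }
    return report

# Constructed sample: replies sent to source port 53 (the scan used -g 53).
# Sequence numbers are made up; the thread does not say what they were.
SAMPLE = [make_header(80, 53, 0, 1001, RST | ACK)] + \
         [make_header(22, 53, 7000, 1001, SYN | ACK) for _ in range(4)]

if __name__ == "__main__":
    for port, info in sorted(summarize(SAMPLE).items()):
        print(port, info)
```

Comparing `replies` with `distinct_seq` for port 22 is the check the full capture file would allow: it separates one SYN,ACK sent several times from several independent SYN,ACKs.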

question asked: 05 Nov '12, 18:15

question was seen: 7,811 times

last updated: 06 Nov '12, 01:43