This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Open closed ports

0

After capturing packets of an nmap scan: nmap -PN --scanflags PSHSYN -g 53 -p 22,80 [target] I found one response from the target with ACK and RST flags set on port 80. I also found 4 responses from the target with ACK and SYN flags set on port 22.

Does it indicate that the ports are open or closed? I was thinking that if you get a response with ACK and RST flags set for port 80 it means that it is closed, however I am not sure if port 22 is closed or open. I also do not know why I have one response packet for port 80 (http) but four for port 22 (ssh).

Thanks for your help

asked 05 Nov '12, 18:15

tomala

edited 05 Nov '12, 18:33


2 Answers:

0

If you get a SYN,ACK for a SYN packet (your nmap scan on port 22), that most certainly means that the port is open. However, it is hard to say why you get 4 responses without some information about the environment and the full capture file. Maybe nmap sent 4 SYN packets and thus you received 4 SYN,ACK !?!

If you want to know if the port is open, just open a connection to it. If you see the banner of the ssh daemon, the port is obviously open.

UPDATE

"I also do not know why I have one response packet for port 80 (http) but four for port 22 (ssh)."

If that was caused by the same nmap scan, there could be "something" between the nmap scanner and the target that generated the answer packets. This "something" could be a firewall with a REJECT rule for port 80 and possibly some SYN Defender module for port 22. However, it would still be unclear why you get 4 answer packets for one SYN packet on port 22. As I said: Without further information about the environment and without the full capture file, it's hard to make any good assumptions.

Regards
Kurt

answered 06 Nov '12, 01:15

Kurt Knochner ♦

edited 06 Nov '12, 01:43

0

The RST flag on port 80 means it is closed but not firewalled. If you get SYN/ACK flags on port 22 it means it is open and responds to connection requests.

answered 06 Nov '12, 01:16

Jasper ♦♦

Couldn't it be a firewall with a REJECT rule instead of a DROP rule?

(06 Nov '12, 01:27) Kurt Knochner ♦

yep, agreed, but that is very uncommon :-)

(06 Nov '12, 01:37) Jasper ♦♦
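
As an added example (not part of the original thread or any poster's code), the following Python applies the flag interpretation from the answers above to reply headers and counts replies per target port. The sample headers, the function names and the acknowledgment-number count are assumptions constructed here; a reply's acknowledgment number is the probe's sequence number plus one, so several SYN/ACKs sharing one value all acknowledge the same probe sequence number.

```python
import struct
from collections import defaultdict

# TCP flag bits (byte 13 of the TCP header)
SYN, RST, ACK = 0x02, 0x04, 0x10

def tcp_header(sport, dport, seq, ack, flags):
    """Build a minimal 20-byte TCP header (used only for constructed samples)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)

def classify(flags):
    """Interpret a reply to a SYN probe as the answers in the thread do."""
    if flags & SYN and flags & ACK:
        return "open"
    if flags & RST:
        # Either the target's own stack or a firewall REJECT rule in the path
        return "closed or rejected by a firewall"
    return "unclassified"

def summarize(headers):
    """Group replies by the target's port: verdict, reply count, distinct acks."""
    ports = defaultdict(lambda: {"verdicts": set(), "replies": 0, "acks": set()})
    for raw in headers:
        if len(raw) < 20:
            continue  # truncated TCP header, nothing reliable to read
        sport, _dport, _seq, ack, _off, flags = struct.unpack("!HHIIBB", raw[:14])
        entry = ports[sport]
        entry["verdicts"].add(classify(flags))
        entry["replies"] += 1
        entry["acks"].add(ack)
    return {
        port: {
            "verdict": "/".join(sorted(e["verdicts"])),
            "replies": e["replies"],
            "distinct_acks": len(e["acks"]),
        }
        for port, e in ports.items()
    }

# Constructed sample mirroring the question: replies go to source port 53 (-g 53)
SAMPLE = [tcp_header(80, 53, 0, 1001, RST | ACK)] + [
    tcp_header(22, 53, 5000, 1001, SYN | ACK) for _ in range(4)
]

if __name__ == "__main__":
    for port, info in sorted(summarize(SAMPLE).items()):
        print(port, info)
```
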