Packet analysis tools and methodology (Part 1)

If you would like to see the other articles in this series please read

Port scanners and scan types

When one thinks of the internet several things come to mind readily. First and foremost is probably spam, but a close second are the endless port scans. These endless port scans are also one of the most misunderstood things by anyone else but the seasoned network security analyst. There is little reason really for the average computer enthusiast to learn the miscellanea of port scanning and TCP/IP stimulus. It is in their best interest to understand the various scan types though, and to realize just what a scan is and means.

On the forum message boards www.security-forums.com we are often asked about these evil port scans. New computer users often panic when their firewall fires off an alert like “attempted subseven connection on port 27374” and the such.

Meet the heavyweights!

Pretty much in every area of endeavor there are products that stand out above others. The world of computer security/hacking, is no exception to this phenomenon. When it comes to tools for the computer security savvy, linux still rules the sea’s. There is no arguing that Windows still reigns as the de-facto operating system of choice for computer networks. Realizing this one should try and leverage the best of both worlds. With this in mind some of the most popular linux based security tools have been ported to the win32 environment. Most notable among them is the undisputed King of network scanners nmap. Another heavyweight port scanner is hping. The main difference between them is that nmap can scan a range of IP addresses, while hping can only port scan one individual IP address. I like to compare them as “the broadsword to the rapier”. While nmap can scan ranges of IP addresses, hping is far stealthier, but can only scan one IP address at a time. More on the stealth later. Another network scanner worthy of mention is superscan. While superscan is not as functional, or fully featured as nmap, it is still a good scanner nonetheless. One last note on these scanners; make sure you install the dependencies. All of these scanners, whether they are in win32 or linux, require winpcap or libpcap respectively to work.

Enough talk, more action!

Well now that we have the main players introduced it is time to get down to business. What we shall do is use hping to document at the packet level the various types of scans that you may, or realistically, probably will see on your network. While I will chronicle the command syntax for hping I won’t spend a great deal of time on it. There are many excellent tutorials for it out there. We will show the main scan types in use today by all and sundry; syn scan, rst scan, ack scan, and the udp scan. While this is not an exhaustive list, it does cover the most often seen ones. It is not really enough to only read about these things, it is most important to also visualize them. With that statement in hand I shall create a specific scan type, whilst also showing it at the packet level.

SYN scan

hping -S 192.168.1.100 -c 1 -p 80
14:08:49.973455 IP (tos 0x8, ttl  64, id 64574, offset 0, flags [none],
length: 40) 192.168.1.102.2640 > 192.168.1.100.80: S [tcp sum ok]
1104445670:1104445670(0) win 512
 0x0000:  4508 0028 fc3e 0000 4006 fa6e c0a8 0166  E..(.>[email protected]…f
 0x0010:  c0a8 0164 0a50 0050 41d4 80e6 4ad4 27ec  …d.P.PA…J.’.
 0x0020:  5002 0200 e9ac 0000                                     P…….




The SYN is perhaps one of the most common scans out there today. Doing such a scan will give you a definite answer, as to whether or not there is a service listening on a specific port. If there is a service such as say HTTP listening on port 80 then that would elicit a SYN/ACK. That response would mean that there is indeed something listening on that port for connections to it. Conversely if your SYN resulted in a RST/ACK then that would mean that there is no service listening on the port you targeted.

RST scan

hping -R 192.168.1.100 -c 1 -p 80

19:54:57.669980 192.168.1.102.1239 > 192.168.1.100.80: R 1975237774:1975237774(0) win 512
0x0000 4500 0028 890e 0000 4006 00bf xxxx xxxx  E..(…[email protected]….r.|
0x0010 xxxx xxxx 04d7 0050 75bb bc8e 631c a4e4  .r……r…c….
0x0020 5004 0200 7dbb 0000                                     P…}..


What we have here is a RST scan. That would be a scan in which only the RST bit is set in the TCP flags byte. That specific byte would be offset 13 in the TCP header. Remember that you should start counting from 0. In this case that would be byte 04 on line 00×0020. You can see that the value represented there is 04 in hexadecimal, which is also four in decimal. That numerical value denotes the RST flag in the TCP flag field. Looking at this field in the future will always tell you what, if any, flags are set.

What are RST scans used for? Well an RST scan is also known as inverse mapping. This scan type is not as well known as the SYN scan seen above, but is nonetheless very effective. Not only that, but it is also largely ignored on some intrusion detection systems. If you send out an RST packet to scan a port, you will get one of two things; no response, or an ICMP host unreachable packet. If you get no response, and by that I mean literally no packet is sent back to you, then that means the host you have probed is in all likelihood up and running. Should you get the ICMP host unreachable packet then that means that the IP address you probed is not assigned. Not a bad scan now is it? Pretty sneaky I would say.

ACK Scan

hping -A 192.168.1.100 -c 1 -p 80

14:14:43.545975 IP (tos 0x8, ttl  64, id 42390, offset 0, flags [none],
length: 40) 192.168.1.102.2497 > 192.168.1.100.80: . [tcp sum ok] ack
473846278 win512
0x0000:  4508 0028 a596 0000 4006 5117 c0a8 0166  E..(…[email protected]….f
0x0010:  c0a8 0164 09c1 0050 1f48 d03f 1c3e 5206    …d…P.H.?.>R.
0x0020:  5010 0200 c1dc 0000                                      P…….




What we have here is known as the ACK scan. What are its uses? If you know your TCP/IP then you know that it should probably be of limited value. Not quite really. This type of scan is useful in determining what type of firewall is in use on a specific network. By that I mean, does the firewall employ SPI or stateful packet inspection. What that means in essence is that the firewall will track the sessions as they traverse it. If a client computer on the inside of the network fires up its browser and brings down the homepage of Google for instance, a series of events take place. The firewall will make note of the source and destination address plus the source and destination ports used. That way only a packet inbound to the client computers IP address (which in all likelihood has been nat’ed) and source port, with a matching destination address and port, will be allowed in.

This is an excellent way of disallowing inbound connection attempts. So if you send an ACK packet to a network which has a firewall with SPI it will simply be quietly discarded. If the network or host does not have such a firewall then you will get a RST packet back. This happens because the computer receiving it is not aware of any such connection, thus the RST packet is sent back to you.

UDP Scan

hping -2 192.168.1.100 -c 1 -p 53

14:27:09.947037 IP (tos 0x10, ttl  64, id 22934, offset 0, flags [none],
length: 28) 192.168.1.102.2695 > 192.168.1.100.53: [udp sum ok] [|domain]
0x0000:  4510 001c 5996 0000 4011 9d10 c0a8 0166  E…Y…@……f
0x0010:  c0a8 0164 0a87 0035 0008 7107                      …d…5..q.


Rounding out our scan types is the UDP scan. This is useful for discovering UDP based services such as DNS. If you send a UDP packet to a computer which has a service listening you will get nothing back. Should that same computer have no service listening on that port you will get an ICMP port unreachable message back. Pretty nifty isn’t it? That is the way that UDP communicates such conditions; via ICMP messages. If you remember, had we sent a SYN packet which is TCP it would of elicited a RST packet if there was no service listening.

Final thoughts

This type of information should be second nature to a pen-tester, or one interested in the minutiae of TCP/IP. Secondly, while nmap is a very powerful network scanner, whether it be win32 or linux based, it has many intrusion detection signatures for it. If you are doing a pen-test where stealth is the key, then hping is far superior due to its ability to send only one packet at a time or more if desired. That can be useful to probe firewall configurations. Lastly, due to the granular control that hping offers you, there are no known signatures for it that I am aware of. Before I forget as well, there is another excellent packet crafter for the win32 world; nemesis. It will not only do routed protocols, but also routing ones. While there are a great many tools for the win32 environment to help you secure your networks, you would be wise to delve down in the weeds every now and again at the packet level.

If you would like to see the other articles in this series please read


Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top