Port function and scanning

Dear Group,

Having recently had troubles with intrusion into my PC I have
contacted this group and received a great response.

May I aks for further help. I would like to get answers to the
following questions:

1. Is there a good internet document describing ports, their
function and role, particularly for the windows OS?

2. Are there trustworthy port scanning services available?
Is for example http://www.auditmypc.com/firewall-test.asp
one of them?

Thank you
GR.

Re: Port function and scanning

> 1. Is there a good internet document describing ports, their
> function and role, particularly for the windows OS?

Cheswick on firewalls is a bit outdated, but a good start.

http://www.amazon.com/Firewalls-Internet-Security-Repelling- Hacker/dp/020163466X/

Defining list:

http://www.iana.org/assignments/port-numbers


> 2. Are there trustworthy port scanning services available?
> Is for example http://www.auditmypc.com/firewall-test.asp
> one of them?

How would you know? Do ou trust the answers you get here more than
someone witha webpage?

Take a second PC and use nmap.

http://insecure.org/nmap/download.html

Keep in mind, that a portnumber is just an address. In house 25 usually
lives a mail server. But it may be something completely different.

Cheers,
Jens

Re: Port function and scanning

NoSpam wrote:


> 1. Is there a good internet document describing ports, their
> function and role,


RFC 793 ff.

> 2. Are there trustworthy port scanning services available?




> Is for example http://www.auditmypc.com/firewall-test.asp
> one of them?


Definitely not.

Re: Port function and scanning

GR wrote:
> Is there a good internet document describing ports, their
> function and role, particularly for the windows OS?

Start here: http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

> Are there trustworthy port scanning services available?

Try www.derkeiler.com/Service/PortScan.

-Gary

Re: Port function and scanning

NoSpam wrote:
> 1. Is there a good internet document describing ports, their
> function and role, particularly for the windows OS?

Ports are a concept being part of the TCP/IP protocol family. This has
nothing to do with Windows. Just read the RFCs, or try Richard Stevens'
"UNIX Network Programming".

You could start here, too: http://en.wikipedia.org/wiki/TCP/IP

> 2. Are there trustworthy port scanning services available?

Better scan yourself, i.e. using nmap. Port scanning web services are
b0rken by concept, because they cannot determine, if your machine has
open ports or if the network in between modifies traffic.

Yours,
VB.
--
"Es muss darauf geachtet werden, dass das Grundgesetz nicht mit Methoden
geschützt wird, die seinem Ziel und seinem Geist zuwider sind."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Port function and scanning

Dear Volker,

Thank you for your attention to my post.

You wrote:
>Better scan yourself, i.e. using nmap. Port scanning web services are
>b0rken by concept, because they cannot determine, if your machine has
>open ports or if the network in between modifies traffic

I am not familiar with programming and related tasks. I have been
burned recently by malware and want to make sure it does not
happen again.

A Symantec scan has recently shown that all my parts are secure, except
the "ping" port, whatever that means.

Your advice to use nmap seems to be a good one and I would like
to use it. There is however a learning curve involved. Before I climb
it, I would like to make sure nmap will serve my purpose. I have a
stand alone PC connected to the net through an ISP. Can I use such
a configuration to scan my own ports?

Greetings and thanks
GR.

"Volker Birk" wrote in message
news:467e3651@news.uni-ulm.de...
> NoSpam wrote:
> > 1. Is there a good internet document describing ports, their
> > function and role, particularly for the windows OS?
>
> Ports are a concept being part of the TCP/IP protocol family. This has
> nothing to do with Windows. Just read the RFCs, or try Richard Stevens'
> "UNIX Network Programming".
>
> You could start here, too: http://en.wikipedia.org/wiki/TCP/IP
>
> > 2. Are there trustworthy port scanning services available?
>
> Better scan yourself, i.e. using nmap. Port scanning web services are
> b0rken by concept, because they cannot determine, if your machine has
> open ports or if the network in between modifies traffic.
>
> Yours,
> VB.
> --
> "Es muss darauf geachtet werden, dass das Grundgesetz nicht mit Methoden
> geschützt wird, die seinem Ziel und seinem Geist zuwider sind."
>
> Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Port function and scanning

NoSpam wrote:


>> Better scan yourself, i.e. using nmap. Port scanning web services are
>> b0rken by concept, because they cannot determine, if your machine has
>> open ports or if the network in between modifies traffic
>
> I am not familiar with programming and related tasks.


Well, if you're not, then you should not fiddle around with network-related
tasks. Pay a competent service for doing so.

> A Symantec scan has recently shown that all my parts are secure, except
> the "ping" port, whatever that means.


Yes, that shows exactly what to think about this POS.

> Your advice to use nmap seems to be a good one and I would like
> to use it. There is however a learning curve involved. Before I climb
> it, I would like to make sure nmap will serve my purpose. I have a
> stand alone PC connected to the net through an ISP. Can I use such
> a configuration to scan my own ports?


Now even that should be clear to someone with almost no networking
experience: No. Scanning involves sending requests and receiving replies,
now that's where you need a second machine (or someone carefully bouncing
all traffic forth and pack, but you won't any such machine).

That's why I recommended .
This is more or less an interactive web service for Nmap, even though it's a
little bit outdated.

Re: Port function and scanning

NoSpam wrote:

> Your advice to use nmap seems to be a good one and I would like
> to use it. There is however a learning curve involved. Before I climb
> it, I would like to make sure nmap will serve my purpose. I have a
> stand alone PC connected to the net through an ISP. Can I use such
> a configuration to scan my own ports?

If you have a friend running Linux, or is prepared to run a 'Live' Linux
off a CD on his machine (DSL is probably the simplest), you could give
him your ipaddress (run 'ipaddress' from a windows console) and get him
to scan your machine with nmap.

Jim Ford

Re: Port function and scanning

> If you have a friend running Linux,

There is a version for nmap on windows.

Cheers,
Jens

Re: Port function and scanning

Dear Jim,

Is the proper command for finding one's IP address not
'ipconfig' run from the command prompt?

I don't get a result for putting in 'ipaddress'.

Than you
GR.

"Jim Ford" wrote in message
news:EQyfi.6834$aJ3.2775@newsfe4-gui.ntli.net...
> NoSpam wrote:
>
> > Your advice to use nmap seems to be a good one and I would like
> > to use it. There is however a learning curve involved. Before I climb
> > it, I would like to make sure nmap will serve my purpose. I have a
> > stand alone PC connected to the net through an ISP. Can I use such
> > a configuration to scan my own ports?
>
> If you have a friend running Linux, or is prepared to run a 'Live' Linux
> off a CD on his machine (DSL is probably the simplest), you could give
> him your ipaddress (run 'ipaddress' from a windows console) and get him
> to scan your machine with nmap.
>
> Jim Ford

Re: Port function and scanning

> Is the proper command for finding one's IP address not
> 'ipconfig' run from the command prompt?

Yes, that is one of the possible ways.

Re: Port function and scanning

Dear Sebastian,

I do not follow some of your writing and some of your thoughts.
May be you could be specific.

I wrote:
> >A Symantec scan has recently shown that all my ports are secure,
>>except the "ping" port, whatever that means.
and you replied:
>Yes, that shows exactly what to think about this POS.
Now I still do not know what to think and I also do not know what a
POS is.

You advised me to use
> That's why I recommended .
> This is more or less an interactive web service for Nmap, even though
>it's a little bit outdated.
This service however requires me to install nmap, something which you
advised me a few paragraphs earlier not to do by stating:
> Well, if you're not, then you should not fiddle around with
network-related
> tasks. Pay a competent service for doing so.

Best regards
GR.

Re: Port function and scanning

> This service however requires me to install nmap,

No it doesn't.

It says: "You should download and install nmap from
http://www.Insecure.org/nmap" and not:

"You should download and install nmap".


Your scan result is a bit further down on the same page.

Greetings,
Jens

Re: Port function and scanning

NoSpam wrote:
> Dear Jim,
>
> Is the proper command for finding one's IP address not
> 'ipconfig' run from the command prompt?

Yes - sorry!
8^(

Re: Port function and scanning

NoSpam wrote:


>>> A Symantec scan has recently shown that all my ports are secure,
>>> except the "ping" port, whatever that means.
> and you replied:
>> Yes, that shows exactly what to think about this POS.
> Now I still do not know what to think and I also do not know what a
> POS is.


"pile of shit"

> You advised me to use
>> That's why I recommended .
>> This is more or less an interactive web service for Nmap, even though
>> it's a little bit outdated.
> This service however requires me to install nmap,


No, it doesn't. Why do you think so? This service offer you an online port
scan with Nmap, by your command line (with some filtering) as input and the
full Nmap output as the output.

Re: Port function and scanning

NoSpam wrote:
> Dear Jim,
>
> Is the proper command for finding one's IP address not
> 'ipconfig' run from the command prompt?
>
> I don't get a result for putting in 'ipaddress'.

Keep console closed and don't type commands you are not familiar with.
Check this site.
http://ip-address.domaintools.com/

BTW You don't even have to know your IP, just send an e-mail to your
nmap friend, and don't disconnect/reconnect your connection. He will
know what to do.

Re: Port function and scanning

Post removed (X-No-Archive: yes)

Re: Port function and scanning

Dear John,

Great suggestion, BUT how can one be sure that the software is safe?

GR.

> A neat little program for Windows is IP2 by Robin Keir. It even shows
your
> computer's lan IP and WAN IP if you are behind a nat router. It's all of
8K
> size for zip download. Extracted to disk the .exe file is 14K. There are
no
> other files involved nor created by the program later.
>
> http://keir.net/ip2.html
>
> There's also other neat utilities on his site at
>
> http://keir.net/software.html
>
> --
> John Gray
>
> If you don't have a reason, at least have an excuse.

Re: Port function and scanning

NoSpam wrote:
> I am not familiar with programming and related tasks.

To understand, that a port just is a maintainance number, and what it's
for, it could be a good idea to change that a little bit.

> A Symantec scan has recently shown that all my parts are secure, except
> the "ping" port, whatever that means.

It means nonsense. There is no such thing like a "ping port". Why I'm
not surprised to find horseplay in a Symantec's text? ;-)

> Your advice to use nmap seems to be a good one and I would like
> to use it. There is however a learning curve involved. Before I climb
> it, I would like to make sure nmap will serve my purpose. I have a
> stand alone PC connected to the net through an ISP. Can I use such
> a configuration to scan my own ports?

In such a configuration, you don't need any port scanner at all. Just
use the netstat command to determine, which ports are used by which
processes.

Yours,
VB.
--
"Es muss darauf geachtet werden, dass das Grundgesetz nicht mit Methoden
geschützt wird, die seinem Ziel und seinem Geist zuwider sind."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Port function and scanning

Post removed (X-No-Archive: yes)

Re: Port function and scanning

NoSpam wrote:
>> A neat little program for Windows is IP2 by Robin Keir. It even
>> shows your computer's lan IP and WAN IP if you are behind a nat
>> router. It's all of 8K size for zip download. Extracted to disk the
>> .exe file is 14K. There are no other files involved nor created by
>> the program later.
>>
>> http://keir.net/ip2.html
>>
>> There's also other neat utilities on his site at
>>
>> http://keir.net/software.html
>
> Great suggestion, BUT how can one be sure that the software is safe?

You read the source code. Can't do that? Then you have to trust the
author.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Port function and scanning

John Gray wrote:


> I've used several of his utilities, including K9, a Bayesian antispam POP3
> local proxy. All are small, and I've never had malware.


That doesn't matter, since I doubt that you're competent enough to recognize
a serious compromise.

However, the real reason is that K9 has a certain reputation. Beside being
utterly useless.

> Search around and check out Robin Keir's reputation. I think you'll
> feel comfortable after a thorough check. He participates regularly in GRC
> usenet, especially GRC.Spam, GRC.security, and GRC.privacy.


Well, this is exactly the contrary of reputation. Anyway, Keir is known to
dispute a lot of shit posted there (BTW, this stuff is NOT Usenet).

> Especially, look at Hash on keir.net as it's great for checksums on files

Now either this irony bites so hard that I fail to recognize it, or you're a
total fool.

Re: Port function and scanning

Dear Sebastian,

It is your messages I would be inclined to distrust most.
My reasons are:

First of all your composition is faulty. One never knows who you are
addressing or just what you are saying.

Secondly you rely upon personal insults and other offensive ways to
display contempt for everything, particularly corporations, and you do
not exempt individuals from your gall either.

Thirdly, you never come up with anything remotely useful, but limit
yourself to declare almost everything which somebody else thinks
is of value as worthless.

I think the best use for your diatribes is to read them for entertain-
ment rather than for serious consideration.

GR.

"Sebastian G." wrote in message
news:5e9uq3F37i540U1@mid.dfncis.de...
> John Gray wrote:
>
>
> > I've used several of his utilities, including K9, a Bayesian antispam
POP3
> > local proxy. All are small, and I've never had malware.
>
>
> That doesn't matter, since I doubt that you're competent enough to
recognize
> a serious compromise.
>
> However, the real reason is that K9 has a certain reputation. Beside being
> utterly useless.
>
> > Search around and check out Robin Keir's reputation. I think you'll
> > feel comfortable after a thorough check. He participates regularly in
GRC
> > usenet, especially GRC.Spam, GRC.security, and GRC.privacy.
>
>
> Well, this is exactly the contrary of reputation. Anyway, Keir is known to
> dispute a lot of shit posted there (BTW, this stuff is NOT Usenet).
>
> > Especially, look at Hash on keir.net as it's great for checksums on
files
>
> Now either this irony bites so hard that I fail to recognize it, or you're
a
> total fool.

Re: Port function and scanning

Dear Ansgar-59cobalt- Wiechers,

Great suggestion to read the source code to remove doubts but not very
practical. Consider the time it takes, the different kinds of computer
languages
and versions, the subroutines involved!

It is best to offer practical suggestions!

GR.

"Ansgar -59cobalt- Wiechers" wrote in message
news:f5ocglUthvL2@news.in-ulm.de...
> NoSpam wrote:
> >> A neat little program for Windows is IP2 by Robin Keir. It even
> >> shows your computer's lan IP and WAN IP if you are behind a nat
> >> router. It's all of 8K size for zip download. Extracted to disk the
> >> .exe file is 14K. There are no other files involved nor created by
> >> the program later.
> >>
> >> http://keir.net/ip2.html
> >>
> >> There's also other neat utilities on his site at
> >>
> >> http://keir.net/software.html
> >
> > Great suggestion, BUT how can one be sure that the software is safe?
>
> You read the source code. Can't do that? Then you have to trust the
> author.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

Re: Port function and scanning

NoSpam wrote:
> "Ansgar -59cobalt- Wiechers" wrote:
>> NoSpam wrote:
>>> Great suggestion, BUT how can one be sure that the software is safe?
>>
>> You read the source code. Can't do that? Then you have to trust the
>> author.
>
> Great suggestion to read the source code to remove doubts but not very
> practical. Consider the time it takes, the different kinds of computer
> languages and versions, the subroutines involved!
>
> It is best to offer practical suggestions!

Which part of "then you have to trust the author" did you fail to
understand? You don't have any other option.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Port function and scanning

Dear Volker,

Thank you for your very practical suggestion regarding the netstat
commands. I am already using them but I do not understand the impli-
cations.

The netstat command offers seven arguments. These are:
-a, -e, -n, -p proto, -r, -s, interval.
Of these [-a] offers to "display all connections and listening ports".
Sounds
great for what I want to do. The way I understand the sentence in quotes
is, that it reports the state of the system at the moment netstat -a is
executed.
Do the ports reported include all potentially open ports are just the ones
cur-
rently open? If the answer to this question is yes, it does not tell me all
I need to know about the security of my system. I think that nmap tells
queries all ports and determines their state..

I would appreciate a clarification of this issue...

Thank you

GR.


"Volker Birk" wrote in message
news:467f7414@news.uni-ulm.de...
> NoSpam wrote:
> > I am not familiar with programming and related tasks.
>
> To understand, that a port just is a maintainance number, and what it's
> for, it could be a good idea to change that a little bit.
>
> > A Symantec scan has recently shown that all my parts are secure, except
> > the "ping" port, whatever that means.
>
> It means nonsense. There is no such thing like a "ping port". Why I'm
> not surprised to find horseplay in a Symantec's text? ;-)
>
> > Your advice to use nmap seems to be a good one and I would like
> > to use it. There is however a learning curve involved. Before I climb
> > it, I would like to make sure nmap will serve my purpose. I have a
> > stand alone PC connected to the net through an ISP. Can I use such
> > a configuration to scan my own ports?
>
> In such a configuration, you don't need any port scanner at all. Just
> use the netstat command to determine, which ports are used by which
> processes.
>
> Yours,
> VB.
> --
> "Es muss darauf geachtet werden, dass das Grundgesetz nicht mit Methoden
> geschützt wird, die seinem Ziel und seinem Geist zuwider sind."
>
> Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Port function and scanning

NoSpam wrote:

> Dear Sebastian,
>
> It is your messages I would be inclined to distrust most.
> My reasons are:
>
> First of all your composition is faulty. One never knows who you are
> addressing or just what you are saying.


Hm? A reply typically addressed the quoted statement, what else?

> Secondly you rely upon personal insults


What the...? I have never been insulting to anyone (except when very
obviously for obvious reasons). Are you twisting this with honesty and
directness? Consider that it's not wrong to tell someone that he's doing
something very stupid.

> Thirdly, you never come up with anything remotely useful, but limit
> yourself to declare almost everything which somebody else thinks
> is of value as worthless.


Well, if you want useful advice, then ASK. So far typical questions are
limited to "how do I make this crap not do anything crappy" or even worse
"how do I make that crap do something stupid". The first step is to tell you
that it's crap. The next step would be understanding what the real problem
is, and then offering an appropriate solution.

Be honest: Your problem are not TCP/IP ports.

> I think the best use for your diatribes is to read them for entertain-
> ment rather than for serious consideration.


Which is utterly stupid, because they're very serious advice.


Oh, and could you please stop your stupid bottom full-quoting? Also, why
does it seem that you're abusing Outlook Express as a newsreader?

Re: Port function and scanning

Post removed (X-No-Archive: yes)

Re: Port function and scanning

"NoSpam" schrieb
> Dear Sebastian,
>
> It is your messages I would be inclined to distrust most.
> My reasons are:
>
> First of all your composition is faulty. One never knows who you
> are
> addressing or just what you are saying.
>
> Secondly you rely upon personal insults and other offensive ways
> to
> display contempt for everything, particularly corporations, and
> you do
> not exempt individuals from your gall either.
>
> Thirdly, you never come up with anything remotely useful, but
> limit
> yourself to declare almost everything which somebody else thinks
> is of value as worthless.
>
> I think the best use for your diatribes is to read them for
> entertain-
> ment rather than for serious consideration.

Du hast vollkommen recht. Dieser eingebildete und selbstverliebte
Sebastian ist offensichtlich nicht in der Lage irgendwelche Lösungen
zu aufgeworfenen Problemen zu geben. Er betrachtet sich als
Supercrack, dabei stiftet er nur Verwirrung und versucht zudem die
Fragesteller als Idioten darzustellen und ihre Beiträge als Scheisse
zu qualifizieren. Seine Beiträge haben nicht mal Unterhaltungswert.
Er sollte sich von dieser Gruppe oder noch besser vom gesamten
usenet verabschieden zum Wohle aller, die darin eine Quelle für
mögliche Lösungen für ihre diesbezüglichen Probleme sehen.

You are absolutely right. Sebastian is obvioulsy not in a position
to provide any viable solution to problems posted. He sees himself
as a super crack, however, what he "contributes" is pure confusion.
Moreover this prig tries hard to let posters know that they are all
idiots, who know nothing and write only shit. His posts have not
even the slightest enteraiment value. He should disappear from this
group or for that matter from the usenet alltogether. Other users
can only benefit.

Musste mal gesagt werden
Andy

Re: Port function and scanning

Andy,

Danke für Deine Zuschrift. Du hast ins Schwarze getroffen.

Thanks for your post. You hit the mark!

GR.

"Andy Prelignat" wrote in message
news:90049$467ff685$544a47c6$32577@news.hispeed.ch...
> Du hast vollkommen recht. Dieser eingebildete und selbstverliebte
> Sebastian ist offensichtlich nicht in der Lage irgendwelche Lösungen
> zu aufgeworfenen Problemen zu geben. Er betrachtet sich als
> Supercrack, dabei stiftet er nur Verwirrung und versucht zudem die
> Fragesteller als Idioten darzustellen und ihre Beiträge als Scheisse
> zu qualifizieren. Seine Beiträge haben nicht mal Unterhaltungswert.
> Er sollte sich von dieser Gruppe oder noch besser vom gesamten
> usenet verabschieden zum Wohle aller, die darin eine Quelle für
> mögliche Lösungen für ihre diesbezüglichen Probleme sehen.
>
> You are absolutely right. Sebastian is obvioulsy not in a position
> to provide any viable solution to problems posted. He sees himself
> as a super crack, however, what he "contributes" is pure confusion.
> Moreover this prig tries hard to let posters know that they are all
> idiots, who know nothing and write only shit. His posts have not
> even the slightest enteraiment value. He should disappear from this
> group or for that matter from the usenet alltogether. Other users
> can only benefit.
>
> Musste mal gesagt werden
> Andy
>

Re: Port function and scanning

> Do the ports reported include all potentially open ports are just the ones
> cur-
> rently open?

Currently listening, connected, closing, etc.


> If the answer to this question is yes, it does not tell me all
> I need to know about the security of my system. I think that nmap tells
> queries all ports and determines their state..
>

You have to understand the different states a port can be in:

Listening or not listening (and some in between, but only temporarily).
What some firewalls call stealthed or filtered is something external to
the interface. E.g.: Paketfilters (hence the name!) are an additional
layer like a sieve in front of a system.

IFF the system is correctly configured and IFF the listening
applications have no bugs, then you do not need a firewall.

IFF the listening application has security relevant bugs, a filter will
not help, btw, if you expose the application to the net. If you want to
tackle that, you need ALG. Some of the "security" suites include such a
thing for example for pop (receiving mail). Proxies or reverse proxies
are ALG also.

Summary: "stealthing" a port just tells me, that there is something
interesting.

If I want to close a port, I stop the application listening on the port.
I use an external firewall to my windows systems. On Unix systems I
usually do not need an additional firewall (but I am a couple of years
behind the state of art here, I see a lot of Linux-distros incorporating
"personal firewalls").

> I would appreciate a clarification of this issue...

Have you had time to skim through "Firewalls and Internet Security:
Repelling the Wily Hacker". It is really easy to understand and ou just
need a couple of introductor pages.

Cheers,
Jens

Re: Port function and scanning

NoSpam wrote:
> Thank you for your very practical suggestion regarding the netstat
> commands. I am already using them but I do not understand the impli-
> cations.
> The netstat command offers seven arguments. These are:
> -a, -e, -n, -p proto, -r, -s, interval.
> Of these [-a] offers to "display all connections and listening ports".
> Sounds
> great for what I want to do. The way I understand the sentence in quotes
> is, that it reports the state of the system at the moment netstat -a is
> executed.
> Do the ports reported include all potentially open ports are just the ones
> cur-
> rently open?

There is no such thing like "potentially open ports".

A port is no door, no gate and no harbour. It's just a maintenance
number. To be clear, it's a 16bit ID.

One calls a port "open", if this maintanence number is used by a process.
One calls it "closed", if no process uses this number at this point of
time.

With the netstat utility you can view all local processes and what
ports they have open.

> I need to know about the security of my system. I think that nmap tells
> queries all ports and determines their state..

nmap is a port scanner. You can send network packets to network
interfaces with it, which implement parts of traffic of common network
protocols of the TCP/IP network protocol family. nmap does this waiting
for replied packets. Then a heuristic is implemented to determine,
wether a process on a remote machine is using the port on a network
interface or not.

The port concept is used by different network protocols. A port scanner
usually is used for TCP traffic, because there is an algorithm to
determine wether there is a process "listening" on the "port" (using a
socket or an XTI connection into the kernel with this maintenance
number). Port scanners are more seldomly used for UDP, because there is
no algorithm for this case for UDP. Sometimes it's used combined with
implementing higher level protocols for that case, because for some
protocols which are based on UDP there are algorithms or at least good
heuristics.

ICMP by contrast has no port concept at all. And any port scanning
system, which claims to implement "ICMP port scanning", is nonsense
(like the Symantec trash).

Yours,
VB.
--
"Es muss darauf geachtet werden, dass das Grundgesetz nicht mit Methoden
geschützt wird, die seinem Ziel und seinem Geist zuwider sind."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Port function and scanning

Volker Birk wrote:


> The port concept is used by different network protocols. A port scanner
> usually is used for TCP traffic, because there is an algorithm to
> determine wether there is a process "listening" on the "port" (using a
> socket or an XTI connection into the kernel with this maintenance
> number). Port scanners are more seldomly used for UDP, because there is
> no algorithm for this case for UDP.


There is.
no reply -> open or filtered
ICMP Destination Unreachable :: Port Unreachable -> closed
UDP reply -> definitely open

> ICMP by contrast has no port concept at all. And any port scanning
> system, which claims to implement "ICMP port scanning", is nonsense
> (like the Symantec trash).

ICMP has message codes and subcodes, which are essentially similar to ports.
Still using the term "port" is, of course, wrong.

Re: Port function and scanning

Sebastian G. wrote:
> Volker Birk wrote:
> > The port concept is used by different network protocols. A port scanner
> > usually is used for TCP traffic, because there is an algorithm to
> > determine wether there is a process "listening" on the "port" (using a
> > socket or an XTI connection into the kernel with this maintenance
> > number). Port scanners are more seldomly used for UDP, because there is
> > no algorithm for this case for UDP.
> There is.
> no reply -> open or filtered

Wrong. No reply: open or closed.

From RC 792:
| The Internet Protocol is not designed to be absolutely reliable. The
| purpose of these control messages is to provide feedback about
| problems in the communication environment, not to make IP reliable.
| There are still no guarantees that a datagram will be delivered or a
| control message will be returned.

> ICMP has message codes and subcodes, which are essentially similar to ports.

No, they aren't. ICMP is a messaging protocol using IP packets, and the
message codes have nothing to do with a port concept.

Yours,
VB.
--
"Es muss darauf geachtet werden, dass das Grundgesetz nicht mit Methoden
geschützt wird, die seinem Ziel und seinem Geist zuwider sind."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Port function and scanning

Volker Birk wrote:


>>> number). Port scanners are more seldomly used for UDP, because there is
>>> no algorithm for this case for UDP.
>> There is.
>> no reply -> open or filtered
>
> Wrong. No reply: open or closed.


The Nmap documenation and the real world systems' behaviour tell something
different.

> From RC 792:
> | The Internet Protocol is not designed to be absolutely reliable. The
> | purpose of these control messages is to provide feedback about
> | problems in the communication environment, not to make IP reliable.
> | There are still no guarantees that a datagram will be delivered or a
> | control message will be returned.


Is that your argument of a misguided quote? Taking packet loss into account,
you couldn't differ between open, closed or filtered even for a TCP-SYN.

>> ICMP has message codes and subcodes, which are essentially similar to ports.
>
> No, they aren't. ICMP is a messaging protocol using IP packets, and the
> message codes have nothing to do with a port concept.

They aren't used directly for multiplexing, however this is done by
providing a part of the initial IP packet - which tells the host to which
packet the reply belongs.

Re: Port function and scanning

Sebastian G. wrote:
> Volker Birk wrote:
> >>> number). Port scanners are more seldomly used for UDP, because there is
> >>> no algorithm for this case for UDP.
> >> There is.
> >> no reply -> open or filtered
> > Wrong. No reply: open or closed.
> The Nmap documenation and the real world systems' behaviour tell something
> different.

That may be your view.

> > From RC 792:
> > | The Internet Protocol is not designed to be absolutely reliable. The
> > | purpose of these control messages is to provide feedback about
> > | problems in the communication environment, not to make IP reliable.
> > | There are still no guarantees that a datagram will be delivered or a
> > | control message will be returned.
> Is that your argument of a misguided quote?

I fear, you just don't understand.

> >> ICMP has message codes and subcodes, which are essentially similar to ports.
> > No, they aren't. ICMP is a messaging protocol using IP packets, and the
> > message codes have nothing to do with a port concept.
> They aren't used directly for multiplexing, however this is done by
> providing a part of the initial IP packet - which tells the host to which
> packet the reply belongs.

Strange view.

I cannot see any argument in your posting which persists.

Yours,
VB.
--
"Es muss darauf geachtet werden, dass das Grundgesetz nicht mit Methoden
geschützt wird, die seinem Ziel und seinem Geist zuwider sind."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Port function and scanning

Volker Birk wrote:


> I fear, you just don't understand.


Same for you. So once again: If an RFC-conformant TCP/IP stack receives an
UDP packet, it is supposed to reply with an ICMP Destination Unreachable
with subcode Port Unreachable. Your quote is absolutely unrelated to this
point, maybe you should rather cite RFC 768?

Re: Port function and scanning

Dear Volker,

Thank you for your straightforward explanation of ports in your
message of Tuesday, June26, 2007 11.40 AM. It was of great
help.

In the meantime I have ordered the new edition of Cheswick's book
"Firewalls and Internet Security" and I should shortly know more
about the subject.

Regarding the subsequent exchange of messages between you and
Sebastian I am sorry to say, that I had to disregard them all. I con-
sider Sebastian to be an uninformed and uninforming contributor.

Thank you
GR.

Re: Port function and scanning

"NoSpam" wrote in message
news:7yegi.10924$xy.718@trnddc06...

> I consider Sebastian to be an uninformed and uninforming contributor.
>
Well now, I wouldn't go that far. The dude maybe rude & crude but most
certainly *not* uninformed and may I add quite entertaining :)

Re: Port function and scanning

Kayman wrote:
> "NoSpam" wrote in message
> news:7yegi.10924$xy.718@trnddc06...
>
>> I consider Sebastian to be an uninformed and uninforming contributor.
>>
> Well now, I wouldn't go that far. The dude maybe rude & crude but most
> certainly *not* uninformed and may I add quite entertaining :)

Yup, Seb's our resident 'Mr Angry', though I believe I have spotted one
or two polite and helpful postings by him in the past. I love seeing
postings along the line of 'What's a good PFW', and waiting for his
predictable response!

Jim Ford

Re: Port function and scanning

Post removed (X-No-Archive: yes)