port scan detector

joeserhal, Join Date: Feb 2008
Go4Expert Member
Hi there,
I'm currently working on a PROJECT (so it can be clear) regarding port scan detection. I have written code which is able to read all packets arriving on the device and extract the necessary information such as source & destination addresses, destination port, protocol used... Having done this, I have no idea how to proceed next regarding the actual detection of a port scan...
I have some questions regarding this:

1) How can I know if a port being scanned is "open" or not (if the port is closed, and someone sends a packet/request to that port, doesn't it imply that it's an attack??)
2) Also, when I receive the packets and I want to do real-time/live detection, should I only read the info in the packets, then determine whether it is an attack and discard the packet after that, OR do I have to store the packets in some way in order to use them later for the detection??

Can anybody provide me with some info regarding this... I really need some help as I do not know how to proceed from this current point?!

Thanks
joeserhal, Join Date: Feb 2008
Go4Expert Member
Do you know how I can modify the attached file to determine/print the values of the flags in the TCP header (I'm talking about the FIN, SYN, RST, ACK... flags) when I receive the packets??

Last edited by shabbir; 17Apr2008 at 12:40.. Reason: Attachment removed.
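Both posts ask for the same two pieces: how to pull the flag bits out of a received TCP header, and what state a live detector has to keep. The following is an added example written for this thread, not the poster's attached file and not any library's API. It assumes the buffer starts at the IPv4 header (strip the Ethernet header first if the capture includes it), keeps only header fields rather than whole packets, and raises an alert when one source sends SYN-only segments to SCAN_PORTS distinct destination ports within SCAN_WINDOW seconds; both thresholds are assumed values. It also counts RST replies going back toward that source, since a closed port answers a SYN with RST, which addresses the "open or closed" question: the detector on the scanned host sees its own RSTs. The sample packets in main() are constructed, with checksums left at zero.

```c
/* Added example, not the poster's code: parse TCP flags from a raw IPv4/TCP
 * packet and keep per-source state to notice a scan. Assumes the buffer starts
 * at the IP header. Thresholds and the sample packets are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10
#define SCAN_PORTS  5      /* assumed: alert after this many distinct ports ... */
#define SCAN_WINDOW 10     /* ... from one source within this many seconds */
#define MAX_SRC 16
#define MAX_PORTS 64

struct tcp_info { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t flags; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Fills *out from an IPv4 packet carrying TCP; returns 0 on success, -1 otherwise. */
int parse_ipv4_tcp(const uint8_t *buf, size_t len, struct tcp_info *out) {
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;                   /* IP header length */
    if (ihl < 20 || len < ihl + 20 || buf[9] != 6) return -1;  /* protocol 6 = TCP */
    const uint8_t *tcp = buf + ihl;
    out->src_ip = rd32(buf + 12);  out->dst_ip = rd32(buf + 16);
    out->src_port = rd16(tcp);     out->dst_port = rd16(tcp + 2);
    out->flags = tcp[13] & 0x3f;   /* byte 13: URG ACK PSH RST SYN FIN, FIN is bit 0 */
    return 0;
}

/* Renders the flag bits as e.g. "SYN|ACK" ("none" if no bit is set). */
void format_flags(uint8_t flags, char *out, size_t n) {
    static const char *names[6] = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"};
    out[0] = '\0';
    for (int i = 0; i < 6; i++) {
        if (!(flags & (1u << i))) continue;
        if (out[0]) strncat(out, "|", n - strlen(out) - 1);
        strncat(out, names[i], n - strlen(out) - 1);
    }
    if (!out[0]) snprintf(out, n, "none");
}

/* Per-source state: distinct ports probed in the current window, plus RST
 * replies the scanned host sent back (how a closed port answers a SYN). */
struct src_state { uint32_t ip, first_seen; int in_use, nports, rst_replies; uint16_t ports[MAX_PORTS]; };
struct detector { struct src_state s[MAX_SRC]; };

static struct src_state *find_src(struct detector *d, uint32_t ip) {
    for (int i = 0; i < MAX_SRC; i++) if (d->s[i].in_use && d->s[i].ip == ip) return &d->s[i];
    return NULL;
}
static struct src_state *get_or_add(struct detector *d, uint32_t ip, uint32_t now) {
    struct src_state *s = find_src(d, ip);
    for (int i = 0; !s && i < MAX_SRC; i++) if (!d->s[i].in_use) {
        s = &d->s[i]; memset(s, 0, sizeof *s); s->in_use = 1; s->ip = ip; s->first_seen = now;
    }
    return s;                                              /* NULL when the table is full */
}

/* Feed one parsed segment with its capture time in seconds; the packet itself is
 * not stored. Returns 1 at the moment a source reaches SCAN_PORTS distinct
 * destination ports with SYN-only segments inside SCAN_WINDOW. */
int detector_feed(struct detector *d, const struct tcp_info *t, uint32_t now) {
    if (t->flags & TCP_RST) {                  /* reply travelling back toward a prober */
        struct src_state *v = find_src(d, t->dst_ip);
        if (v) v->rst_replies++;
        return 0;
    }
    if ((t->flags & (TCP_SYN | TCP_ACK)) != TCP_SYN) return 0;   /* ignore ACK/data traffic */
    struct src_state *s = get_or_add(d, t->src_ip, now);
    if (!s) return 0;
    if (now - s->first_seen > SCAN_WINDOW) { s->first_seen = now; s->nports = 0; s->rst_replies = 0; }
    for (int i = 0; i < s->nports; i++) if (s->ports[i] == t->dst_port) return 0;
    if (s->nports < MAX_PORTS) s->ports[s->nports++] = t->dst_port;
    return s->nports == SCAN_PORTS;
}

int detector_rst_replies(struct detector *d, uint32_t ip) {
    struct src_state *s = find_src(d, ip); return s ? s->rst_replies : 0;
}

/* Builds a minimal 40-byte IPv4+TCP packet (constructed sample, checksums zero). */
size_t build_packet(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, uint8_t flags) {
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;
    for (int i = 0; i < 4; i++) { buf[12 + i] = (uint8_t)(src >> (24 - 8 * i)); buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport; buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50; buf[33] = flags;           /* data offset 5 words; flag byte */
    return 40;
}

int main(void) {
    struct detector d; memset(&d, 0, sizeof d);
    uint8_t pkt[40]; struct tcp_info t; char fl[32];
    uint32_t scanner = 0x0a000005, host = 0x0a000001;    /* constructed: 10.0.0.5 -> 10.0.0.1 */
    uint16_t ports[] = {21, 22, 23, 25, 80};
    for (int i = 0; i < 5; i++) {
        size_t n = build_packet(pkt, scanner, host, (uint16_t)(40000 + i), ports[i], TCP_SYN);
        if (parse_ipv4_tcp(pkt, n, &t) == 0) {
            format_flags(t.flags, fl, sizeof fl);
            int alert = detector_feed(&d, &t, (uint32_t)i);
            printf("t=%d dst port %u flags=%s%s\n", i, t.dst_port, fl, alert ? "  <-- scan detected" : "");
        }
        n = build_packet(pkt, host, scanner, ports[i], (uint16_t)(40000 + i), TCP_RST | TCP_ACK);
        if (parse_ipv4_tcp(pkt, n, &t) == 0) detector_feed(&d, &t, (uint32_t)i);   /* closed-port reply */
    }
    printf("closed-port (RST) replies seen: %d\n", detector_rst_replies(&d, scanner));
    return 0;
}
```

The design answers the second question directly: nothing about the packet survives past parse_ipv4_tcp except the handful of header fields copied into src_state, so the detector runs live without buffering captures. A real deployment would also age out idle entries and treat a SYN answered by SYN|ACK as an open port, but the window-and-distinct-port count is the core of most simple scan detectors.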