Hi there, I'm currently working on a PROJECT (so it can be clear) regarding port scan detection. I have written code which is able to read all packets arriving on the device and extract the necessary information, such as source and destination addresses, destination port, protocol used... Having done this, I have no idea how to proceed next regarding the actual detection of a port scan... I have some questions regarding this:

1) How can I know if a port being scanned is "open" or not? (If the port is closed, and someone sends a packet/request to that port, doesn't it imply that it's an attack?)

2) Also, when I receive the packets and want to do real-time/live detection, should I only read the info in the packets, determine whether it is an attack and then discard the packet, OR do I have to store the packets in some way in order to use them later for the detection?

Can anybody provide me with some info regarding this... I really need some help, as I do not know how to proceed from this current point! Thanks
Do you know how I can modify the attached file to determine/print the values of the flags in the TCP header (I'm talking about the FIN, SYN, RST, ACK... flags) when I receive the packets?
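An added example in Python, written for this thread and not taken from the poster's code or the attached file (which is not shown here). It covers both posts: pulling the flag bits out of byte 13 of the TCP header of a raw IPv4 packet, and a small SYN-scan detector that answers the two questions above. It does keep state (a per-source sliding window of SYN probes, so the packets themselves can be discarded after parsing), and it learns whether a port is open from the target's reply rather than from the probe: a SYN/ACK back means open, a RST means closed. A single packet to a closed port is not an attack by itself; it is a source hitting many distinct ports on one host in a short time that is reported. The addresses, ports, threshold, window and all traffic are constructed for the demo; the packet builder is only there to create test input and leaves checksums zero.

```python
import struct
from collections import defaultdict, deque

# Bit values of the flags in byte 13 of the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def tcp_flag_names(flag_byte):
    """Return the set of flag names whose bit is set in the TCP flags byte."""
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def parse_ipv4_tcp(packet):
    """Parse a raw IPv4 packet (no link-layer header). Returns addresses, ports
    and flag names for TCP, or None for any other protocol."""
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if version != 4 or packet[9] != 6:    # IP protocol number 6 == TCP
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": tcp_flag_names(tcp[13])}


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP packet as constructed test input (checksums are
    left zero; the parser above never validates them)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAGS[name]
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_byte, 8192, 0, 0)
    return ip + tcp


class SynScanDetector:
    """Per (source, target) pair, keep the SYN probes seen in the last `window`
    seconds. Once a source has probed `port_threshold` distinct ports on one
    target inside the window, report it. Replies from the target that match a
    recorded probe tell us the port state: SYN/ACK means open, RST means closed."""

    def __init__(self, port_threshold=10, window=5.0):
        self.port_threshold = port_threshold
        self.window = window
        self.probes = defaultdict(deque)     # (src, dst) -> deque of (ts, dport)
        self.open_ports = defaultdict(set)   # target -> ports that answered SYN/ACK
        self.closed_ports = defaultdict(set) # target -> ports that answered RST
        self.alerted = set()

    def observe(self, ts, pkt):
        """Feed one parsed packet with its timestamp; returns an alert string or None."""
        if pkt is None:
            return None
        flags = pkt["flags"]
        if "SYN" in flags and "ACK" not in flags:
            key = (pkt["src"], pkt["dst"])
            q = self.probes[key]
            q.append((ts, pkt["dport"]))
            while q and ts - q[0][0] > self.window:   # evict probes outside the window
                q.popleft()
            distinct = {port for _, port in q}
            if len(distinct) >= self.port_threshold and key not in self.alerted:
                self.alerted.add(key)
                return (f"port scan: {key[0]} probed {len(distinct)} ports on "
                        f"{key[1]} within {self.window:g}s")
        else:
            key = (pkt["dst"], pkt["src"])             # reply direction: target -> prober
            probed = {port for _, port in self.probes.get(key, ())}
            if pkt["sport"] in probed:                 # only replies to a probe we saw
                if "SYN" in flags and "ACK" in flags:
                    self.open_ports[pkt["src"]].add(pkt["sport"])
                elif "RST" in flags:
                    self.closed_ports[pkt["src"]].add(pkt["sport"])
        return None


def run_demo():
    """Constructed traffic: 10.0.0.5 SYN-scans ports 20-34 on 10.0.0.9 within two
    seconds; only 22 and 25 answer SYN/ACK, every other port answers RST/ACK."""
    scanner, target = "10.0.0.5", "10.0.0.9"
    det = SynScanDetector(port_threshold=10, window=5.0)
    alerts, ts = [], 100.0
    for i, port in enumerate(range(20, 35)):
        ts += 0.1
        syn = build_ipv4_tcp(scanner, target, 40000 + i, port, {"SYN"})
        reply_flags = {"SYN", "ACK"} if port in (22, 25) else {"RST", "ACK"}
        reply = build_ipv4_tcp(target, scanner, port, 40000 + i, reply_flags)
        for raw in (syn, reply):
            alert = det.observe(ts, parse_ipv4_tcp(raw))
            if alert:
                alerts.append(alert)
    return alerts, sorted(det.open_ports[target]), sorted(det.closed_ports[target])


if __name__ == "__main__":
    alerts, open_ports, closed_ports = run_demo()
    print("\n".join(alerts))
    print("open:", open_ports, "closed:", closed_ports)
```

In a live capture you would call `parse_ipv4_tcp` on each packet's payload after stripping the link-layer header (14 bytes for Ethernet), pass the result to `observe` with the capture timestamp, and then drop the raw bytes; the detector only keeps the small (timestamp, port) tuples it needs. The threshold and window are tuning knobs: a busy web server legitimately sees many SYNs to one port, which this logic ignores because it counts distinct ports, but a monitoring host that probes many ports on purpose will trigger it and needs an allow-list.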