

Network Scanning

by Chris Coleman

By design, the Internet is made up of clients and servers. The client needs the information, and the server has it. An Internet server is made up of several services that can all accept requests from clients and deliver the requested data. Web and e-mail are popular examples of these types of services; however, there are many others such as telnet, time, and SSH.

While all of the services live at the same host address, each service has a unique identifier on the server called a "port." The port is a number from 1 through 65535, and many of the ports are registered. The file /etc/services contains a list of the well-known ports. I pulled this bit of info from it:

  • The Well-Known Ports are those from 0 through 1023.
  • The Registered Ports are those from 1024 through 49151.
  • The Dynamic and/or Private Ports are those from 49152 through 65535.

Each service is handled by a program called a "daemon." The daemon listens on, or is bound to, a specific port to receive incoming requests from clients. When a request comes to the server, it is routed to the port requested and the daemon listening on that port sends back the reply.

Desktop Unix systems, and now Microsoft systems, come with several of these services turned on by default. Hackers have utilities that allow them to scan a server and discover which ports have daemons listening on them. Many Internet daemons, and especially IIS servers, have security vulnerabilities that can allow hackers to gain control of your computer.

If your workstation has services running, even if you are unaware of them, hackers can still find them and possibly use them against you. It has been a long-standing rule for Unix system administrators to turn off any services that aren't in use. However, many of us aren't sysadmins, and don't think to check this on our personal workstations.


Hackers have access to utilities to scan your servers, but so do you. We know that hackers are scanning our servers for open ports. If we scan our servers first, we know what the hackers will see and can close any ports that shouldn't be open. The two tools we need are nmap and ethereal.

nmap is a utility that scans a particular server and reports which ports are open. ethereal is a utility that captures network traffic and helps us decode what is going on. We can watch our network traffic and find out whether hackers can see anything that will help them break into our systems.
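The self-audit described above, as an added example that is not from this article or from the nmap project: a small Python TCP connect scan of the local host's well-known port range, naming each open port from /etc/services the way nmap's default output does. A constructed throwaway listener on a kernel-chosen port stands in for a daemon so the scan finds something even on a locked-down workstation.

```python
import socket
from typing import Iterable, List, Tuple

def service_name(port: int, proto: str = "tcp") -> str:
    """Look up the registered name for a port in /etc/services (e.g. 22 -> 'ssh')."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"  # port not registered, or no /etc/services on this box

def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a daemon completes the TCP handshake on host:port (a connect scan)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused (RST), timed out, or unreachable
        return False

def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Return the ports on which something is listening, in ascending order."""
    return sorted(p for p in ports if port_is_open(host, p, timeout))

def start_test_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Constructed stand-in for a daemon: bind a listener on a kernel-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, demo_port = start_test_listener()
    # Well-known range 1-1023 plus our demo listener; nmap -p 1-1023 127.0.0.1 is the real thing.
    targets = list(range(1, 1024)) + [demo_port]
    for p in scan_ports("127.0.0.1", targets):
        print(f"{p:5d}/tcp open  {service_name(p)}")
    srv.close()
```

Each line of output is a daemon a scanner would see; anything you do not recognise is a candidate for shutting off.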

Both utilities are used by hackers to see what is going on in your network. Here are some articles we have published on using nmap and ethereal.

Ethereal and NMap -- This is the first in a series of excerpts from Chapter 7 of Incident Response, covering the nmap port scanner and the Ethereal network scanner.

Scanning Your Network -- Dru Lavigne shows us how to use nmap, a port scanning utility, to secure Unix servers and workstations.

Using Ethereal -- Wondering what's going on with your network? Dru explains how to use Ethereal, a graphical network monitoring package that is easy to use and understand. Learn how to capture packets and monitor network traffic.

Linux Tools For Network Analysis -- Spector finds two tools for watching traffic: Ethereal and Netwatch.

Tools of the Trade: Part 1 -- In this first of a three-part series, Carl Constantine covers tools and techniques that system administrators can use to protect their networks, including discussion of nmap, Ethereal, and how to set up honey pots.

Linux for Security Applications -- David Spector explains basic firewall and network security techniques. He also lists the basic tools that can be used, such as NMAP and IP Chains.

Chris Coleman is the Open Source Editor for the O'Reilly Network and is actively involved with community projects such as and Daemon News.
