I am trying to write a small script in Python 2.7 using the "dpkt" wrapper library to parse a sample PCAP file.

I did successfully write specific checks for NULL scans, such as: if seq = 0 and no flags are set; but how do I do that for half-open scan attempts?

I tried something like: if the SYN and RST flags are set, print "Half-open scan detected".

But the above logic is not picking up the half-open connections from the example PCAP file.

Are there any additional checks I need to do?

user629034

1 Answer

The difference between a regular TCP handshake and the typical "half-open" TCP connection workflow (typically used for monitoring and load balancing) is this:

Normal
------
Client ---SYN---> Server
Client <-SYN,ACK- Server
Client ---ACK---> Server

Half-Open
---------
Client ---SYN---> Server
Client <-SYN,ACK- Server
Client ---RST---> Server

So you see it's only the last Client-to-Server packet that's different. You won't find a single packet that identifies a half-open. You'll need to look for a flow/sequence/conversation (whatever you want to call it) that looks like the half-open I describe and that typically happens very quickly (ideally within a few millis if everything's working correctly).

marklap
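One way to do the flow tracking the answer describes, as an added example that is not code from the question or the answer. Packets are constructed tuples here; with dpkt you would fill them from ip.src, ip.dst, tcp.sport, tcp.dport, tcp.flags and the pcap timestamp, and the TH_* values below are the ones dpkt.tcp uses.

```python
from __future__ import print_function

# TCP flag bits; these match the dpkt.tcp.TH_* constants.
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation match."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def find_half_open(packets):
    """packets: iterable of (ts, src, sport, dst, dport, flags) in capture order.
    Returns [(client, server, seconds_from_syn_to_rst), ...] for every flow that
    went SYN -> SYN/ACK -> RST, i.e. the client tore down instead of ACKing."""
    state = {}   # flow_key -> {"stage": 1|2, "client": ..., "server": ..., "t0": ts}
    found = []
    for ts, src, sport, dst, dport, flags in packets:
        key = flow_key(src, sport, dst, dport)
        syn, ack, rst = flags & TH_SYN, flags & TH_ACK, flags & TH_RST
        if syn and not ack:
            # Bare SYN: start (or restart) tracking, remembering who initiated.
            state[key] = {"stage": 1, "client": (src, sport),
                          "server": (dst, dport), "t0": ts}
            continue
        st = state.get(key)
        if st is None:
            continue
        if st["stage"] == 1 and syn and ack and (src, sport) == st["server"]:
            st["stage"] = 2          # SYN/ACK seen, now waiting for the client's reply
        elif st["stage"] == 2 and (src, sport) == st["client"]:
            if rst:
                found.append((st["client"], st["server"], ts - st["t0"]))
            del state[key]           # RST = half-open, ACK = normal handshake
    return found

# Constructed sample traffic (not from any real capture): one normal
# handshake to port 80 and one half-open probe of port 22.
SAMPLE = [
    (0.000, "10.0.0.5", 40000, "10.0.0.9", 80, TH_SYN),
    (0.001, "10.0.0.9", 80, "10.0.0.5", 40000, TH_SYN | TH_ACK),
    (0.002, "10.0.0.5", 40000, "10.0.0.9", 80, TH_ACK),
    (0.100, "10.0.0.5", 40001, "10.0.0.9", 22, TH_SYN),
    (0.101, "10.0.0.9", 22, "10.0.0.5", 40001, TH_SYN | TH_ACK),
    (0.102, "10.0.0.5", 40001, "10.0.0.9", 22, TH_RST),
]

if __name__ == "__main__":
    for client, server, dt in find_half_open(SAMPLE):
        print("half-open: %s:%d -> %s:%d (RST after %.3fs)" % (client + server + (dt,)))
```

The elapsed time is returned so you can apply the "within a few millis" expectation from the answer as a threshold of your own choosing.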