cybersecurity · intermediate · ~12 min · safe pentest lab

Classify a TCP scan from its flag byte

Recognise scan signatures from a single bitfield.

Challenge

Your job

#include <stdint.h>
#include <stddef.h>
int tcp_scan_type(const uint8_t *tcphdr, size_t n);

The TCP flags live in byte 13 of the header (zero-based offset; low 6 bits: FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20). Return:

  • 1 SYN scan (SYN only, 0x02)
  • 2 NULL scan (no flags, 0x00)
  • 3 FIN scan (FIN only, 0x01)
  • 4 XMAS scan (FIN+PSH+URG, 0x29)
  • 0 anything else (e.g. a normal SYN-ACK)
  • -1 NULL input or n < 14

Hints

  1. Mask the flags byte with 0x3F to drop the reserved bits.
  2. Compare against the four scan signatures.

Why this matters

SYN / NULL / FIN / XMAS scans each leave a tell-tale flag combination. Recognising them is how a detector classifies probe traffic.

Starter code

#include <stdint.h>
#include <stddef.h>
int tcp_scan_type(const uint8_t *tcphdr, size_t n) {
    /* TODO */
    (void)tcphdr; (void)n;
    return -1;
}

Common mistakes

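Not masking the reserved bits before comparing. Treating a SYN-ACK (SYN+ACK, 0x12) as a SYN scan; the match must be on the whole masked value, not on the SYN bit alone.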

Edge cases to handle

A NULL scan genuinely has zero flags set, so a masked value of 0x00 returns 2. A header shorter than 14 bytes returns -1.

Complexity

O(1).
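One possible solution, added here as a worked example (it is not the site's reference solution or test harness). The helper classify_flags and the sample headers in main are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCP_FLAGS_OFFSET 13    /* flags byte, per the exercise text */
#define TCP_FLAGS_MASK   0x3F  /* keep FIN..URG, drop the two high bits */

int tcp_scan_type(const uint8_t *tcphdr, size_t n) {
    if (tcphdr == NULL || n < 14)
        return -1;                      /* byte 13 is not readable */

    uint8_t flags = tcphdr[TCP_FLAGS_OFFSET] & TCP_FLAGS_MASK;

    /* Exact equality, not a bit test: SYN-ACK (0x12) has SYN set
     * but is not a SYN scan. */
    switch (flags) {
    case 0x02: return 1;  /* SYN only */
    case 0x00: return 2;  /* NULL: no flags at all */
    case 0x01: return 3;  /* FIN only */
    case 0x29: return 4;  /* XMAS: FIN+PSH+URG */
    default:   return 0;  /* anything else, e.g. a normal SYN-ACK */
    }
}

/* Constructed helper: 20-byte zeroed header with only the flags byte set. */
static int classify_flags(uint8_t flags) {
    uint8_t hdr[20] = {0};
    hdr[TCP_FLAGS_OFFSET] = flags;
    return tcp_scan_type(hdr, sizeof hdr);
}

int main(void) {
    /* Constructed sample flag bytes, including both pitfalls the page names. */
    static const struct { uint8_t flags; const char *note; } samples[] = {
        {0x02, "SYN"}, {0x00, "no flags"}, {0x01, "FIN"},
        {0x29, "FIN+PSH+URG"}, {0x12, "SYN+ACK"},
        {0xC2, "SYN with both high bits set"},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%02X %-28s -> %d\n", samples[i].flags, samples[i].note,
               classify_flags(samples[i].flags));

    uint8_t shorthdr[13] = {0};  /* one byte too short to hold byte 13 */
    printf("13-byte header -> %d\n", tcp_scan_type(shorthdr, sizeof shorthdr));
    return 0;
}
```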
