Safe Penetration Testing Labs · intermediate · ~15 min

Detecting port scans — flags and fan-out

Recognise scan flag signatures and count per-source port fan-out.

Overview

Two angles: classify TCP flag signatures (SYN/NULL/FIN/XMAS) and count distinct-port fan-out per source IP.

Why it matters

Combining packet-level and behavioural signals is how real scan detectors avoid both false negatives and false positives.

Lesson

Why this matters

Port scans leave two kinds of evidence: packet-level (unusual TCP flag combinations) and behavioural (one source touching many ports fast). A detector reads both.

Flag signatures (TCP flags byte, low 6 bits)

Scan   Flags         Hex
SYN    SYN           0x02
NULL   (none)        0x00
FIN    FIN           0x01
XMAS   FIN+PSH+URG   0x29

Normal traffic always has ACK set (e.g. a SYN-ACK is 0x12), so it never matches a scan signature.

Behavioural signature: fan-out

Tally distinct destination ports per source IP. A source over a threshold (say, >10 ports in a short window) is almost certainly scanning. Repeated hits to the same port don't count — it's the spread that matters.

Your job (two exercises)

  • tcp_scan_type(...) — classify a single header's flag byte.
  • count_scanners(...) — count source IPs whose distinct-port fan-out exceeds a threshold, from a static connection log.
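Below is one way both exercises can be implemented, written as an added worked example rather than the lab's reference solution. It takes the four signatures and the 0x3F mask from the flag table above (so the ECE/CWR bits in the top two positions are ignored), and uses the lesson's >10-ports threshold as the default. The connection-log format, a list of (src_ip, dst_port) tuples, and the find_scanners helper are assumptions made here; the sample log is constructed for the example. The fan-out tally is what stops a lone 0x02 packet from being a verdict on its own, since the first packet of any legitimate connection looks the same.

```python
"""Port-scan detection: TCP flag classification plus per-source distinct-port fan-out."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# TCP flag bits (the low 6 bits of the flags byte).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = 0x3F  # drop ECE/CWR (bits 6 and 7) before comparing

# Exact flag-byte signatures from the lesson's table.
SCAN_SIGNATURES = {
    SYN: "SYN",               # 0x02
    0x00: "NULL",             # no flags at all
    FIN: "FIN",               # 0x01
    FIN | PSH | URG: "XMAS",  # 0x29
}


def tcp_scan_type(flags: int) -> Optional[str]:
    """Classify a single TCP flags byte.

    Returns "SYN", "NULL", "FIN" or "XMAS" for a scan signature, or None for
    anything else. Anything with ACK set (e.g. SYN-ACK 0x12) falls through to None.
    """
    return SCAN_SIGNATURES.get(flags & FLAG_MASK)


def find_scanners(log: Iterable[Tuple[str, int]], threshold: int = 10) -> Dict[str, List[int]]:
    """Map each source IP whose distinct-port fan-out exceeds threshold to its sorted port list.

    Repeated hits to the same port collapse into one entry: only the spread counts.
    (Assumed log format: iterable of (src_ip, dst_port) tuples.)
    """
    ports_by_src: Dict[str, set] = defaultdict(set)
    for src_ip, dst_port in log:
        ports_by_src[src_ip].add(dst_port)
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) > threshold}


def count_scanners(log: Iterable[Tuple[str, int]], threshold: int = 10) -> int:
    """Count source IPs whose distinct destination-port fan-out exceeds threshold."""
    return len(find_scanners(log, threshold))


# Constructed sample connection log (not real traffic). Four sources:
#   10.0.0.9     touches 15 distinct ports           -> scanner
#   192.168.1.3  touches 11 distinct ports           -> scanner (just over 10)
#   10.0.0.5     touches 10 distinct ports, 3x each  -> not over the threshold
#   10.0.0.7     hits port 80 twenty times           -> one port, no fan-out
SAMPLE_LOG: List[Tuple[str, int]] = (
    [("10.0.0.9", p) for p in range(1, 16)]
    + [("192.168.1.3", p) for p in (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389)]
    + [("10.0.0.5", p) for p in range(8000, 8010)] * 3
    + [("10.0.0.7", 80)] * 20
)


if __name__ == "__main__":
    for byte in (0x02, 0x00, 0x01, 0x29, 0x12, 0x10, 0x42):
        print(f"flags=0x{byte:02x} -> {tcp_scan_type(byte)}")
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} distinct ports")
    print("scanners over threshold 10:", count_scanners(SAMPLE_LOG))
```

The boundary is deliberate: 10.0.0.5 reaches exactly 10 ports and is not reported, because the lesson's rule is "more than" the threshold, and the 0x42 case (SYN with ECE) still classifies as SYN because the mask strips the top two bits before the lookup.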

What this is NOT

  • A live scanner or sniffer — all inputs are static fixtures.

Summary

Mask the flags byte to spot scan types; tally distinct ports per IP to spot fan-out.

Practice with these exercises