When dealing with network scanning on the Internet or any similar Local Area Network (LAN) the protocol used is TCP/IP. Transport Control Protocol/Internet Protocol (TCP/IP) is the protocol used when communicating on the network. For network scanning using NMAP you need to understand TCP/IP to understand what is occurring. To see specific detailed information about the information being sent over the network use Wireshark. Wireshark is a program found at https://www.wireshark.org/ and is a network protocol analyzer. For Debian systems run in a terminal 'sudo apt-get install wireshark'. For Red Hat systems run in a terminal 'yum install wireshark-gnome'. The program shows the information on the network in a list form with coloring rules for specific type packets. The packet types depend on the layer of the TCP/IP Reference Model. TCP/IP Reference Model The TCP/IP Reference Model is made up of four layers. The bottom layer is the Link Layer where the system is connected to a physical media for transmission. The physical media can be a wire or WiFi. The next layer up is the Internet Layer. The second layer from the top is the Transport Layer. The top layer is the Application Layer. This is where the applications interact with the network files and services. Each layer has its own way of dealing with information and being able to send and receive data from the layer next to it. Packet Types and TCP/IP Reference Layers Data is sent between systems as bits. The bits are either off (0) or on (1). The bits are binary. Eight bits make a byte. Packets are a bundle of bits ranging from 7 to 65,542 bytes. The packets are sent along the cabling or WiFi and accepted by the appropriate machine. Each machine can receive all packets sent from every computer on the network. It is possible for some packets to be limited from a network if the receiving system is not present on that network. The bits are received at the bottom of the Reference Layers. The Layer is called the Link Layer. The Link Layer consists of the Network Interface Card (NIC) and its driver. When data is being sent to the network it is taken from the PC and transferred to the network cable or WiFi. When data is received it is brought from the network cable or WiFi and brought into the computer. On this layer is the 'frame'. Data being sent to the network is received from the next layer up and placed into the payload area in a 'frame'. Data from the network is received and the payload is removed from the 'frame' and sent to the next upper layer. The NIC has a burned-in number known as the Media Access Control (MAC) Address. The MAC Address is used to allow a receiving PC to determine if the packet is destined for it. The next upper layer is called the Internet Layer. The Internet Layer is used to 'route' data between networks. Here is where the IP Address is determined and matched to a MAC Address. The Address Resolution Protocol (ARP) is used to match IP Addresses and MAC Addresses. Any resolutions made are stored temporarily in the ARP Cache. The ARP Cache can be viewed with the terminal command 'arp'. The Internet Layer is made up of the Internet (IP) Protocol, ARP, Internet Message Control Protocol (ICMP) and the like. ICMP is very important to many of the scans used by NMAP. The Protocol causes messages to be sent when something occurs on the network which requires a positive or negative response. ICMP will be covered more later in the article. The second layer from the top is the Transport Layer. The Transport Layer is made up of the Transport Control Protocol (TCP) and User Datagram Protocol (UDP). TCP establishes a connection between two systems and causes the sending and receiving of data to be verified when received by the system it is intended. UDP is used by systems which do not require all data to be received at the intended system. For example, when viewing videos on the Internet all packets being sent do not all need to be received. Whereas with TCP, when a person downloads a file all information must be received so the file is complete and intact. More will be covered about this in the section 'TCP/IP Internal Protocols'. Packets sent from TCP are termed 'Segments' while packets from UDP and IP are termed 'Datagrams'. For TCP connections to be made between two systems there is what is called a three-way handshake. The three steps in the handshake are: The first system sends a segment to the second system requesting to SYNchronize (SYN) communications. The Segment contains the first system's Initial Sequence Number (ISN) and Port Number. The second system responds to the segment with its own ISN including an acknowledgment (ACK) of the SYN request with its own SYN and the first system's initial ISN plus 1. The first system responds with an acknowledgment (ACK) segment of the second system's ISN plus 1 and communications are linked. Once the handshake is completely carried out, then communications beween the two systems can be continued. NOTE: The ACK is one of six TCP Control Bits. The six Control Bits are: SYN – used to Synchronize communications between two systems RST – causes communications to be Restarted ACK – acknowledgement receipt of request FIN – finishes communications from one system, but still listens for more requests PSH – pushes data to the application because no more data is being sent URG – urgent data is contained in the packet and some or all should be managed as such by the requesting application The SYN, ACK and RST are the main control bits used in most communications. The SYN and ACK are used during the three-way handshake and can bee seen in a Wireshark scan in Figure 1. FIGURE 1 On line 1 the system with IP Address 10.0.0.1 sent a request to 10.0.0.2. It was a SYN packet to start synchronizing communications. Line 2 shows a response from 10.0.0.2 back to 10.0.0.1 which was a SYN and ACK of the other SYN. The final response is from 10.0.0.1 acknowledging (ACK) the SYN request. The top layer of the Reference Model is the Application Layer. Here the system applications can access files and services on the network. For example, a document editor can open a file on another computer and the user can view that document. Some Application Layer programs are the File Transfer Protocol (FTP) program, HyperText Transfer Protocol (HTTP) programs and the like. Putting It All Together As data is sent from the Application Layer, such as a request from a web browser to access LinuxForum.com, a string of necessary characters is generated for making the request. The string of characters is meant for the web server on the Internet. The string is the 'payload' and is placed inside a longer string of data which has the information about the port numbers to use. Port number 80 is the default for HTTP. The data is sent to the Transport Layer where it is managed by TCP. TCP is used because a connection must be set up between the local system and the Internet web server. The data is taken from the Application Layer and the Transport Layer adds its own information making a 'segment'. The data from the Application Layer is treated as the 'payload'. The 'segment' is then sent to the Internet Layer. Here the data is treated as the 'payload' and more information is added to the string making a 'packet'. Information is added to the packet to include the IP Address (98,124.199.63) of LinuxForum.com. The 'packet' is sent to the Link Layer where the data is considered the 'payload'. More data is added such as the local MAC Address. Once the packet is prepared it is sent to the physical media and transferred to the web server on the Internet. At the web server the data is received from the physical media. The Link Layer checks the information added by the other Link Layer and stores this information, such as IP address and MAC address in ARP. The 'payload' is then removed and sent to the Internet Layer. Again the 'payload' removed and other information added by the other Internet Layer is examined. The 'payload' is sent to the Transport Layer. The Transport Layer removes the 'payload' and also the information added on by the other Transport Layer. It checks the Port number and can tell it is destined for the HTTP service. The 'payload' is sent to the HTTP Service which is then examined by the service. The service responds with the information to display the web page in a series of packets which are sent back using the same process. At the user's system the 'payload' is sent up the Layers until the Web Browser receives the necessary information and can display the requested web page. This process is a basic overview and there are more details here. Packets can be lost on the Internet and must be requested to be sent again. Packets can arrive out of order and must be placed back in the appropriate order. Be aware that depending on what service or program is being used will determine the type of protocol used. TCP/IP Internal Protocols There are four parts of TCP/IP used by NMAP. These four items are: Internet Protocol (IP) – connectionless protocol to handle the sending of Datagrams from one network to another Transmission Control Protocol (TCP) – manages reliable transmission of data from Source to Target system (connection oriented) User Datagram Protocol (UDP) – manages transmission of data from Source to Target system (connectionless oriented) Internet Control Message Protocol (ICMP) – protocol used by IP to send messages between systems about network traffic, lost packets, etc. The main thing to remember here is that there are two main types to consider. Connection and Connectionless oriented. Connection oriented are used when all packets must be received and a three-way handshake is used to start communications. Examples are file transfer, web page request, etc. Connectionless oriented transfers are those which all packets are not necessary to be received and therefore a three-way handshake is not used. Examples include streaming videos or music. Port Scans NMAP uses the above procedures to perform Port Scans. When NMAP is to perform a Port Scan on a system which is not on the local network (on the Internet), it performs the following four steps: executes a Domain Name System (DNS) Lookup (finds the IP Address of the Domain Name, such as LinuxForum.com) pings IP Address found from the DNS lookup a Reverse DNS Lookup is performed which can provide extra information about the system designated to be scanned performs the specified Port scan To find if local system is on-line NMAP performs a two step process. The two processes are: performs an ARP Request for the IP Address to get the MAC Address performs the specified Port scan A Port Scan is performed by starting a Three-Way Handshake. NMAP does not perform a complete Handshake, but obtains enough information to know which Ports are open. The Handshake is managed as follows: SYN – sent from the first system to the second to begin communication negotiations SYN/ACK – second system sends SYN and ACK to first to accept communications between the two systems over the network RST – first system sends a RST to second system to stop the Handshake process and ends communications When a Three-Way Handshake is started, the first system uses the IP, MAC and Port Addresses of the second system to send the request to the second system. If the second system is accepting requests on the designated Port number it will respond with the SYN and ACK control bits as discussed before. At this point the first system running NMAP knows that the second system has the specified Port open. Hopefully this article will give you a basic understanding of what is happening with TCP/IP on a network and the Internet. There is a lot of information dealing with TCP/IP so do not be discouraged.