Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Summary of TCP services on your network InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Summary of TCP services on your network

Published: 2007-06-21
Last Updated: 2007-06-22 14:45:28 UTC
by William Stearns (Version: 2)
0 comment(s)

One of my colleagues asked for a simple way to see what services are live on a given network, in preparation, I suppose, for setting up a firewall.  Here's what I recommended as a quick and easy way to map both local tcp services and outgoing connections.

First, at your perimeter or on some internal router, capture all the tcp packets with both the SYN and ACK flags set.  As a general rule, there will be one of these for every connection established between a client and server.  Yes, this approach can have false negatives and false positives - see the body of the script below - but it's pretty close to reality.  On Windows, install winpcap and run windump like this:

windump -D

to find the number of the network interface leading toward the Internet.  Then run:

windump -i {interfacenum} -tnp -w c:\synacks.pcap "tcp[13] & 0x12 = 0x12"

On unixes, use:

"route -n" or "netstat -rn" or "netstat -rnf inet"

to see the available interfaces, and run:

tcpdump -i {interface} -tnp -w /root/synacks.pcap 'tcp[13] & 0x12 = 0x12'

Let that run for a little while, then summarize the connections with synack-summary from:

Download this script.  It should run fine on unixes or in the cygwin window on windows systems (see

You'll probably want to customize it a little.  Change the following lines to reflect any internal IP addresses for your network (feel free to remove or add lines):

-e 's/ \(12\.13\.14\.137\) / knownip\1 /' \
-e 's/ \(12\.13\.15\.1[6-9][0-9]\) / knownip\1 /' \

Also, give names to your systems.  If you have multiple machines all serving the same purpose, you can call them all "www" or "mail"; the names don't have to match the dns or netbios names.  Edit this block:

-e 's/ 12\.13\.14\.137 / dumbo /' \
-e 's/ 12\.13\.15\.162 / goofy /' \
-e 's/ 12\.13\.15\.163 / minnie /' \
-e 's/ 12\.13\.15\.166 / pluto /' \

If you're running this on the machine capturing the packets, run:

synack-summary /root/synacks.pcap | uniq -c | less

If the packets are being captured on another system, run this:

ssh root@router 'cat /root/synacks.pcap' | synack-summary - | uniq -c | less

Here's a sample of the lines you'll see:

     62 _               minnie                http
   2496 _               pluto                  ssh
   9179 _               pluto                rsync
    324 dumbo           _                     smtp
     10 goofy           _                     http
     21 minnie          _                     http

An underscore is a remote system.  The first column is the count, second is the client machine for outbound connections, the third is the server machine for local servers, and the 4th is the protocol.  Unknown ports will show up as "up:portnum" - if you see these, add a line to the script with the port name you want to use (see the block with "-e 's/ 21 $/ ftp /' \").

In this example, minnie and pluto are running http, ssh, and rsync servers, and dumbo, goofy and minnie make outbound smtp and http connections.

I'll bet you'll be surprised by some of the servers you find.  :-)

-- William Stearns,

0 comment(s)
Diary Archives