Detecting a knock on a closed TCP port

  • Detecting a knock on a closed TCP port

    I'm sure most of us have used (or at least understand) a port scanner. A port scanner such as nmap can find all the open ports on a remote system.

    So far, so good.

    But I'm thinking of this in reverse. Suppose there is an 'agent' out there on our network. Maybe he's a good actor, or a bad actor; we don't know. But he is running a port scanner against our local machine. Perhaps he's looking for vulnerabilities in our system.

    Let's say he scans many TCP ports, but I'll pick one at random: 1503. It was used by Windows Live Messenger. But on our local machine, we don't use Live Messenger and we've closed TCP port 1503.

    My question: how can we detect that someone 'knocked' on TCP port 1503? Is there a Windows service or command line that can generate reports? More interestingly, is there a PB/CC solution? I've used pretty much every feature of TCP in PowerBasic, but only for open ports. It never occurred to me to try to work with closed ports.

    Any ideas?
    Christopher P. Becker
    signal engineer in the defense industry
    Abu Dhabi, United Arab Emirates

  • #2
    If the port is not opened, you will never detect anything from inside the port. Nothing is listening to it.
    I suppose you could monitor all network traffic from one location using packet sniffing and watch for packets addressed to that port on any machine.

    Something like this?
    Which applications use the most bandwidth? How much traffic flows through your network? ➤ Try the Packet Sniffing Software PRTG for free and find out!


    • #3
      You could have a "honey pot" thing... Open ports to listen for incoming connection requests. Then when someone "knocks" you can decide what to do. You could answer and say "we gave at the office" for example.

      Ask if you want me to show you how....
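
The decoy-listener idea from post #3, sketched in Python as an added example that is not part of the original thread and not any poster's code. The function names, the scan threshold and the time window are assumptions chosen for illustration; port 1503 is the one from the question.

```python
import selectors
import socket
import time
from collections import defaultdict

DECOY_PORTS = [1503]     # port from the question; add other unused ports here
SCAN_THRESHOLD = 3       # assumed: distinct decoy ports from one source = scan
WINDOW_SECONDS = 60.0    # assumed window for counting those ports

def open_decoys(host, ports):
    """Listen on each decoy port (0 = OS-chosen); return (selector, bound ports)."""
    sel, bound = selectors.DefaultSelector(), []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((host, port))
        s.listen(16)
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ)
        bound.append(s.getsockname()[1])
    return sel, bound

def collect_knocks(sel, duration):
    """Accept and immediately drop connections for `duration` seconds.
    Returns (timestamp, source_ip, source_port, decoy_port) tuples."""
    knocks = []
    deadline = time.monotonic() + duration
    while (remaining := deadline - time.monotonic()) > 0:
        for key, _ in sel.select(timeout=remaining):
            try:
                conn, (ip, sport) = key.fileobj.accept()
            except OSError:
                continue          # peer vanished before we accepted
            conn.close()          # nothing is read from or sent to the peer
            knocks.append((time.time(), ip, sport, key.fileobj.getsockname()[1]))
    return knocks

def likely_scanners(knocks, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Sources that touched >= threshold distinct decoy ports within window."""
    by_src = defaultdict(list)
    for ts, ip, _, dport in sorted(knocks):
        by_src[ip].append((ts, dport))
    return {ip for ip, hits in by_src.items() for t0, _ in hits
            if len({p for t, p in hits if 0 <= t - t0 <= window}) >= threshold}

if __name__ == "__main__":
    sel, _ = open_decoys("0.0.0.0", DECOY_PORTS)
    seen = []
    while True:                   # report every five seconds until interrupted
        seen += collect_knocks(sel, duration=5.0)
        print(len(seen), "knocks; likely scanners:", likely_scanners(seen))
```

A listener like this only records connections that complete the TCP handshake, and it makes the port appear open to whoever is probing. A probe that never finishes the handshake does not reach `accept()`, so catching those still needs packet capture or firewall logging, as post #2 suggests.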