Essential NetTools Help Documentation

Prev Page Next Page


PortScan is a TCP scanner, a tool that detects if certain TCP ports are open and can accept connections. TCP scanners are usually used for checking if the remote computer runs services (e.g. Telnet or FTP), as well as for security analysis. A port scan includes sending data to the user-defined list of ports and interpreting the response received to identify whether the ports are open.


Information for Windows XP SP2 and Vista Users

Windows XP Service Pack 2 and newer Windows versions limit the number of simultaneous incomplete outbound TCP connections to 10 per application. Upon reaching this limit, subsequent connection attempts are placed in a queue to be resolved at a fixed rate. This may significantly slow down an application that makes a large number of connection attempts. An example of such an application is Essential NetTools in port scanning mode (the PortScan tool).

Presently, no legitimate, official workarounds are available for this problem. There is, however, an unofficial patch that modifies the system files and removes this limitation. If you are running Windows XP Service Pack 2 and are dissatisfied with the PortScan speed or results quality (i.e. many open ports may remain undetected), you may try to install one of the unofficial patches available at http://www.lvllord.de/ . Warning: This patch can only be applied to Windows XP Service Pack 2. This patch is not supported by Microsoft.

Additionally, Windows XP Service Pack 2 and newer Windows versions removed support for raw sockets, making the Stealth scanning mode in the PortScan tool impossible. No unofficial patches are known at this time.

Before you start scanning, you should enter the starting and ending IP addresses in the Starting IP and Ending IP fields as shown above. You may also want to specify the number of simultaneous connections and the connection timeout in the Tasks and Timeout fields. Then you should select the scanning mode: Conventional or Stealth. In the conventional mode, a TCP connection is established between your computer and the computer you're scanning. In the stealth mode, the connection is initiated, but not finalized. This scanning technique is also know as half-open or SYN scanning: The program sends a SYN packet (as if we are going to open a connection) to the target host, and the target host responds with a SYN ACK (this indicates the port is listening) or RST ACK (this indicates the port is not listening) packet. Stealth scans cannot be logged by the target host on the TCP level, although they can be logged by the intrusions detection systems (IDS) working on the packet level. You may find this mode useful when testing the configuration and efficiency of your LAN's IDS. The stealth mode is available only under Windows 2000/XP, requires administrative privileges, and cannot be used to scan your own IP address (to scan your own IP address, use the conventional mode or just look at the NetStat tool to see the list of open ports). Also, please note that running firewall software (including the built-in Windows XP firewall) on your computer may affect the scanning results in the stealth mode; therefore, it is recommended to temporarily disable such software during the scanning process.

Finally, you should select the list of ports to be probed. The Standard list includes the following ports: 7, 9, 11, 13, 17, 19, 21, 23, 25, 43, 53, 70, 79, 80, 88, 110, 111, 113, 119, 135, 139, 143, 389, 443, 445, 512, 513, 1080, 1512, 3128, 6667, and 8080. If you'd like to use a custom list, you can select the Specified ports option and enter your own list. The syntax for entering ports is simple: you can either enter individual ports or port ranges, and you must separate these entries with commas. Below you can find a few examples of valid port lists:


1-30, 80, 443

21, 22, 25, 80-88, 1000-1024, 6666

When all the options are set, click Start to start scanning. The scanning speed can be modified by selecting Settings => Options in the program menu (see Options for details).

During the scanning process the information about the ports is being added to the list. The Open Ports column lists the TCP ports that accepted the connection. The No. of Closed Ports column displays the number of ports that rejected connections, while the No. of Silent Ports column displays the number of ports that ignored connections attempts. In the conventional mode, the last two columns don't display these numbers, because this mode can only detect open ports, but cannot distinguish between closed and silent ports. In other words, in the conventional mode, all the ports that are not open are considered closed. In the stealth mode, the ports that replied with an RST ACK packet are considered closed, while those ports that completely ignored our SYN packets are considered silent, which may indicate that they are protected by a firewall.

Right-clicking on a listed computer brings up a menu with the following commands:

· Full port list – displays the complete list of open, closed, and silent ports. Since the ports lists are normally very long, this command is useful for displaying such long lists.
· Copy IP Address – copies the selected computer's IP address to the clipboard.
· Send To – sends the selected IP address to other tools or to SmartWhois.
· Copy Results – copies the PortScan table to the clipboard.
· Save – saves the PortScan table to a file.