When I wanted to learn more about networks, I started to write a simple port scanner. The goal was to follow the Unix way, so I implemented it as a program that gets a list of hosts as its arguments and outputs a table of ports in a format similar to the Unix `ls` program.

Now I have implemented connect scan and some low-level scan types like SYN scan, FIN scan etc. In fact the low-level scan types are handled by one function and some wrappers for it. Because it was usable, I decided to continue developing it. After I compared my program to nmap and others, I decided to implement such things as retransmission of lost packets and dynamic timeouts. Now I have implemented retransmission for connect scan and almost finished retransmission for the low-level scan function. But that way the code of the scan functions is getting bloated and I see no way to divide it into a set of small reusable functions: they all depend on the same structures, like the list of connections, the list of timed-out connections that are waiting for restarting, and other things like this. Of course I have divided it into functions, but they are not reusable.

I want to make a really useful program, because the currently available solutions are already bloated. When the port scanning part is finished I will implement other features like host discovery as separate programs, so it can be used like this:

`discover 192.168.1.1/24 | xargs portscan -p1-1024 | awk '$2!="closed"{print $0}'`

That way it will be possible to add filters between different stages of network scanning without embedded scripting languages.

Now I think: should I implement retransmission in a simple port scanner? Maybe it is better for a simple program to just output the state of a port as "unknown" if it didn't receive any response, so the user can filter the output and restart the scan for these ports? What do good Unix programs (for example hget from Plan 9) do when they can't connect at the first try? Can you give me some examples? And what about dynamic timeouts? Is there any good algorithm to implement them, or is it going to be a heuristic? What value to choose for the initial timeout so it would not be a "magic number", for example?
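One well-documented answer to the dynamic-timeout and "initial value" questions is to borrow TCP's own retransmission timer (RFC 6298: Jacobson/Karels smoothing of the round-trip time, Karn's rule of not sampling retransmitted probes, exponential backoff, and a 1 s initial RTO before any sample exists). The sketch below is an added example, not the poster's scanner code; the per-port reply traces, the `MIN_RTO` floor and the "unknown after N tries" policy are constructed assumptions.

```python
"""Dynamic probe timeout for a port scanner, following the TCP RTO estimator
of RFC 6298.  Added example, not the poster's code; reply traces are constructed."""

INITIAL_RTO = 1.0   # RFC 6298 s2.1: 1 s before the first RTT sample exists
MIN_RTO = 0.1       # floor (assumption; RFC 6298 says 1 s, scanners go lower)
MAX_RTO = 10.0      # ceiling for the doubled timeout
G = 0.001           # clock granularity in seconds


class RtoEstimator:
    def __init__(self):
        self.srtt = self.rttvar = None
        self.rto = INITIAL_RTO

    def sample(self, rtt):
        """Update SRTT/RTTVAR/RTO from one RTT measurement in seconds."""
        if self.srtt is None:                       # first sample, s2.2
            self.srtt, self.rttvar = rtt, rtt / 2
        else:                                       # s2.3: beta=1/4, alpha=1/8
            self.rttvar = 0.75 * self.rttvar + 0.25 * abs(self.srtt - rtt)
            self.srtt = 0.875 * self.srtt + 0.125 * rtt
        self.rto = min(MAX_RTO, max(MIN_RTO, self.srtt + max(G, 4 * self.rttvar)))
        return self.rto

    def backoff(self):
        """Probe timed out: double the RTO (s5.5) and return the next wait."""
        self.rto = min(MAX_RTO, self.rto * 2)
        return self.rto


def probe_port(est, replies, max_tries=3):
    """replies[i] is the RTT the i-th transmission would see, or None if the
    probe or its answer is lost.  Returns (state, tries): 'answered', or
    'unknown' after max_tries, the 'let the user rescan' outcome from the post."""
    for attempt in range(max_tries):
        rtt = replies[attempt] if attempt < len(replies) else None
        if rtt is not None and rtt <= est.rto:
            if attempt == 0:        # Karn's rule: never sample a retransmitted probe
                est.sample(rtt)
            return "answered", attempt + 1
        est.backoff()               # lost, or slower than the current RTO
    return "unknown", max_tries


def scan(traces):
    """traces: {port: replies}.  One estimator per host, shared across its
    ports, so a backed-off RTO persists until a fresh sample arrives."""
    est = RtoEstimator()
    return {port: probe_port(est, r) for port, r in traces.items()}, est
```

A real scanner would take the RTT samples from its socket or pcap timestamps; the traces here stand in for those so the policy can be checked offline.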