Port scanning originated in the process of querying a computer's TCP/IP stack for open ports. (Ports are reserved and numbered communications channels on which applications listen for requests.) For example, an HTTP request to a Web server will typically go to TCP port 80. However, the same port number might be associated with both TCP and UDP requests. For example, UDP port 53 handles DNS name resolution, but TCP port 53 handles DNS zone transfers. Note that these requests use the same port number (i.e., 53) but different communications channels. The port scanner sends the host a specially designed packet to determine the state of a port (open, closed, or other). Whether and how the host responds will tell the port scanner the port's state.

Modern firewalls and routers might detect these special packets, identify them as port scans, and block them to keep them from reaching their intended host. Current versions of port scanners can construct different types of packets to sneak past these blocking devices. TCP full connect, Stealth Scan, XMAS Scan, and half scan are different types of scans designed to reach and accurately identify the state of a port on a remote host. Nmap requires a separate packet-capture driver, the Windows packet-capture library (WinPcap) packet-filter driver, which other packet-sniffing applications commonly use to create the packets for these different types of scans. (Packet sniffing is the act of listening to all network traffic that passes to or around a specific host.)

Unlike packet sniffing, port scanning actively queries a remote host. Whereas a packet sniffer might tell you that DNS name-resolution traffic is on the network and give you its origin and destination, a port scanner will tell you whether an application running on the host is listening for DNS name-resolution traffic. Even better, port scanning can identify all the hosts on your network on which applications are listening for DNS name-resolution traffic.

You can use port-scanning applications (e.g., Nmap) and techniques with other reporting tools such as Microsoft Excel to construct an accurate map of the open communications channels on your servers and workstations.