TCP SYN scanning is often called a half-open scan because the scanner does not complete a full connection. Instead, it sends a SYN packet and interprets the response.
Core packet logic
SYN/ACKusually indicates an open port.RSTusually indicates a closed port.- No response or ICMP errors can suggest filtering.
Why this matters
This technique is important because it reduces noise compared with a full TCP connect while still revealing useful information about reachable services.
int sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
/* build and send SYN packet, then inspect reply flags */
From a defensive perspective, repeated SYN probes across many ports or hosts can be a clear early signal of reconnaissance.