python - 关于ACK标志位的TCP端口扫描的疑惑？

Question

书上说ACK扫描，如果对方端口是开放的，返回的RST报文TTL应该小于等于64，而大于则表示不开放。

但是我在Kail上分别对同一个C段的两台机器进行扫描时发现：

对windows主机的一个开放端口(80)扫描，得到的RST报文的TTL=128，window=32767，对一关闭的端口(11987)扫描，得到的RST报文的TTL=128，window=32767

对Linux主机(Ubuntu 16.04)的一个开放端口(22)扫描，得到的RST报文的TTL=64，window=0，对一关闭端口(12339)扫描，得到的RST报文的TTL=64，window=0

请问何解？

Answer 1

It is not that less than or equal to 64 equals an open port. It sends ACK packets to a bunch of ports on a machine at the same time. If the TTL in the RST returned by a certain port is obviously smaller than others, it means that this port may be open.
As for the case of 128/64, it is because the default TTL values ​​of *nix and windows are different. Generally speaking, it can be considered that the default TTL value of *nix is ​​64 and that of windows is 128. (There will be differences depending on different system/kernel versions)