Port vs Service

Shodan crawlers collect banners that describe services - not just open ports. This is a small but important distinction. A service means that there is an open port and some indication that an actual service is running behind that port. Many firewalls or honeypots will pretend to have open ports by responding with a TCP SYN+ACK even though there isn’t a service running behind the port.

This difference matters because treating every open port as a service introduces a significant number of false positives. For example, if you scan the Internet for Modbus (502/tcp), you will see more than a million open ports. However, if you actually speak with those ports, only a handful of them are running a service.
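
The following is an added example, not Shodan's code: it classifies probe results for an asset inventory by checking whether the bytes returned on 502/tcp form a valid Modbus/TCP reply to the request that was sent. The function names, labels and sample byte strings are constructed for illustration; only the MBAP framing comes from the Modbus/TCP protocol.

```python
import struct
from collections import Counter

MBAP = ">HHHB"  # transaction id, protocol id (always 0), length, unit id

def build_request(txn_id, unit_id=1):
    """Read Holding Registers (function 0x03), start address 0, one register."""
    pdu = struct.pack(">BHH", 0x03, 0, 1)
    return struct.pack(MBAP, txn_id, 0, len(pdu) + 1, unit_id) + pdu

def classify(connected, request, response):
    """Label one probe result by what the endpoint actually sent back."""
    if not connected:
        return "closed"
    if not response:
        return "open-port-only"          # handshake completed, nothing spoke
    if len(response) < 9:                # MBAP (7) + function code + 1 data byte
        return "other-data"
    txn, proto, length, _unit = struct.unpack(MBAP, response[:7])
    req_txn = struct.unpack(">H", request[:2])[0]
    req_func, func = request[7], response[7]
    framed = proto == 0 and txn == req_txn and length == len(response) - 6
    # A normal reply echoes the function code; an exception reply sets bit 7.
    if framed and func in (req_func, req_func | 0x80):
        return "modbus-service"
    return "other-data"

REQ = build_request(0x1234)
# Constructed sample results: (label, TCP connected?, bytes received)
SAMPLES = [
    ("plc", True, struct.pack(MBAP, 0x1234, 0, 5, 1) + bytes([0x03, 0x02, 0x00, 0x2A])),
    ("plc-exception", True, struct.pack(MBAP, 0x1234, 0, 3, 1) + bytes([0x83, 0x02])),
    ("silent-firewall", True, b""),
    ("web-server", True, b"HTTP/1.1 400 Bad Request\r\n\r\n"),
    ("filtered", False, b""),
]

def summarize(samples=SAMPLES, request=REQ):
    """Count how many 'open' ports are really Modbus services."""
    return Counter(classify(conn, request, resp) for _, conn, resp in samples)

if __name__ == "__main__":
    for name, conn, resp in SAMPLES:
        print(f"{name:16} {classify(conn, REQ, resp)}")
    print(dict(summarize()))
```

Four of the five constructed samples complete a TCP handshake, but only two of them count as a Modbus service once the reply is validated.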