I was asked this question in an interview: "What is a port sweep?"
When I replied with port scan he said that my answer was not a scan, it was a port sweep. I googled and found "tcp sweep" but not "port sweep".
Can anybody help me with this?
This answer is 64.7% opinion.
TL;DR: A port sweep looks for specific port(s) across multiple hosts. A port scan enumerates any ports to be found on one or more hosts.
Some people use "port sweep" to describe a port scan that is focused on a specific port across a wide number of hosts, rather than on determining the open ports for some number of hosts.
An example: imagine a new PostgreSQL flaw is found which permits compromise via the network listener. You will quickly see scans, some of them Internet-wide, testing port 5432/tcp and nothing else. This is a port sweep - a broad "sweeping" scan, targeted tightly to finding a vulnerable service, anywhere it can be found.
A sweep is not limited to one port. Let's say that a flaw was exposed that impacted PostgreSQL and MySQL equally; you will see scans which hit both 3306/tcp and 5432/tcp, but nothing else. However, the fact that it's focused on finding a discrete number of specific issue-related ports makes it a sweep.
Finally, a "sweep" may be used as a host detection method. You can sweep for limited "likely" ports (80/tcp, 443/tcp) to see if anyone is there, and then go back to do full port scans against hosts that the sweep found to be alive. This is common for things like the Internet where smart people disable ICMP ping. It would take too long to do full port scans against a block with potential dead IPs, so the sweep is used to narrow the scope of the scan.
By this definition, the contrasting "port scan" is a full-spectrum attempt to enumerate all open ports (or at least a reasonably ambitious subset) on host(s).
Unfortunately, you'll always run into interviewers with their own specific definitions, who ding you for not being psychic.
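The wide-but-shallow versus deep distinction in the answer above is also how a detection engineer tells the two apart in traffic: a sweep source touches many hosts on one or two ports, a scan source touches many ports on a host, and the two-phase "sweep, then scan whoever answered" pattern shows up as both. The following is an added example (not part of the answer or the question) that builds a constructed connection log and classifies each source by those two counts. The log format (`src dst dport` per attempted connection), the addresses, and the thresholds are assumptions made for the example.

```python
"""Classify scanning sources as port sweeps or port scans from connection attempts.

Added example, not from the original answer. The one-line-per-attempt
"<src> <dst> <dport>" format, the addresses (RFC 5737 documentation ranges)
and the thresholds are all assumptions for this illustration.
"""
from collections import defaultdict


def build_sample_log():
    """Construct sample flow-log lines (constructed data, not captured traffic)."""
    lines = []
    # Port sweep: one port (5432/tcp, the PostgreSQL case) across many hosts.
    for i in range(1, 13):
        lines.append(f"10.9.9.9 192.0.2.{i} 5432")
    # Port scan: many ports on a single host.
    for port in range(1, 31):
        lines.append(f"10.8.8.8 192.0.2.50 {port}")
    # Two-phase: sweep 80/443 across a /24, then scan the hosts that were alive.
    for i in range(1, 21):
        lines.append(f"10.6.6.6 203.0.113.{i} 80")
        lines.append(f"10.6.6.6 203.0.113.{i} 443")
    for host in (3, 7, 9):
        for port in range(1, 101):
            lines.append(f"10.6.6.6 203.0.113.{host} {port}")
    # Ordinary client: a couple of web servers on 443.
    lines.append("10.7.7.7 198.51.100.1 443")
    lines.append("10.7.7.7 198.51.100.2 443")
    return "\n".join(lines)


def parse_log(text):
    """Parse '<src> <dst> <dport>' lines into (src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, dport = line.split()
        events.append((src, dst, int(dport)))
    return events


def profile_sources(events):
    """Per source: the set of destination hosts and the set of destination ports."""
    prof = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for src, dst, dport in events:
        prof[src]["hosts"].add(dst)
        prof[src]["ports"].add(dport)
    return prof


def classify(events, host_threshold=8, port_threshold=8):
    """Label each source by breadth (hosts) and depth (ports).

    wide & shallow -> "port sweep"; narrow & deep -> "port scan";
    wide & deep    -> "sweep then scan" (discovery sweep followed by full scans);
    neither        -> "benign". Thresholds are arbitrary assumptions.
    """
    result = {}
    for src, p in profile_sources(events).items():
        n_hosts, n_ports = len(p["hosts"]), len(p["ports"])
        wide = n_hosts >= host_threshold
        deep = n_ports >= port_threshold
        if wide and deep:
            label = "sweep then scan"
        elif wide:
            label = "port sweep"
        elif deep:
            label = "port scan"
        else:
            label = "benign"
        result[src] = {"label": label, "hosts": n_hosts, "ports": n_ports,
                       # For a sweep the target port list itself is the useful alert detail.
                       "target_ports": sorted(p["ports"]) if not deep else None}
    return result


if __name__ == "__main__":
    for src, info in classify(parse_log(build_sample_log())).items():
        print(src, info)
```

Per-source counting like this is the same heuristic an IDS portscan preprocessor starts from, and it has the same blind spots: a slow sweep that stays under the threshold per time window, or one spread across many source addresses, will not be labelled, so real detections also bucket by time and by destination. The same distinction applies on the offensive side with nmap's own syntax: `-p 5432` against a whole range is the sweep, `-p-` against one host is the scan.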
Port sweep and port scan can be interchangeable. Or they could be different. It all depends on context. These are colloquial terms, and don't have one single valid definition.
I would agree with @gowenfawr that a 'sweep' is commonly understood as being wide-but-shallow, and a scan as being deeper (could still be very wide), but then again, masscan was built for scanning a ton of machines very shallowly, and it's not "mass-sweep", so yeah; they're honestly interchangeable.
Part of the confusion lies in the definition of "scan". In more recent times, this word has become confused with "skim". To scan is to examine in minute detail - like a scanning electron microscope, not give a quick once-over.