"We've elected to have our port scan start at 80 (The traditional http server port) and grab every other (higher) listening port on the localhost and query all of them, as if they were http servers, by sending a simple HTTP/1.0 GET request. As a blanket request to any number of known, and unknown, ports, it's not always the best way to interrogate, but it does get lots of useful information from any sort of web server and a few other sorts of servers as well. The only thing you have to settle down and be comfortable with is the fact that, a lot of the time, you can find out just as much about what's running on a particular port by reading the error message you receive from a bogus query as you can from reading the result of a successful one."
