The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that "open" listening ports will send back different error messages than "closed" ports.
The most common of these scans is the FIN scan, which attempts to close a connection that isn't open. If no service is listening at the target port, the operating system will generate an error message. If a service is listening, the operating system will silently drop the incoming packet. Therefore, no response indicates a listening service at the port. However, since packets can be dropped accidentally on the wire or by firewalls, this isn't a very effective scan.
Other techniques might consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans.
