Hi, can anyone help with an issue I am having using Wireshark to detect nmap scans? I have managed to filter the amount of SYN/ACK packets for the 3-way handshake with ip.proto == 6 and tcp.flags == 18. I have also filtered for a SYN scan only with ip.proto == 6 and tcp.flags == 2 and have identified areas with large amounts of these in a small space of time, which probably proves a SYN scan is happening. I have also filtered for ACK as well. I wanted to try to find what ports have been connected to successfully and what ones have not. I'm using a pre-set-up pcap given to me at university. Any ideas?
asked 06 Apr '12, 08:50 aikiscotsman, edited 06 Apr '12, 10:03 Guy Harris ♦♦
One Answer:
Nmap has many options, so an nmap scan can take many forms. You would need to create a filter for each type of scan behavior you want to detect. As a starting point, you might want to go to the download page of Laura Chappell's "Wireshark Network Analysis" book website and download her Wireshark profiles and sample filters. She has one profile called "Nmap detection" that contains a color filter designed to highlight some possible nmap scans.
answered 06 Apr '12, 11:00 Jim Aragon
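The part of the question the answer does not cover is telling which probed ports answered and which did not. For a SYN (half-open) scan the logic is the same one Wireshark's filters express: a bare SYN (tcp.flags == 2) from the scanner that is answered by SYN/ACK (tcp.flags == 18, 0x012) means the port is open, a RST/ACK (0x014) means closed, and no reply means filtered; a source sending bare SYNs to many distinct ports in a short span is the scan itself. The script below is an added example, not code from the original question, answer or from Wireshark or nmap. It assumes a classic libpcap file with Ethernet frames (linktype 1), and the addresses, source port and packet sequence in SAMPLE_PCAP are constructed in the script to mimic an nmap -sS run plus one ordinary client handshake.

```python
import socket
import struct
from collections import defaultdict

# TCP flag bits; the values match Wireshark's tcp.flags field (SYN = 2, SYN/ACK = 18)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (not needed for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000, i * 500, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, flags) for every IPv4/TCP frame in a pcap."""
    magic, = struct.unpack("<I", data[:4])
    e = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack(e + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                        # ip.proto == 6 only
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[13])


def classify_syn_scan(packets, scanner, target):
    """Pair each bare SYN probe with the target's reply:
    SYN/ACK -> open, RST (with ACK) -> closed, no reply -> filtered."""
    result = {}
    for src, dst, sport, dport, flags in packets:
        if src == scanner and dst == target and (flags & (SYN | ACK)) == SYN:
            result.setdefault(dport, "filtered")
        elif src == target and dst == scanner and sport in result:
            if (flags & (SYN | ACK)) == SYN | ACK:
                result[sport] = "open"
            elif flags & RST:
                result[sport] = "closed"
    return result


def scan_suspects(packets, min_ports=3):
    """Sources that sent bare SYNs to at least min_ports distinct (host, port) pairs."""
    probes = defaultdict(set)
    for src, dst, _sport, dport, flags in packets:
        if (flags & (SYN | ACK)) == SYN:
            probes[src].add((dst, dport))
    return {src: len(p) for src, p in probes.items() if len(p) >= min_ports}


# Constructed sample capture: hosts and ports are made up for this example
SCANNER, TARGET, CLIENT = "10.0.0.5", "10.0.0.9", "10.0.0.7"
SAMPLE_PCAP = build_pcap([
    # nmap -sS style probes from one source port: open ports answer SYN/ACK and get a RST back
    build_tcp_frame(SCANNER, TARGET, 40000, 22, SYN),
    build_tcp_frame(TARGET, SCANNER, 22, 40000, SYN | ACK),
    build_tcp_frame(SCANNER, TARGET, 40000, 22, RST),
    build_tcp_frame(SCANNER, TARGET, 40000, 23, SYN),
    build_tcp_frame(TARGET, SCANNER, 23, 40000, RST | ACK),     # closed port
    build_tcp_frame(SCANNER, TARGET, 40000, 80, SYN),
    build_tcp_frame(TARGET, SCANNER, 80, 40000, SYN | ACK),
    build_tcp_frame(SCANNER, TARGET, 40000, 80, RST),
    build_tcp_frame(SCANNER, TARGET, 40000, 443, SYN),          # never answered: filtered
    # an ordinary client completing a full three-way handshake to port 80
    build_tcp_frame(CLIENT, TARGET, 51000, 80, SYN),
    build_tcp_frame(TARGET, CLIENT, 80, 51000, SYN | ACK),
    build_tcp_frame(CLIENT, TARGET, 51000, 80, ACK),
])

if __name__ == "__main__":
    pkts = list(parse_pcap(SAMPLE_PCAP))
    print(classify_syn_scan(pkts, SCANNER, TARGET))   # {22: 'open', 23: 'closed', 80: 'open', 443: 'filtered'}
    print(scan_suspects(pkts))                        # {'10.0.0.5': 4}
```

To run it against the university pcap instead, pass the file's bytes to parse_pcap (open(path, "rb").read()) and the scanner and target addresses you identified with the tcp.flags == 2 filter; a pcapng capture would need to be saved as classic pcap from Wireshark first. The same classification can be done by hand in Wireshark with ip.src == target && tcp.flags == 0x012 (open) and ip.src == target && tcp.flags == 0x014 (closed), and the ports that appear in the scanner's SYNs but in neither reply list are the filtered ones. Note that the ordinary client, which completes the handshake with a final ACK rather than tearing it down with a RST, is not reported by scan_suspects because it only touched one port.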