WIRESHARK

TCP FLAGS

PORT SCAN TYPES

TCP CONNECT SCANS

root@dco:~$ wireshark
 * On Linux the binary is lower-case `wireshark`. Avoid running the GUI as root: give dumpcap the capture capabilities (e.g. the `wireshark` group / `cap_net_raw,cap_net_admin`) and run Wireshark as an unprivileged user, so a dissector bug cannot be exploited with root privileges.

#step 1: get an overview - show only bare SYN packets (connection attempts, no SYN/ACK) with a "normal" window size
WireShark
 Filter: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024
 * Rationale: a TCP connect scan completes the handshake through the OS network stack, so the SYN carries the host's usual (larger) window. This is a heuristic, not proof - window sizes depend on the OS and the scanning tool, so confirm with the handshake pattern in step 3.
 
#step 2: drill-down and isolate - narrow to a single target port so the full handshake for that port is visible
WireShark
 Filter: tcp.port==22
 * 22 is only an example; pick a port that appears in the capture. Combine with the step 1 filter and `ip.addr==<suspect>` once a candidate source is known.
 
#step 3: identify the IP address conducting the port scan - one source hitting many destination ports in a short time (Statistics > Conversations / Endpoints shows this quickly)
Initial Anomaly Pattern
Open TCP Port: SYN -> SYN/ACK -> ACK, then the scanner tears the connection down (RST/ACK) - the full three-way handshake completes
Closed TCP Port: SYN -> RST/ACK from the target

SYN SCANS

root@dco:~$ wireshark

#step 1: get an overview - bare SYN packets with an unusually small window size
WireShark
 Filter: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024
 * Rationale: a SYN (half-open) scan crafts its own raw packets instead of using the OS stack and typically sets a small window. The 1024 threshold is a rule of thumb; a scanner can set any window, so treat hits as candidates to confirm in step 3.
 
#step 2: drill-down and isolate - narrow to a single target port to inspect the exchange
WireShark
 Filter: tcp.port==22
 * 22 is only an example; use a port that appears in the capture.
 
#step 3: identify the IP address conducting the port scan - a single source probing many ports (Statistics > Conversations / Endpoints)
Initial Anomaly Pattern
Open TCP Port (SYN scan): SYN -> SYN/ACK -> RST from the scanner - the handshake is never completed with an ACK
Closed TCP Port (SYN scan): SYN -> RST/ACK from the target

UDP SCANS

root@dco:~$ wireshark

#step 1: get an overview - ICMP Destination Unreachable / Port Unreachable replies
WireShark
 Filter: icmp.type==3 and icmp.code==3
 * Each type 3 / code 3 message marks a closed UDP port; open or filtered UDP ports usually return nothing, so a UDP scan shows up as a burst of port-unreachable replies from one target to one source. Many hosts rate-limit ICMP errors, so the count of replies understates the number of ports probed.
 
#step 2: drill-down and isolate - look at the UDP datagrams that triggered the ICMP replies
WireShark
 Filter: udp
 
 * Analysts may want to narrow this filter to the ports and services approved in the organization's PPSM (Ports, Protocols and Services Management) list or asset inventory, so traffic to unapproved ports stands out.
 
#step 3: identify the IP address conducting the port scan - the source whose UDP probes draw the ICMP port-unreachable replies
Initial Anomaly Pattern
Closed UDP port (e.g. port 69): UDP probe -> ICMP type 3 / code 3 from the target. Open UDP port (e.g. port 68): UDP probe -> no ICMP reply (or an application-layer response), so the absence of an error is the indicator.
