root@dco:~$ Wireshark
#step 1: get an overview
Wireshark
Filter: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024
# note: the window_size threshold is a heuristic for separating full-connect probes (OS stack) from half-open SYN probes (raw sockets); verify it against the scanner and stacks seen in your environment
#step 2: drill-down and isolate
Wireshark
Filter: tcp.port==22
#step 3: identify the source IP address conducting the port scans
SYN SCANS
root@dco:~$ Wireshark
#step 1: get an overview
Wireshark
Filter: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024
#step 2: drill-down and isolate
Wireshark
Filter: tcp.port==22
#step 3: identify the source IP address conducting the port scans
UDP SCANS
root@dco:~$ Wireshark
#step 1: get an overview
Wireshark
Filter: icmp.type==3 and icmp.code==3
# note: ICMP destination unreachable / port unreachable, i.e. the replies generated by closed UDP ports
#step 2: drill-down and isolate
Wireshark
Filter: udp
* analysts may want to narrow the filter to the ports and hosts recorded in the organization's PPSM / asset inventory
#step 3: identify the source IP address conducting the port scans
Initial Anomaly Pattern
Open TCP Port
Closed TCP Port
Initial Anomaly Pattern
Open TCP Port (SYN)
Closed TCP Port (SYN)
Initial Anomaly Pattern
Closed (port 69) and open (port 68) UDP ports: