Wireshark: Traffic Analysis — Quick Summery

Nmap Scans

Filters to detect nmap scans:

To detect TCP Connection Scan:-

tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024

To detect SYN Scan:-

tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024

To detect closed UDP ports:-

icmp.type==3 and icmp.code==3

ARP Queries:-

(((http.request or tls.handshake.type == 1) and !(ssdp))) && (tls.handshake.extensions_server_name == “accounts.google.com”)