Wireshark: Traffic Analysis — Quick Summary
Jun 4, 2023
Nmap Scans
Filters to detect nmap scans:
To detect TCP Connection Scan:-
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024
To detect SYN Scan:-
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024
To detect closed UDP ports:-
icmp.type==3 and icmp.code==3
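The three filters above encode the same idea: a TCP segment with SYN set and ACK clear is a connection attempt, and the window size separates a raw-socket SYN probe (small window) from a full connect through the OS stack (large window); an ICMP type 3 / code 3 reply means a UDP probe hit a closed port. As an added example (not from the original summary), here is that logic re-implemented in Python over constructed TCP and ICMP headers, so the rules can be checked without a capture file. Everything below, including the sample packets and the 1024-byte threshold, is built from the filter text above; the threshold itself is a heuristic, not a protocol guarantee.

```python
"""Pure-Python re-implementation of the Nmap detection filters listed above.

The packets are constructed inline (no pcap needed); only the TCP and ICMP
header bytes are built, since those are the only fields the filters read.
"""
import struct

TCP_SYN = 0x02  # flag bits as laid out in the TCP header
TCP_ACK = 0x10
SCAN_WINDOW_THRESHOLD = 1024  # taken from the Wireshark filters above


def parse_tcp(hdr: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into the fields the filters use."""
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", hdr[:20]
    )
    flags = off_flags & 0x1FF  # low 9 bits hold the control flags
    return {
        "sport": sport,
        "dport": dport,
        "syn": bool(flags & TCP_SYN),
        "ack": bool(flags & TCP_ACK),
        "window": window,
    }


def parse_icmp(hdr: bytes) -> dict:
    """Decode ICMP type and code (first two header bytes)."""
    icmp_type, icmp_code = struct.unpack("!BB", hdr[:2])
    return {"type": icmp_type, "code": icmp_code}


def classify(proto: str, hdr: bytes):
    """Apply the three filters; return a label or None if nothing matched."""
    if proto == "tcp":
        t = parse_tcp(hdr)
        # tcp.flags.syn==1 and tcp.flags.ack==0 -> a connection attempt
        if t["syn"] and not t["ack"]:
            # window <= 1024 -> SYN scan; window > 1024 -> TCP connect scan
            return "syn_scan" if t["window"] <= SCAN_WINDOW_THRESHOLD else "connect_scan"
        return None
    if proto == "icmp":
        i = parse_icmp(hdr)
        # icmp.type==3 and icmp.code==3 -> destination/port unreachable
        if i["type"] == 3 and i["code"] == 3:
            return "udp_port_closed"
        return None
    return None


def tcp_header(sport: int, dport: int, flags: int, window: int) -> bytes:
    """Build a constructed TCP header (data offset 5, checksum left zero)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)


# Constructed sample traffic: one of each case plus two packets that must not match.
SAMPLE_PACKETS = [
    ("tcp", tcp_header(40000, 22, TCP_SYN, 1024)),             # small window: SYN scan
    ("tcp", tcp_header(40001, 80, TCP_SYN, 64240)),            # large window: connect scan
    ("tcp", tcp_header(22, 40000, TCP_SYN | TCP_ACK, 65535)),  # SYN/ACK reply: not a probe
    ("icmp", struct.pack("!BBH", 3, 3, 0) + b"\x00" * 4),      # port unreachable: closed UDP port
    ("icmp", struct.pack("!BBH", 8, 0, 0) + b"\x00" * 4),      # echo request: ignored
]


def summarize(packets) -> dict:
    """Count matches per label, the way a filtered capture would be tallied."""
    counts = {}
    for proto, hdr in packets:
        label = classify(proto, hdr)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

Running it tallies one SYN scan probe, one connect-scan probe and one closed UDP port from the sample set. Note that the window-size split is a heuristic: a single probe with an unusual window can land on the wrong side of the threshold, so in practice the filters are best read alongside the rate and spread of SYN packets from one source rather than on their own.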
ARP Queries:-
(((http.request or tls.handshake.type == 1) and !(ssdp))) && (tls.handshake.extensions_server_name == "accounts.google.com")