I am trying to come up with a display filter to help detect TCP Stealth Scans (or "Half-Open" scans).
Since those are usually characterized by three packets: SYN - SYN/ACK - RST
I'm trying the filter:
tcp.stream && (tcp.flags.syn == 1 || tcp.flags.reset == 1)
It seems to be working somewhat - but I'm not sure if that is the correct use of the tcp.stream primitive. Is there a better way to identify patterns across multiple packets?
asked 03 Apr '11, 08:57
The field tcp.stream is just an index to an individual TCP session (stream) and will always be true for TCP packets.
You might be able to get what you want by looking more closely at the RST packets and using the (relative) sequence and acknowledgment numbers. Also the tcp.flags.ack field might be important in distinguishing the different causes for a TCP RST.
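As an added illustration of both the question's filter and the answer's suggestion (this is not code from the original question or answer), the Python below groups constructed packet records into tcp.stream-style indexes, converts sequence/acknowledgment numbers to Wireshark-style relative values, and then classifies each stream by the pattern the answer points at: whether a SYN/ACK was seen, whether the client ever completed the handshake, and whether the RST carries the ACK flag. The packet records and addresses are invented for the example; the field names merely mirror Wireshark's tcp.flags.*, tcp.seq and tcp.ack. The "half-open" rule assumes the RFC 793 behaviour for a SYN/ACK that reaches a host with no matching connection: the reset takes its sequence number from the incoming ACK field (relative seq 1) and has no ACK flag.

```python
from collections import defaultdict

# Constructed sample capture (three TCP streams), not real traffic:
#   stream 0: half-open scan of an open port  (SYN, SYN/ACK, RST)
#   stream 1: probe of a closed port          (SYN, RST/ACK from target)
#   stream 2: full connection, then an abort  (SYN, SYN/ACK, ACK, data, RST/ACK)
PACKETS = [
    dict(src="10.0.0.5", sport=40001, dst="10.0.0.9", dport=80, flags={"SYN"}, seq=1000, ack=0),
    dict(src="10.0.0.9", sport=80, dst="10.0.0.5", dport=40001, flags={"SYN", "ACK"}, seq=5000, ack=1001),
    dict(src="10.0.0.5", sport=40001, dst="10.0.0.9", dport=80, flags={"RST"}, seq=1001, ack=0),
    dict(src="10.0.0.5", sport=40002, dst="10.0.0.9", dport=23, flags={"SYN"}, seq=2000, ack=0),
    dict(src="10.0.0.9", sport=23, dst="10.0.0.5", dport=40002, flags={"RST", "ACK"}, seq=0, ack=2001),
    dict(src="10.0.0.7", sport=51000, dst="10.0.0.9", dport=80, flags={"SYN"}, seq=3000, ack=0),
    dict(src="10.0.0.9", sport=80, dst="10.0.0.7", dport=51000, flags={"SYN", "ACK"}, seq=7000, ack=3001),
    dict(src="10.0.0.7", sport=51000, dst="10.0.0.9", dport=80, flags={"ACK"}, seq=3001, ack=7001),
    dict(src="10.0.0.7", sport=51000, dst="10.0.0.9", dport=80, flags={"PSH", "ACK"}, seq=3001, ack=7001),
    dict(src="10.0.0.7", sport=51000, dst="10.0.0.9", dport=80, flags={"RST", "ACK"}, seq=3006, ack=7001),
]


def naive_filter(p):
    """The question's display filter: tcp.stream is true for every TCP packet,
    so this reduces to 'any SYN or any RST' and matches all three streams."""
    return "SYN" in p["flags"] or "RST" in p["flags"]


def index_streams(packets):
    """Assign a tcp.stream-like index: one number per (endpoint, endpoint) pair."""
    ids, streams = {}, defaultdict(list)
    for p in packets:
        key = frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})
        ids.setdefault(key, len(ids))
        streams[ids[key]].append(p)
    return streams


def relativize(pkts):
    """Wireshark-style relative numbers: each direction's ISN (seq of its SYN) becomes 0."""
    isn = {}
    for p in pkts:
        if "SYN" in p["flags"]:
            isn.setdefault((p["src"], p["sport"]), p["seq"])
    out = []
    for p in pkts:
        me, peer = (p["src"], p["sport"]), (p["dst"], p["dport"])
        q = dict(p)
        q["rel_seq"] = p["seq"] - isn.get(me, 0)
        q["rel_ack"] = p["ack"] - isn.get(peer, 0) if "ACK" in p["flags"] else 0
        out.append(q)
    return out


def classify_stream(pkts):
    """Label one stream by who reset it, whether the handshake completed,
    and whether the RST carries the ACK flag (the answer's tcp.flags.ack hint)."""
    pkts = relativize(pkts)
    syn = next((p for p in pkts if "SYN" in p["flags"] and "ACK" not in p["flags"]), None)
    if syn is None:
        return "no SYN seen"
    client = (syn["src"], syn["sport"])

    def from_client(p):
        return (p["src"], p["sport"]) == client

    synack = any(not from_client(p) and {"SYN", "ACK"} <= p["flags"] for p in pkts)
    # Third handshake packet: a client ACK that is neither a SYN nor a RST.
    hs_ack = any(from_client(p) and "ACK" in p["flags"] and not p["flags"] & {"SYN", "RST"} for p in pkts)
    rsts = [p for p in pkts if "RST" in p["flags"]]
    if not rsts:
        return "no RST"
    rst = rsts[0]
    if not synack and not from_client(rst) and "ACK" in rst["flags"]:
        return "closed-port probe"
    # Assumption (RFC 793): a SYN/ACK hitting a host with no connection draws a
    # RST whose seq equals the SYN/ACK's ack (relative 1) and which has no ACK flag.
    if synack and not hs_ack and from_client(rst) and "ACK" not in rst["flags"] and rst["rel_seq"] == 1:
        return "half-open scan (open port)"
    if synack and hs_ack and "ACK" in rst["flags"]:
        return "established then reset"
    return "other"


def classify_capture(packets):
    """Return {stream index: label} for every stream in the capture."""
    return {sid: classify_stream(pkts) for sid, pkts in index_streams(packets).items()}


if __name__ == "__main__":
    print("naive filter matches:", sum(naive_filter(p) for p in PACKETS), "of", len(PACKETS))
    for sid, label in classify_capture(PACKETS).items():
        print(f"tcp.stream {sid}: {label}")
```

Note that the naive filter matches packets in all three streams, including the legitimate connection, because `tcp.stream` on its own is always true; only the per-stream state (SYN/ACK seen, no handshake ACK, client RST without ACK at relative seq 1) separates the half-open scan from the other two. A scanner that crafts its own RSTs can set whatever flags it likes, so in practice this signature is best combined with the volume of such streams from one source.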