 | 1 | initial version |
If it is a connect scan that uses RST to end the connection, like nmap's connect scan will, then that should catch the end of those streams. This is pretty typical of a scanner that wants to tear down connections and move on but technically connect scans could use FIN to end connections. (This isn't common though. I would look for RST.)
You may want to add for something like tcp.time_relative < 2. This will scoop up streams that see a RST very shortly after the connection is established and weed out false positives from actual data transferring streams that happen to end with a RST.
