Filter to help identify TCP Connect scan
Would the filter tcp.flags.rst == 1 and tcp.flags.ack == 1 help identify TCP Connect Scan packets?
If it is a connect scan that uses RST to end the connection, like nmap's connect scan will, then that should catch the end of those streams. This is pretty typical of a scanner that wants to tear down connections and move on but technically connect scans could use FIN to end connections. (This isn't common though. I would look for RST.)
You may want to add something like tcp.time_relative < 2. This will scoop up streams that see a RST very shortly after the connection is established and weed out false positives from actual data-transferring streams that happen to end with a RST.
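The check described in the answer above, as an added example that is not part of the original post: it looks for streams that complete the handshake and are reset by the initiator within 2 seconds, then groups them by source. The packet list is constructed, and the record layout, the addresses, the zero-payload test and the `min_targets` threshold are assumptions of this example.

```python
from collections import defaultdict

def handshake(sid, cli, srv, port):
    """Constructed 3-way handshake: (stream, time_relative, src, dst, dport, flags, payload)."""
    return [(sid, 0.0000, cli, srv, port, "S", 0),
            (sid, 0.0004, srv, cli, 40000 + sid, "SA", 0),
            (sid, 0.0005, cli, srv, port, "A", 0)]

# Constructed capture. Flag letters: S=SYN, A=ACK, R=RST, P=PSH.
PACKETS = []
for sid, port in enumerate([22, 80, 443]):   # scanner: connect, then RST+ACK at once
    PACKETS += handshake(sid, "10.0.0.5", "10.0.0.9", port)
    PACKETS.append((sid, 0.0011, "10.0.0.5", "10.0.0.9", port, "RA", 0))
# Ordinary client: transfers data, resets the stream 30 s later (the false positive).
PACKETS += handshake(3, "10.0.0.7", "10.0.0.9", 80)
PACKETS += [(3, 0.0100, "10.0.0.7", "10.0.0.9", 80, "PA", 512),
            (3, 30.200, "10.0.0.7", "10.0.0.9", 80, "RA", 0)]
# Closed port: the server answers the SYN with RST+ACK, so no handshake completes.
PACKETS += [(4, 0.0000, "10.0.0.5", "10.0.0.9", 8080, "S", 0),
            (4, 0.0003, "10.0.0.9", "10.0.0.5", 40004, "RA", 0)]

def find_connect_scans(packets, max_age=2.0, min_targets=3):
    """Return {source: sorted [(dst, port)]} for sources whose streams complete the
    handshake, carry no payload, and are reset by the initiator within max_age s."""
    streams = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: (p[0], p[1])):
        streams[pkt[0]].append(pkt)
    hits = defaultdict(set)
    for pkts in streams.values():
        _, _, cli, srv, port, flags, _ = pkts[0]
        if flags != "S":
            continue                          # capture missed the start of the stream
        synack = any(p[2] == srv and p[5] == "SA" for p in pkts)
        acked = any(p[2] == cli and p[5] == "A" for p in pkts)
        payload = sum(p[6] for p in pkts)
        # Same idea as RST and ACK set with tcp.time_relative < 2, limited to the initiator.
        early_rst = any(p[2] == cli and "R" in p[5] and "A" in p[5] and p[1] < max_age
                        for p in pkts)
        if synack and acked and payload == 0 and early_rst:
            hits[cli].add((srv, port))
    return {src: sorted(t) for src, t in hits.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print(find_connect_scans(PACKETS))
```

RST+ACK replies from closed ports (stream 4 in the sample) never complete a handshake, so this function does not count them.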
Asked: 2022-03-31 18:43:40 +0000
Seen: 1,031 times
Last updated: Apr 13 '22