Thursday, 24 November 2011

Evidence of Nmap in Wireshark files

This is a very basic look at how Nmap scans appear in a Wireshark capture file.

  Nmap SYN Scan 

  Usage: nmap -sS

   Nmap sends a packet with the SYN flag set and the target host will reply with a SYN,ACK packet if the port is open and a RST,ACK packet if the port is closed. Nmap does not complete the full TCP connection if the port is open.
 The image below shows this process with the SYN bit set in the packet. The SYN scan is visually easy to spot because of the repeated SYN packets sent to the same host as represented by the grey lines in the image. The target host responds with numerous RST,ACK packets all to the same host.

Image of Nmap SYN scan

Nmap  TCP Connect Scan

Usage: nmap -sT

   The TCP Connect Scan completes the full TCP handshake if the particular service is running as shown in the image below.

Image of Nmap Connect Scan

If the service is not running then a RST/ACK is received. Visually the pcap will show repeated SYN messages sent to a target host and its clear ports and services are being numerated.

Nmap Null Scan

Usage:nmap -sN
   In this scan packets with no flags set are sent to the target.  As with the other scans mentioned on this page it is quite easy to spot this type of scan.  The tell tale signs of repeated messages very quickly sent to the same host are illustrated in the image below:

Image of Nmap Null Scan
If nmap receives a RST,ACK packet from a null scan it will consider the port to be closed.

Nmap Scan using Timing Options

Usage: nmap  -sA -T1 [options 0,1,2,3,4,5]

   The image below shows an ACK scan using a timing interval option.  The ACK scan is less visible because it is dispersed amongst normal traffic.  The relevant packets are numbered 58 and 59.

Image of Nmap ACK scan with timing options set
Nmap ACK Scan with Timing Options Set

 The information regarding Nmap scan types and commands is based on information contained in the Nmap tutorial found at:
The Wireshark packet capture program can be found at: