This is a very basic look at how Nmap scans appear in a Wireshark capture file.
Nmap SYN Scan
Usage: nmap -sS 192.168.56.101
The image below shows the scan, with the SYN bit set in each probe packet. The SYN scan is visually easy to spot because of the repeated SYN packets sent to the same host, represented by the grey lines in the image. The target host responds with numerous RST,ACK packets, all to the same host.
[Image: Nmap SYN scan]
Nmap TCP Connect Scan
Usage: nmap -sT 192.168.56.101
The TCP Connect Scan completes the full TCP handshake if the particular service is running, as shown in the image below.
[Image: Nmap Connect Scan]
If the service is not running, then a RST/ACK is received. Visually, the pcap will show repeated SYN messages sent to a target host, and it's clear that ports and services are being enumerated.
Nmap Null Scan
Usage: nmap -sN 192.168.56.101
In this scan, packets with no flags set are sent to the target. As with the other scans mentioned on this page, it is quite easy to spot this type of scan. The telltale signs of repeated messages sent very quickly to the same host are illustrated in the image below:
[Image: Nmap Null Scan]
Nmap Scan using Timing Options
Usage: nmap -sA -T1 [options 0,1,2,3,4,5] 192.168.56.101
The image below shows an ACK scan using a timing interval option. The ACK scan is less visible because it is dispersed amongst normal traffic. The relevant packets are numbered 58 and 59.
[Image: Nmap ACK Scan with Timing Options Set]
The Wireshark packet capture program can be found at: https://www.wireshark.org/
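The visual patterns described above can also be checked programmatically. The following Python sketch is an added example, not part of the original page: it classifies SYN, connect, null and ACK scans from TCP flag values by counting distinct destination ports per source. The packet tuples are constructed sample data, and the scanner and client addresses, the function names and the five-port threshold are assumptions.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits (Wireshark field tcp.flags)

def classify_scans(packets, min_ports=5):
    """packets: (src, dst, sport, dport, flags) tuples in capture order.
    Returns {(scanner, target): kind}. No time window is applied, so a slow
    -T1 scan spread through normal traffic still accumulates ports."""
    probes = defaultdict(lambda: defaultdict(set))  # (src, dst) -> kind -> ports
    flows, answered = set(), set()  # flows opened by a SYN / answered with SYN,ACK
    completed = set()               # (src, dst) pairs that finished a handshake
    for src, dst, sport, dport, flags in packets:
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == SYN:
            flows.add(flow)
            probes[src, dst]["syn"].add(dport)
        elif flags == 0:                            # null scan probe
            probes[src, dst]["null"].add(dport)
        elif flags == SYN | ACK and reverse in flows:
            answered.add(reverse)                   # target port is open
        elif flags == ACK:
            if flow in answered:
                completed.add((src, dst))           # handshake completed
            elif flow not in flows and reverse not in flows:
                probes[src, dst]["ack"].add(dport)  # ACK outside any known flow
    results = {}
    for pair, kinds in probes.items():
        for kind, ports in kinds.items():
            if len(ports) >= min_ports:
                # With no open port, SYN and connect scans show the same flags.
                results[pair] = "connect" if kind == "syn" and pair in completed else kind
    return results

# Constructed sample data; SCANNER and CLIENT addresses are assumptions.
SCANNER, CLIENT, TARGET = "192.168.56.1", "192.168.56.50", "192.168.56.101"

def sample(kind, ports=(21, 22, 23, 25, 80, 443), open_port=80):
    pkts = [(CLIENT, TARGET, 50000, 80, SYN), (TARGET, CLIENT, 80, 50000, SYN | ACK)]
    for sport, port in enumerate(ports, start=40000):
        pkts.append((CLIENT, TARGET, 50000, 80, ACK))  # normal traffic between probes
        if kind in ("syn", "connect"):
            pkts.append((SCANNER, TARGET, sport, port, SYN))
            is_open = port == open_port
            pkts.append((TARGET, SCANNER, port, sport, SYN | ACK if is_open else RST | ACK))
            if is_open:  # connect scan finishes the handshake, SYN scan resets it
                pkts.append((SCANNER, TARGET, sport, port, ACK if kind == "connect" else RST))
        else:
            pkts.append((SCANNER, TARGET, sport, port, 0 if kind == "null" else ACK))
    return pkts
```

The normal client connection in the sample never reaches the port threshold, so only the scanning source is reported.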