6 signs of NMAP scanning / hacking on YOUR network

Published 2024-06-27
A deep dive into finding NMAP scans in a packet capture with Wireshark. Plenty of stuff for beginners, and everyone else too.

If you have any questions or ideas for future videos, please leave a comment and let me know.

Filters used:
icmp timestamp request:
icmp.type eq 13

tcp source port:
tcp.srcport==58708

syn and ack flags present:
tcp.flags.syn == True && tcp.flags.ack == true

no arp requests:
!arp

tcp port:
tcp.port==47199

tcp destination port:
tcp.dstport==80
tcp.dstport==21
tcp.dstport==3389
tcp.dstport==25

tcp port:
tcp.port==25

pings without responses:
icmp.resp_not_found

no icmp:
not icmp

ack packets without syn ack:
(tcp.flags.ack == True) && (tcp.completeness.syn-ack == False)

ip address:
ip.addr==192.168.2.3

syn packets only:
tcp.flags.syn == True

syn ack packets with no retransmissions:
tcp.flags.ack == True && tcp.flags.syn == True and not tcp.analysis.retransmission
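
As an added example (not code from the video or its capture), the half-open handshake, fixed source port and ICMP timestamp checks behind the filters above, applied in Python to a constructed set of packet records; the hosts, ports and packets are made up to mirror the filters, not taken from the video.

```python
from collections import defaultdict

def tcp(src, dst, sport, dport, syn, ack):
    # One TCP packet record carrying just the fields the filters above use.
    return {"proto": "tcp", "src": src, "dst": dst, "srcport": sport,
            "dstport": dport, "syn": syn, "ack": ack}

# Constructed sample traffic (not the video's capture): 192.168.2.3 sends SYNs from
# one fixed source port to several ports plus an ICMP timestamp request;
# 192.168.2.20 is a normal client that completes one handshake.
SAMPLE_PACKETS = [
    {"proto": "icmp", "src": "192.168.2.3", "dst": "192.168.2.10", "icmp_type": 13},
    tcp("192.168.2.3", "192.168.2.10", 58708, 80, True, False),
    tcp("192.168.2.10", "192.168.2.3", 80, 58708, True, True),      # SYN-ACK back
    tcp("192.168.2.3", "192.168.2.10", 58708, 21, True, False),
    tcp("192.168.2.3", "192.168.2.10", 58708, 3389, True, False),
    tcp("192.168.2.3", "192.168.2.10", 58708, 25, True, False),
    tcp("192.168.2.20", "192.168.2.10", 47199, 443, True, False),
    tcp("192.168.2.10", "192.168.2.20", 443, 47199, True, True),
    tcp("192.168.2.20", "192.168.2.10", 47199, 443, False, True),   # handshake done
]

def scan_signs(packets, half_open_threshold=3):
    """Per-source tally of scan indicators: SYNs never followed by the client's final
    ACK (half-open), distinct destination ports, one reused source port, ICMP type 13."""
    syn_sent = defaultdict(set)    # src -> {(dst, dstport)} that received a SYN
    completed = defaultdict(set)   # src -> {(dst, dstport)} that got the final ACK
    srcports = defaultdict(set)
    icmp_ts = defaultdict(int)
    for p in packets:
        if p["proto"] == "icmp":
            if p.get("icmp_type") == 13:        # icmp.type eq 13
                icmp_ts[p["src"]] += 1
            continue
        flow = (p["dst"], p["dstport"])
        if p["syn"] and not p["ack"]:           # tcp.flags.syn == True, no ACK
            syn_sent[p["src"]].add(flow)
            srcports[p["src"]].add(p["srcport"])
        elif p["ack"] and not p["syn"]:         # third packet of the handshake
            completed[p["src"]].add(flow)
    report = {}
    for src in set(syn_sent) | set(icmp_ts):
        half_open = syn_sent[src] - completed[src]
        report[src] = {
            "half_open_syns": len(half_open),
            "distinct_dst_ports": len({port for _, port in syn_sent[src]}),
            "fixed_src_port": len(srcports[src]) == 1 and len(syn_sent[src]) > 1,
            "icmp_timestamp_requests": icmp_ts[src],
            "looks_like_scan": len(half_open) >= half_open_threshold or icmp_ts[src] > 0,
        }
    return report
```

Hosts that only answer (the server sending SYN-ACKs) never appear in the report, which is the same reason the video filters on SYN-only packets rather than all TCP traffic.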

Timestamps:
00:00 Start
0:23 Intro and setup
0:58 1st Scan
2:30 Time
3:15 Syn Ack retransmissions
3:27 2nd Scan
6:51 3rd Scan
8:56 Common TCP ports
11:26 Conclusion

All Comments (3)
  • @RatStikerz
    I'm a beginner in networking and these videos are so helpful, they're very digestible and let me know what to look for when I do simulations in school.