Wireshark is a powerful network protocol analyzer that captures and inspects network traffic in real time. It has no built-in port-scan alert, but its display filters and conversation statistics expose the patterns a scan leaves behind. Here's how you can detect port scanning using Wireshark:
Recognizing Port Scanning Patterns
Port scanning involves sending packets to various ports on a target system to discover open or active services. Common indicators of port scanning in Wireshark include:
- Multiple Connection Attempts: A single source IP attempting connections to numerous destination ports within a short timeframe, with most of those conversations consisting of only one or two packets.
- Unusual Packet Flags: TCP flag combinations that a normal handshake never produces, such as a lone FIN, no flags at all, or FIN, PSH and URG set together.
- ICMP Responses: A surge in ICMP "Destination Unreachable" (Port Unreachable) messages sent to one host, typically the replies a UDP scan draws from closed ports.
Utilizing Wireshark Filters
Wireshark's filtering capabilities allow you to isolate traffic that matches port scanning characteristics:
- TCP SYN Scans: SYN packets with the ACK flag clear that are never followed by the rest of the handshake; Wireshark exposes the flag bits as the tcp.flags.syn and tcp.flags.ack fields. A scanner's crafted SYNs also tend to carry a small TCP window, whereas a larger window size indicates a standard connection attempt.
- Other Unusual Flag Combinations: for example a TCP segment with no flags set at all. Such packets can be used to probe firewalls and identify open ports, because the target's reply (or silence) differs between open and closed ports.
- TCP FIN Scans: a lone FIN sent to a port with no connection open. FIN scans attempt to close connections that do not exist; a closed port answers with RST while an open port stays silent, which reveals the open ports.
- TCP Xmas Scans: Packets with FIN, PSH, and URG flags set. Filter:
tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1
These scans send packets that "light up" like a Christmas tree, hence the name.
- UDP Scans: ICMP Destination Unreachable messages with code Port Unreachable (icmp.type 3, icmp.code 3) are how a closed UDP port answers a probe; a burst of them from one host toward another marks a UDP scan. Open or filtered UDP ports usually give no reply at all, so the absence of an ICMP response is not proof that a port is open.
Analyzing Conversations
Wireshark's Statistics > Conversations feature helps identify unusual communication patterns:
- Open Statistics > Conversations and select the TCP (or UDP) tab.
- Sort by Address A and review the list for a single source address paired with many different Port B values on the same destination, most conversations carrying only one or two packets.
- Such a pattern indicates a port scan originating from that source. Right-click a suspicious row and choose Apply as Filter to pull up just those packets in the main window and confirm the flag pattern.
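The flag-based filters above and the conversation-style aggregation, combined into one script as an added example (this is not code from the original page or from Wireshark): it classifies constructed packet records with predicates that mirror the Wireshark display filters quoted in the comments, then counts distinct destination ports per probing host inside a sliding time window, which is the "one source, many ports" pattern read off Statistics > Conversations. The packet records, addresses, thresholds (20 ports within 5 seconds) and helper names are assumptions made for the example.

```python
"""Port-scan detection over summarised packet records, mirroring the Wireshark
filters and the Statistics > Conversations view described above.
All traffic below is constructed for the example; nothing is read from a capture."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One packet, reduced to the fields Wireshark would show for it (constructed records)."""
    ts: float                        # frame.time_relative, seconds
    src: str                         # ip.src
    dst: str                         # ip.dst
    proto: str                       # "tcp" or "icmp"
    dport: int = 0                   # tcp.dstport; for ICMP unreachables, the quoted udp.dstport
    flags: frozenset = frozenset()   # TCP flags that are set, e.g. {"syn"}; empty for a NULL probe
    icmp_type: int = -1              # icmp.type
    icmp_code: int = -1              # icmp.code


def _tcp(p, *need, absent=()):
    """True if p is TCP with every flag in `need` set and none of `absent` set."""
    return (p.proto == "tcp" and all(f in p.flags for f in need)
            and not any(f in p.flags for f in absent))


# Each predicate is the Python equivalent of the Wireshark display filter in its comment.
# Order matters: the most specific combinations are tested first.
PROBE_TESTS = {
    # tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1   (Xmas scan)
    "xmas": lambda p: _tcp(p, "fin", "push", "urg"),
    # tcp.flags == 0   (NULL scan: no flags at all)
    "null": lambda p: p.proto == "tcp" and not p.flags,
    # tcp.flags.syn == 1 && tcp.flags.ack == 0   (SYN scan probes; a SYN/ACK reply is excluded)
    "syn": lambda p: _tcp(p, "syn", absent=("ack",)),
    # tcp.flags.fin == 1 && tcp.flags.ack == 0   (FIN scan: a FIN belonging to no connection)
    "fin": lambda p: _tcp(p, "fin", absent=("ack", "syn")),
}


def classify(p):
    """Return the probe type a packet matches, or None for ordinary traffic."""
    for name, test in PROBE_TESTS.items():
        if test(p):
            return name
    # icmp.type == 3 && icmp.code == 3   (Port Unreachable: what a closed UDP port answers)
    if p.proto == "icmp" and p.icmp_type == 3 and p.icmp_code == 3:
        return "udp-unreachable"
    return None


def scan_candidates(packets, window=5.0, min_ports=20):
    """Per probing host, the largest number of distinct destination ports touched within
    any `window` seconds; hosts at or above `min_ports` are returned as {host: ports}.
    The time bound keeps a browser that hits two ports all day from being flagged."""
    probes = defaultdict(list)
    for p in packets:
        kind = classify(p)
        if kind is None:
            continue
        # A port-unreachable travels from the scanned host back to the scanner,
        # so the scanner is ip.dst of that frame, not ip.src.
        scanner = p.dst if kind == "udp-unreachable" else p.src
        probes[scanner].append((p.ts, p.dport))
    flagged = {}
    for host, events in probes.items():
        events.sort()
        in_window, lo, best = Counter(), 0, 0
        for ts, port in events:                  # sliding window over the sorted probes
            in_window[port] += 1
            while ts - events[lo][0] > window:   # drop probes older than the window
                old_port = events[lo][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            flagged[host] = best
    return flagged


def sample_capture():
    """Constructed traffic: a SYN scanner, one Xmas probe, a UDP scan's ICMP replies,
    and a benign client that opens many connections but only to two ports."""
    T = "203.0.113.10"                           # the scanned host
    pkts = []
    for i in range(1, 41):                       # 10.0.0.5 SYN-scans ports 1-40 in 0.4 s
        pkts.append(Pkt(i * 0.01, "10.0.0.5", T, "tcp", i, frozenset({"syn"})))
        reply = {"syn", "ack"} if i in (22, 80) else {"reset", "ack"}
        pkts.append(Pkt(i * 0.01 + 0.001, T, "10.0.0.5", "tcp", 40000 + i, frozenset(reply)))
    pkts.append(Pkt(1.0, "10.0.0.9", T, "tcp", 443, frozenset({"fin", "push", "urg"})))
    for i in range(25):                          # T answers 10.0.0.6's UDP scan on 25 closed ports
        pkts.append(Pkt(2.0 + i * 0.02, T, "10.0.0.6", "icmp", 1000 + i, icmp_type=3, icmp_code=3))
    for i in range(30):                          # 10.0.0.7 browses: many SYNs, ports 80 and 443 only
        pkts.append(Pkt(i * 2.0, "10.0.0.7", T, "tcp", 443 if i % 2 else 80, frozenset({"syn"})))
    return pkts


if __name__ == "__main__":
    cap = sample_capture()
    print("probe packets by type:", dict(Counter(k for k in map(classify, cap) if k)))
    print("hosts probing >= 20 ports within 5 s:", scan_candidates(cap))
```

On the sample, only the SYN scanner (40 ports) and the host receiving the UDP port-unreachables (25 ports) are flagged; the single Xmas probe and the browser's 30 SYNs to two ports fall below the threshold, which is the same judgement you make by eye in the Conversations window: volume alone is not the signal, distinct ports per source in a short interval is.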