{{ SECURITY Network packet Forensic }} 


Chapter 9-1 : Port scan and Packet analysis


For a TCP scan, the 3-way handshake is used to check which ports are open.

For a UDP scan, an open port gives no response. So in this case you check for the 'ICMP unreachable' messages, which mark the closed ports.


From the [Conversation] menu you can estimate the port scan attempts from the following patterns. The [Follow Stream] button gives no useful information here.


To see more detail for each conversation, apply a filter for that conversation.



In the first conversation, [192.168.0.15] answers the [SYN] request from [192.168.0.112] on port [1] with a [RST] response. That means the requested port [1] is closed.



But port 25 carries some data, the [220 Welcome trinitysoft] string.



Unlike the first conversation for port [1], this one has a full TCP 3-way handshake, followed right away by a session close procedure. From this procedure you can tell that port [25] is open.



Note also that the data is sent with the [PSH,ACK] flags set, and that the peer then answers with an [ACK].


To check only the opened ports, try TCP flag filtering: choose the [tcp.flags.syn] field name, the [==] relation, and the value [1].


Then you can add more conditions in the Filter input box.



For failed port opens, modify the filter to [tcp.flags.reset == 1 && tcp.flags.ack == 1].
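The same flag logic as the two Wireshark filters above, applied programmatically to a constructed packet list (an added example, not code from the original post): each SYN probe is tracked per (target, port), a SYN/ACK answer marks the port open and a RST/ACK answer marks it closed, and the per-source probe count mirrors what the Conversation view shows. The scanner and target addresses are the ones from the post; the packets, ports and port 80 probe are constructed sample data.

```python
from collections import namedtuple

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

Pkt = namedtuple("Pkt", "src dst sport dport flags")

# Constructed sample capture reproducing the two conversations in the post:
# port 1 is answered with RST/ACK (closed), port 25 completes the handshake and
# sends its banner with PSH/ACK (open); port 80 is added here and never answered.
SAMPLE = [
    Pkt("192.168.0.112", "192.168.0.15", 40001, 1, SYN),
    Pkt("192.168.0.15", "192.168.0.112", 1, 40001, RST | ACK),
    Pkt("192.168.0.112", "192.168.0.15", 40002, 25, SYN),
    Pkt("192.168.0.15", "192.168.0.112", 25, 40002, SYN | ACK),
    Pkt("192.168.0.112", "192.168.0.15", 40002, 25, ACK),
    Pkt("192.168.0.15", "192.168.0.112", 25, 40002, PSH | ACK),  # "220 Welcome ..."
    Pkt("192.168.0.112", "192.168.0.15", 40002, 25, ACK),
    Pkt("192.168.0.112", "192.168.0.15", 40003, 80, SYN),
]

def is_syn_probe(p):   # tcp.flags.syn == 1 && tcp.flags.ack == 0
    return bool(p.flags & SYN) and not p.flags & ACK

def is_syn_ack(p):     # tcp.flags.syn == 1 && tcp.flags.ack == 1
    return bool(p.flags & SYN) and bool(p.flags & ACK)

def is_rst_ack(p):     # tcp.flags.reset == 1 && tcp.flags.ack == 1
    return bool(p.flags & RST) and bool(p.flags & ACK)

def probe_counts(pkts):
    """Distinct (target, port) pairs SYN-probed by each source, like the Conversation view."""
    seen = {}
    for p in pkts:
        if is_syn_probe(p):
            seen.setdefault(p.src, set()).add((p.dst, p.dport))
    return {src: len(targets) for src, targets in seen.items()}

def classify_ports(pkts, scanner):
    """Map (target, port) -> 'open' / 'closed' / 'no-answer' for ports the scanner probed."""
    state = {}
    for p in pkts:
        if p.src == scanner and is_syn_probe(p):
            state.setdefault((p.dst, p.dport), "no-answer")
        elif p.dst == scanner and (p.src, p.sport) in state:
            if is_syn_ack(p):
                state[(p.src, p.sport)] = "open"
            elif is_rst_ack(p):
                state[(p.src, p.sport)] = "closed"
    return state
```

A single source with many distinct probed ports in `probe_counts`, most of them ending as "closed" or "no-answer" in `classify_ports`, is the scan signature the Conversation view lets you spot by eye.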


