LinuxOtherPenetration Testing

How to Packet FingerPrinting with Wireshark & Detecting Nmap Scans

Packet FingerPrinting with Wireshark and Detecting Nmap Scans, Article Originally not written by me but I appreciate the writer #Goodies 
This is going to be a fairly long tutorial on Wireshark. This is if you have had some sort of experience with wireshark and nmap, and you should have an above-average understanding of some basic protocols.We will be covering some major scans including:

TCP Scans (Transmission Control Protocol)

~ TCP SYN scan === nmap -sS
Explanation: Sends a SYN packet to an IP’s ports

~ TCP Christmas Scan === nmap -sX
Explanation: Sends a TCP packet with the flags PSH, URG, and FIN set

~ TCP Null Scan === nmap -sN
Explanation: Sends NO TCP flags (easy to detect)

~ TCP FIN Scan === nmap -sF
Explanation: Sends only a TCP FIN header

Run an NMap Scan and Look at Packets

1. Nmap SYN Scan (nmap -sS -v -n

Alrightm so here is what the scan looks like in wireshark:

Let’s look at the coloring rule and see why each is which. This is very easy.

Make sure the “Packet Details” panel is available. Click View -> Packet Details

The red is simple. It’s just a RST (reset) or RST ACK packet

Alright, now click on the packet you’d like to see and expand the “Frame” tag. Then you can look at the colorize rule and see exactly why it’s colored the way it is.

We can see that all of this grey is a TCP SYN packet. Hopefully you know that SYN requests are very common throught a network. When initiating a TCP connection (every time you visit a website), a SYN request is sent. So what makes this SYN request different than a normal SYN request?

NMAP SYN scans have a TCP window size of:
– 1024
– 2048
– 3072
– 4096

while normal SYN window sizes are usually much larger and vary constantly. So this is our key! We can also note that the FIN header is always on.

So, let’s write a rule. Here are some things you should note:

&& = and. Ex: tcp && udp = that will show something that has both TCP and UDP protocols
|| = or. Ex: tcp || udp = this will show anything that is either TCP OR UDP
! = not. Ex: !tcp = this will show everything that is NOT TCP protocol

That’s pretty much it!

So we know that it is TCP so let’s just make sure it’s TCP:


Alright. So we also know that the TCP FIN header is also on. So let’s write that as well:

tcp && tcp.flags.fin ==1

Alright, this may be just a little confusing if you’re not a coder. Basically, we want to see if the window size is any of the aforementioned window sizes. If any of them match (they can’t all match) then this will definitively prove a SYN scan without much chance for false positive. We are going to set this aside with () and will use || inside them. Let’s see:

tcp && tcp.flags.fin ==1 && (tcp.window_size==1024 || tcp.window_size==2048 || tcp.window_size==3072 || tcp.window_size==4096)

Here I show a real SYN request (grey) and a NMap SYN request (orange).

There we go! We have finished our first scan!!! Now we can detect a very basic TCP SYN Scan!!! Hoorah!

2. Christmas Scan (nmap -sX -v -n

Alright, let’s see the packet as we scan it. Open any packet you find and look at the packet details 🙂

What do we notice?

  • Flag size = 0x29 in hex in EVERY PACKET
  • It runs on TCP

Alright, lt’s go ahead and write a simple rule based on what we’ve noticed:

It’s TCP only, right? Yes.


Now lets make sure the flag size is 0x29

tcp && tcp.flags==0x29

Now, lastly, we need to specify the headers that are set:

txp && tcp.flags==0x29 && tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1

And that’s our rule! That will detect a Xmas scan!

3. TCP Null Scan (nmap -sN -v -n

This is a very obvious one to detect…

What do you notice?

  • TCP Flags is 0. There are NONE SET
  • Winddow size is the same as all the others (1024, 2048, 3072, 4096)

Again, let’s write the rule.

tcp && tcp.flags==0x00 && (tcp.window_size==1024 || tcp.window_size==2048 || tcp.window_size==3072 || tcp.window_size==4096)

Now you can follow the last 2 tutorials to add your own color-coded scheme 🙂

This one I want you to do yourself!

First write what you notice. Once you’re done, open the spoiler and see if you get the same things I have:

I noticed:

  • Flags = 0x001
  • Only the FIN bit is set
  • Runs on TCP
  • Windows size (1024, 2048, 3072, 4096)

Okay, once you’ve done that, try and write a simple rule!

Here is my final result

tcp.flags==0x01 && tcp.flags.fin==1 && (tcp.window_size==1024 || tcp.window_size==2048 || tcp.window_size==3072 || tcp.window_size==4096)

Noor Qureshi

Experienced Founder with a demonstrated history of working in the computer software industry. Skilled in Network Security and Information Security.

Related Articles

Back to top button