Wireshark · Wireshark-dev: [Wireshark-dev] Wireshark MATE to detect TCP Port Scanning

Wireshark-dev: [Wireshark-dev] Wireshark MATE to detect TCP Port Scanning

From: Sean Laszakovits <slaszako@xxxxxxxxx>

Date: Thu, 23 Feb 2012 17:33:16 -0600

Greetings,

I've begun to start initially playing with the MATE scripting features within Wireshark, and I'm trying to get MATE to show all related packets that are related to the RST flag from port scanning.

I obviously don't know where to start, but:

Is RST flag set to 1?
Yes (continue on)
No (go to next packet)

Is SEQ value == 1?
Yes (continue on)
No (go to next packet)

Is TCP Session/Conversation Packet Total <= 3?
Yes (end)
No (go to next packet)

This way I can see all TCP Convos lasting 3 or less packets (which equates to most port scans)

How would I go about scripting this out within MATE? Any pointers would be greatly appreciated!

Thanks!

Sincerely,

Sean Laszakovits

Prev by Date: Re: [Wireshark-dev] Regression in SVN revision ~41162?
Next by Date: [Wireshark-dev] packet-mip, vendor_id, r41171
Previous by thread: Re: [Wireshark-dev] Regression in SVN revision ~41162?
Next by thread: [Wireshark-dev] packet-mip, vendor_id, r41171
Index(es):
- Date
- Thread