If it is a connect scan that uses RST to end the connection, like nmap's connect scan will, then that should catch the end of those streams. This is pretty typical of a scanner that wants to tear down connections and move on, but technically connect scans could use FIN to end connections. (This isn't common though. I would look for RST.)

You may want to add something like tcp.time_relative < 2. This will scoop up streams that see a RST very shortly after the connection is established and weed out false positives from actual data-transferring streams that happen to end with a RST.
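
The check described in the answer above, applied per stream as an added example (not code from the original post). It assumes rows exported with the Wireshark fields tcp.stream, tcp.time_relative, tcp.flags.syn, tcp.flags.ack, tcp.flags.reset and tcp.len; the sample rows are constructed, and the `require_no_payload` option is an extra assumption that goes beyond the answer.

```python
from collections import defaultdict

# Constructed sample rows (tab-separated): tcp.stream, tcp.time_relative,
# tcp.flags.syn, tcp.flags.ack, tcp.flags.reset, tcp.len
SAMPLE = """\
0\t0.000000\t1\t0\t0\t0
0\t0.000410\t1\t1\t0\t0
0\t0.000520\t0\t1\t0\t0
0\t0.000690\t0\t1\t1\t0
1\t0.000000\t1\t0\t0\t0
1\t0.020100\t1\t1\t0\t0
1\t0.020300\t0\t1\t0\t0
1\t0.051000\t0\t1\t0\t512
1\t1.400000\t0\t1\t1\t0
2\t0.000000\t1\t0\t0\t0
2\t0.000300\t0\t1\t1\t0
3\t0.000000\t1\t0\t0\t0
3\t0.010000\t1\t1\t0\t0
3\t0.010200\t0\t1\t0\t0
3\t0.030000\t0\t1\t0\t1460
3\t45.200000\t0\t1\t1\t0
"""

def parse(rows):
    """Group rows by tcp.stream; flags may be exported as 1/0 or True/False."""
    flag = lambda v: v in ("1", "True")
    streams = defaultdict(list)
    for line in rows.strip().splitlines():
        sid, t, syn, ack, rst, length = line.split("\t")
        streams[int(sid)].append((float(t), flag(syn), flag(ack), flag(rst), int(length)))
    return streams

def quick_rst_streams(rows, max_seconds=2.0, require_no_payload=False):
    """Streams that completed a handshake and saw a RST before max_seconds."""
    hits = []
    for sid, pkts in sorted(parse(rows).items()):
        established = any(syn and ack for _, syn, ack, _, _ in pkts)   # SYN/ACK seen
        early_rst = any(rst and t < max_seconds for t, _, _, rst, _ in pkts)
        carried_data = any(length > 0 for *_, length in pkts)
        if established and early_rst and not (require_no_payload and carried_data):
            hits.append(sid)
    return hits

if __name__ == "__main__":
    print(quick_rst_streams(SAMPLE))
    print(quick_rst_streams(SAMPLE, require_no_payload=True))
```

Stream 2 (RST with no SYN/ACK, as a closed port would answer) and stream 3 (data transfer reset after 45 seconds) are excluded by the handshake and time checks; stream 1 is a short transfer that only the payload option excludes.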