Ethereal-users: Re: [Ethereal-users] Port Scan Reports

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jens Link <lists@xxxxxxx>
Date: Fri, 24 Feb 2006 21:20:47 +0100
"Deogratias Nondi" <dgratius@xxxxxxxxxxx> writes:

> Hi,
>  
> I am a bit new to Ethereal and was wondering what kind of port scans can
> Ethereal detect.

I don't think that ethereal is the right tool for the job. I'd take a
look at a netflow based tool like nfdump/nfsen or a firewall log if I
was concerned about some every day port scanning. Do you call the police
every time somebody looks at your door? I'd be concerned with port scans
emanating from one of my systems without my knowledge.

> How do I recognize these scans in a captured report? 

By hard work and/or good luck. Sorting by destination would be a
first step. 

> If I wanna learn further about the scan (i.e. where it came from and
> how to protect it) where do I go in Ethereal?

You might find information about the source of the port-scan by
filtering and sorting the captured data. You can't use ethereal to
protect against a port scan. If you really have problems with the traffic
caused by port scans you should talk to your ISP. He's the one with
the greater bandwidth and can take the appropriate measures.

One last piece of advice: Do a proper setup of your system and just ignore
the normal background noise emanating from some script kiddies.

Jens
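The "sort by destination, then look for one source touching many ports" approach the reply suggests, written out as an added example (not part of the original post or of Ethereal). The records are constructed sample connection summaries in a simple "src dst port" form such as one might export from a capture or flow tool, and the internal address prefix and the port threshold are assumed values.

```python
from collections import defaultdict

# Constructed sample records: "source_ip destination_ip destination_port".
SAMPLE_RECORDS = """
203.0.113.7 192.0.2.10 22
203.0.113.7 192.0.2.10 23
203.0.113.7 192.0.2.10 25
203.0.113.7 192.0.2.10 80
203.0.113.7 192.0.2.10 110
203.0.113.7 192.0.2.10 143
192.0.2.55 192.0.2.10 443
192.0.2.20 198.51.100.3 21
192.0.2.20 198.51.100.3 22
192.0.2.20 198.51.100.3 23
192.0.2.20 198.51.100.3 80
"""

INTERNAL_PREFIX = "192.0.2."  # assumed: the address range of "my systems"

def parse_records(text):
    """Parse 'src dst port' lines into (src, dst, port) tuples; skip junk."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        src, dst, port = parts
        records.append((src, dst, int(port)))
    return records

def find_scanners(records, min_ports=4):
    """Group by (src, dst) and return pairs that touched at least min_ports
    distinct destination ports, most ports first."""
    ports = defaultdict(set)
    for src, dst, port in records:
        ports[(src, dst)].add(port)
    hits = [(s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))

def outbound_scanners(hits):
    """The case the reply worries about: scans coming from our own hosts."""
    return [h for h in hits if h[0].startswith(INTERNAL_PREFIX)]

if __name__ == "__main__":
    hits = find_scanners(parse_records(SAMPLE_RECORDS))
    for src, dst, n in hits:
        print(f"{src} -> {dst}: {n} distinct destination ports")
    for src, dst, n in outbound_scanners(hits):
        print(f"WARNING: scan originating from internal host {src}")
```

Against the constructed data it reports the external host probing six ports on 192.0.2.10 and, more importantly, the internal host 192.0.2.20 probing four ports on an outside address.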