Using Wireshark

Analyzing Nmap Traffic with Wireshark

Wireshark is a powerful open-source packet analyzer widely used by both network defenders and penetration testers. It provides deep visibility into network protocols, helping professionals identify issues, analyze malicious activity, or study how tools behave at the packet level.

What Is Wireshark?

Wireshark allows you to:

  • Capture and inspect real-time network traffic

  • Debug connectivity and protocol issues

  • Analyze malicious or suspicious traffic

  • Understand how tools (like Nmap) interact with systems over the network

Note: Wireshark comes pre-installed in Kali Linux, making it readily available for cybersecurity tasks.

Why Use Wireshark with Nmap?

When performing network reconnaissance with Nmap, it's important to know:

  • What traffic your tools are generating

  • How different scanning techniques behave

  • Which methods are stealthier or noisier on the network

Wireshark helps visualize this by showing packet-level details of each scan.

Step-by-Step: Capture and Analyze Nmap Traffic

1. Choose the Right Interface

Before capturing, ensure you're listening on the correct network interface (e.g., eth0, wlan0).

2. Full TCP Connect Scan with Nmap

Run this command to initiate a full three-way handshake on port 23 (Telnet):

nmap -sT 192.168.1.231 -p23

In Wireshark, apply this display filter:

tcp.port == 23

Observation:

  • The scan initiates a standard TCP SYN → SYN/ACK → ACK handshake.

  • This indicates a full connection is established.

  • Such scans are easily logged on the target system.

3. Default SYN Scan (Stealth Scan)

Now, run Nmap’s default SYN scan:

nmap 192.168.1.231 -p23

Use the same Wireshark filter:

tcp.port == 23

Observation:

  • You’ll see a SYN from the attacker.

  • The target replies with SYN/ACK.

  • The attacker responds with a RST (Reset), not completing the handshake.

This is known as a half-open scan or stealth SYN scan, which avoids completing the TCP connection.

TCP Connect Scan vs SYN Scan

Feature

-sT (TCP Connect)

Default (SYN) Scan

Handshake Completed

Yes (3-way handshake)

No (RST sent)

Logged by Target

More likely

Less likely

Efficiency

Slower

Faster

Stealth

Low

High

According to Nmap's documentation, SYN scans are typically preferred for stealth and efficiency.

What Happens with Service & Script Scans?

Run a more aggressive scan:

nmap -sV -sC 192.168.1.231

Observation:

  • Nmap performs service detection and default script execution.

  • Wireshark reveals that Nmap includes itself in the User-Agent string.

  • This can be a red flag for detection systems:

    User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; ...)

Hands-on Quiz Questions

  • Use Nmap and Wireshark and figure out how to change your user-agent string from "Nmap Scripting Engine". Note: run against a web server that you are authorized to test.

PreviousScanning with NetcatNextWireshark and Encrypted Traffic

Last updated