Abstract
Port scanning is a fundamental technique commonly used in the reconnaissance phase of cyberattacks to identify open ports and active services on a target system. This study aims to analyze and detect port scanning activity through network traffic monitoring using Nmap and Wireshark. The experiment was conducted in a controlled Local Area Network (LAN) environment consisting of a Windows-based machine as the scanner and a Kali Linux machine as the target. The results demonstrate that scanning activity can be identified through distinct traffic patterns, particularly the transmission of multiple SYN packets and variations in TCP responses. This study highlights the importance of traffic analysis as an early detection mechanism in network security.
What is Port Scanning?
Port scanning is a technique used to identify which ports on a system are open. Open ports often indicate active services such as:
- HTTP (port 80)
- HTTPS (port 443)
- DNS (port 53)
By discovering open ports, an attacker can identify potential entry points into a system.
Experimental Setup
In this project, the simulation was conducted within a Local Area Network (LAN) using two machines:
- 💻 Windows machine → acting as the scanner
- 🐉 Kali Linux machine → acting as the target
Both devices were connected within the same subnet, allowing direct communication.
The tools used in this experiment:
- Nmap → for performing scans
- Wireshark → for capturing and analyzing network traffic
Scanning Process with Nmap
The scan was performed using: nmap -sT -Pn 192.168.1.11
Result: ➡️ The target was active, but all ports were closed.
A broader scan was also conducted: nmap -sT 192.168.1.0/24
➡️ Several devices were found with open ports such as HTTP and HTTPS.
This shows that not all devices within the same network have the same level of exposure or security.
What Happens Behind the Scenes? (Wireshark Analysis)
While the scan was running, Wireshark captured a noticeable spike in network traffic.
This spike is a strong indicator of scanning activity.
Why? Because the scanner sends multiple connection requests to different ports in a short period of time.
Port Behavior: Open vs Closed
From packet analysis, we can distinguish different port states:
❌ Closed Port
- Scanner sends: SYN
- Target replies: RST, ACK
➡️ This means the port is closed and not accepting connections.
✅ Open Port
- SYN → SYN-ACK → ACK (TCP three-way handshake)
➡️ This confirms that the port is open and a service is running.
After that, a RST, ACK is sent because the -sT scan method establishes and then immediately terminates the connection.
⚠️ Identifying Scanning Patterns
One of the clearest indicators of port scanning is:
➡️ A large number of SYN packets sent rapidly to multiple ports
This pattern reflects systematic probing behavior.
Even without directly seeing the attacker, this traffic pattern alone is enough to signal suspicious activity.
Why Does This Matter?
Port scanning is often the first step before more serious attacks, such as:
- Exploiting vulnerabilities
- Brute-force attacks
- Malware injection
By understanding these traffic patterns, network administrators can:
- Detect suspicious activity early
- Take preventive action before an actual attack occurs
Strengths & Limitations
Strengths
- Enables detection without direct access to the target system
- Provides real insight into real-world network behavior
Limitations
- Analysis is still manual (using Wireshark)
- Limited to a local network environment
- No automated detection or alert system
Conclusion
This study demonstrates that port scanning activity can be effectively detected through network traffic analysis using Nmap and Wireshark. The identification of traffic patterns such as repeated SYN requests and specific TCP responses provides valuable insight into the state of network ports and potential security threats.
Understanding these patterns enables network administrators to detect early-stage attacks and implement preventive measures, thereby strengthening overall network security.