
Analyzing and Monitoring Traffic

Traffic for ICMP-Based OS Fingerprinting Attempts

Attackers send unique ICMP probes to the target and look at the response.

Use the following filter to locate unusual ICMP requests (an echo request normally carries code 0, so any other code is worth a look):

(icmp.type==8) && (!(icmp.code==0))

(icmp.type==13) || (icmp.type==15) || (icmp.type==17)

Discover unique ICMP probes, unusual ICMP codes, ICMP timestamp requests (type 13), ICMP information requests (type 15), and ICMP address mask requests (type 17) in the traffic to make an educated guess and detect OS fingerprinting.

Attackers send TCP probes with specific field values in the header, then look at the response to reveal details about the OS.

The fields that indicate OS fingerprinting attempts are the initial sequence number, timestamp, IP ID sequence, and TCP options.

Use the following filter to find TCP-based OS fingerprinting attempts (a bare SYN with a window size below 1025):

(tcp.flags==0x02) && (tcp.window_size < 1025)





Attackers generally use Nmap for target OS fingerprinting.

Defenders should be familiar with the probes Nmap sends during OS fingerprinting in order to detect such attempts:

ICMP echo request (type 8) with no payload

ICMP echo request (type 8) with a 120 or 150 byte payload of 0x00

ICMP timestamp request with the origin timestamp value set to 0

TCP SYN with a 40 byte options area

TCP SYN with the window scale shift count set to 10

TCP SYN with the maximum segment size set to 256

TCP SYN with the timestamp value set to 0xFFFFFFFF

TCP packet with options and SYN, FIN, PSH, and URG bits set

TCP packet with options and no flags set

A non-zero TCP acknowledgement number field without the ACK bit set

TCP packets with unusual window size field values
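The following is an added example, not code from the original notes: it turns the two Wireshark filters and the Nmap probe list above into per-packet checks and runs them over a constructed packet list. The Packet record and its field names (options_len, wscale, ts_val, and so on) are my own simplification of the corresponding Wireshark fields, and the host addresses are made up.

```python
# Added example (not part of the original notes): per-packet checks that mirror the
# Wireshark filters and the Nmap probe list above, run over constructed packet records.
# Field names are a simplification of the Wireshark fields (tcp.flags, tcp.window_size, ...).
from dataclasses import dataclass
from typing import Dict, List, Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "icmp" or "tcp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    payload_len: int = 0
    tcp_flags: int = 0                # raw flag bits, like tcp.flags in Wireshark
    window_size: Optional[int] = None
    ack_number: int = 0
    options_len: int = 0              # bytes of TCP options
    mss: Optional[int] = None
    wscale: Optional[int] = None      # window scale shift count
    ts_val: Optional[int] = None      # TCP timestamp value


def fingerprint_indicators(p: Packet) -> List[str]:
    """Return the names of the OS-fingerprinting heuristics this packet matches."""
    hits: List[str] = []
    if p.proto == "icmp":
        # (icmp.type==8) && (!(icmp.code==0)): echo request with a non-standard code
        if p.icmp_type == 8 and p.icmp_code != 0:
            hits.append("icmp-echo-nonzero-code")
        # Nmap IE probes: echo request carrying 120 or 150 bytes of payload
        if p.icmp_type == 8 and p.payload_len in (120, 150):
            hits.append("icmp-echo-nmap-payload")
        # (icmp.type==13) || (icmp.type==15) || (icmp.type==17)
        if p.icmp_type in (13, 15, 17):
            hits.append(f"icmp-type-{p.icmp_type}-request")
    elif p.proto == "tcp":
        # (tcp.flags==0x02) && (tcp.window_size < 1025): bare SYN with a tiny window
        if p.tcp_flags == SYN and p.window_size is not None and p.window_size < 1025:
            hits.append("tcp-syn-small-window")
        if p.tcp_flags & SYN:
            if p.options_len == 40:
                hits.append("tcp-syn-40-byte-options")
            if p.wscale == 10:
                hits.append("tcp-syn-wscale-10")
            if p.mss == 256:
                hits.append("tcp-syn-mss-256")
            if p.ts_val == 0xFFFFFFFF:
                hits.append("tcp-syn-timestamp-ffffffff")
        if p.tcp_flags == SYN | FIN | PSH | URG and p.options_len > 0:
            hits.append("tcp-syn-fin-psh-urg-with-options")
        if p.tcp_flags == 0 and p.options_len > 0:
            hits.append("tcp-null-flags-with-options")
        if p.ack_number != 0 and not p.tcp_flags & ACK:
            hits.append("tcp-ack-number-without-ack-flag")
    return hits


def suspicious_sources(packets: List[Packet]) -> Dict[str, List[str]]:
    """Group matched indicators by source address; hosts with no matches are left out."""
    found: Dict[str, set] = {}
    for p in packets:
        for name in fingerprint_indicators(p):
            found.setdefault(p.src, set()).add(name)
    return {src: sorted(names) for src, names in found.items()}


# Constructed sample: 10.0.0.5 behaves like an Nmap OS scan, 10.0.0.7 is an ordinary client.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", "icmp", icmp_type=8, icmp_code=0, payload_len=56),
    Packet("10.0.0.5", "10.0.0.9", "icmp", icmp_type=8, icmp_code=9, payload_len=56),
    Packet("10.0.0.5", "10.0.0.9", "icmp", icmp_type=8, icmp_code=0, payload_len=120),
    Packet("10.0.0.5", "10.0.0.9", "icmp", icmp_type=13, icmp_code=0),
    Packet("10.0.0.5", "10.0.0.9", "tcp", tcp_flags=SYN, window_size=1, options_len=40,
           mss=256, wscale=10, ts_val=0xFFFFFFFF),
    Packet("10.0.0.5", "10.0.0.9", "tcp", tcp_flags=SYN | FIN | PSH | URG, options_len=20),
    Packet("10.0.0.5", "10.0.0.9", "tcp", tcp_flags=0, ack_number=12345, options_len=20),
    Packet("10.0.0.7", "10.0.0.9", "tcp", tcp_flags=SYN, window_size=64240, options_len=20),
]

if __name__ == "__main__":
    for src, names in suspicious_sources(SAMPLE).items():
        print(src, ", ".join(names))
```

Running the block lists only 10.0.0.5, because the ordinary SYN from 10.0.0.7 has a normal window, no window-scale or MSS oddities and no flag anomalies. In practice one matching packet is a weak signal; several distinct indicators from the same source in a short window is what separates a fingerprinting attempt from a single unusual host.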

Ping sweep attempts

Attackers use a ping sweep to determine the live hosts within a specified IP range.

It is accomplished using ICMP, TCP, or UDP.

Attackers send a series of ICMP echo requests, or equivalent TCP or UDP probes, to every address in the specified IP range.

The following filters can be used to detect these actions:

ICMP Sweeps use:



TCP ping sweep:


UDP ping sweep:


TCP half open stealth scan attempts




tcp.flags.syn==1 && tcp.flags.ack==1

tcp.flags.reset==1 && ip.src==

TCP full connect scan attempts

ICMP type 3

tcp.flags.syn==1 && tcp.flags.ack && ip.src==

tcp.flags.ack && ip.src==

Null Scan


SYN/FIN DDoS attempts


UDP scan

icmp.type==3 && icmp.code==3

type 3 = destination unreachable

code 3 = port unreachable
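The Wireshark filters above select individual packets; a sweep or scan only becomes visible once you count them per source. The following is an added example, not code from the original notes, that applies the three patterns described above (ping sweep, TCP half-open scan, UDP scan recognised by ICMP type 3 / code 3 replies) to a constructed list of flow records. The Flow layout, the thresholds and the addresses are assumptions made for the example.

```python
# Added example (not part of the original notes): aggregate detections for the sweep
# and scan patterns described above, run over constructed flow records. Thresholds
# and the Flow layout are assumptions, not Wireshark fields.
from collections import defaultdict
from typing import List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str                      # "icmp", "tcp" or "udp"
    flags: str = ""                 # TCP flags as letters: S=SYN, A=ACK, R=RST
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def detect_ping_sweep(flows: List[Flow], min_hosts: int = 5) -> List[str]:
    """One source probing many distinct hosts with ICMP echo, TCP SYN or UDP."""
    targets = defaultdict(set)
    for f in flows:
        is_probe = ((f.proto == "icmp" and f.icmp_type == 8)
                    or (f.proto == "tcp" and f.flags == "S")
                    or f.proto == "udp")
        if is_probe:
            targets[(f.src, f.proto)].add(f.dst)
    return sorted({src for (src, _), hosts in targets.items() if len(hosts) >= min_hosts})


def detect_half_open_scan(flows: List[Flow], min_ports: int = 5) -> List[Tuple[str, str]]:
    """SYNs to many ports on one host, every SYN/ACK answered by RST instead of ACK
    (the tcp.flags.syn==1 && tcp.flags.ack==1 replies, then tcp.flags.reset==1 from the scanner)."""
    syn_ports = defaultdict(set)
    synack = defaultdict(int)
    rst = defaultdict(int)
    ack_only = defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.flags == "S":
            syn_ports[(f.src, f.dst)].add(f.dport)
        elif f.flags == "SA":
            synack[(f.dst, f.src)] += 1     # keyed on the scanner -> target direction
        elif f.flags == "R":
            rst[(f.src, f.dst)] += 1
        elif f.flags == "A":
            ack_only[(f.src, f.dst)] += 1
    return sorted(pair for pair, ports in syn_ports.items()
                  if len(ports) >= min_ports and synack[pair] > 0
                  and rst[pair] >= synack[pair] and ack_only[pair] == 0)


def detect_udp_scan(flows: List[Flow], min_unreachable: int = 5) -> List[Tuple[str, str]]:
    """Many ICMP type 3 / code 3 (port unreachable) messages flowing back to one host."""
    counts = defaultdict(int)
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 3 and f.icmp_code == 3:
            counts[(f.dst, f.src)] += 1     # (probable scanner, target)
    return sorted(pair for pair, n in counts.items() if n >= min_unreachable)


# Constructed sample: 192.168.1.100 sweeps the subnet, then half-open and UDP scans
# 192.168.1.5; 192.168.1.50 is an admin pinging two hosts and opening one SSH session.
SCANNER, TARGET = "192.168.1.100", "192.168.1.5"
SAMPLE: List[Flow] = []
for i in range(1, 9):
    SAMPLE.append(Flow(SCANNER, f"192.168.1.{i}", "icmp", icmp_type=8, icmp_code=0))
for port in (21, 22, 23, 25, 80, 443):
    SAMPLE.append(Flow(SCANNER, TARGET, "tcp", "S", port))
    if port in (22, 80):                               # open: SYN/ACK, scanner tears down with RST
        SAMPLE.append(Flow(TARGET, SCANNER, "tcp", "SA"))
        SAMPLE.append(Flow(SCANNER, TARGET, "tcp", "R", port))
    else:                                              # closed: RST/ACK from the target
        SAMPLE.append(Flow(TARGET, SCANNER, "tcp", "RA"))
for port in (53, 67, 69, 123, 161, 500):
    SAMPLE.append(Flow(SCANNER, TARGET, "udp", dport=port))
    SAMPLE.append(Flow(TARGET, SCANNER, "icmp", icmp_type=3, icmp_code=3))
SAMPLE.append(Flow("192.168.1.50", "192.168.1.1", "icmp", icmp_type=8, icmp_code=0))
SAMPLE.append(Flow("192.168.1.50", "192.168.1.2", "icmp", icmp_type=8, icmp_code=0))
SAMPLE.append(Flow("192.168.1.50", TARGET, "tcp", "S", 22))
SAMPLE.append(Flow(TARGET, "192.168.1.50", "tcp", "SA"))
SAMPLE.append(Flow("192.168.1.50", TARGET, "tcp", "A", 22))

if __name__ == "__main__":
    print("ping sweep:", detect_ping_sweep(SAMPLE))
    print("half-open scan:", detect_half_open_scan(SAMPLE))
    print("udp scan:", detect_udp_scan(SAMPLE))
```

The thresholds are the tunable part: lowering min_hosts to 2 makes the admin's two pings look like a sweep, which is why the counts should be compared against a baseline for the network rather than fixed once.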

Password Cracking Attempts

Example of FTP password cracking attempts




ARP Spoofing


SQL-Injection attempts

Windows Logs

HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Event Log>


Linux Logs






Timestamp | Device ID | Message ID | Message Text

Dec 27 2021 16:28:03 | asa1: | %ASA-5-110008 |

The Message ID begins with %ASA, %PIX, or %FWSM, followed by the severity level.
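The following is an added example, not code from the original notes: a small parser for the ASA syslog layout described above (timestamp, device, %FACILITY-severity-number, text) that also filters by severity. The sample lines are constructed; apart from the 110008 shown above, the message numbers and all message texts are placeholders rather than real ASA messages, and the severity names are the standard syslog levels.

```python
# Added example (not part of the original notes): parser for the Cisco ASA syslog
# layout described above. The sample lines are constructed; message numbers other
# than 110008 and all message texts are placeholders, not real ASA messages.
import re
from typing import Dict, List, Optional

# <timestamp> <device>: %<facility>-<severity>-<message number>: <text>
ASA_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<device>\S+?):?\s+"
    r"%(?P<facility>ASA|PIX|FWSM)-(?P<severity>[0-7])-(?P<msgnum>\d{6}):?\s*"
    r"(?P<text>.*)$"
)

# Standard syslog severity names (0 is the most severe)
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}


def parse_asa_line(line: str) -> Optional[Dict[str, object]]:
    """Split one ASA/PIX/FWSM syslog line into its fields; None if it does not match."""
    m = ASA_RE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["severity"] = int(m.group("severity"))
    rec["severity_name"] = SEVERITY_NAMES[int(m.group("severity"))]
    return rec


def filter_by_severity(lines: List[str], max_level: int) -> List[Dict[str, object]]:
    """Keep parsed records at severity max_level or more severe (a lower number)."""
    out = []
    for line in lines:
        rec = parse_asa_line(line)
        if rec is not None and rec["severity"] <= max_level:
            out.append(rec)
    return out


# Constructed sample lines; the last one has no message ID and must be rejected.
SAMPLE_LINES = [
    "Dec 27 2021 16:28:03 asa1: %ASA-5-110008: example notification text (constructed)",
    "Dec 27 2021 16:28:05 fw-edge: %FWSM-4-000001: example warning text (constructed)",
    "Dec 27 2021 16:28:07 asa1: %ASA-6-000002: example informational text (constructed)",
    "Dec 27 2021 16:28:09 asa1: kernel: unrelated line with no message ID (constructed)",
]

if __name__ == "__main__":
    for rec in filter_by_severity(SAMPLE_LINES, 4):
        print(rec["timestamp"], rec["device"], rec["facility"], rec["severity_name"], rec["msgnum"])
```

Filtering on the numeric severity (everything at level 4 and below) is the usual first cut when triaging firewall logs, since the message number identifies the event type and the text varies per event.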

Attack Surface Mapper

OhPhish Phishing Simulation Framework –

SpeedPhish Framework (SPF) –

Lucy –

Phishing Frenzy –

Gophish –

Social-Engineering Toolkit (SET) –

infection monkey


AttackIQ –

CyCognito –

XM Cyber –

Picus Security –

SafeBreach –

Verodin –

WhatHaX –

malstrom –