Using Wireshark to Analyze nmap
Updated: Apr 23, 2020
When I teach or present, I typically get a question asking how I became proficient in protocol analysis and troubleshooting.
I explain that I think it boils down to two main categories; experience and practice. It’s interesting how closely related the two are. For example with experience, I can determine what areas I need to get more practice on. And with more practice, I get more comfortable troubleshooting and feel I can design or install equipment more efficiently.
Practice doesn’t need to be a formal 1 week class or even a 1 day exercise. When I think of practicing, all I need is my tool of choice and an opportunity to use it. Wireshark is a great example of a tool than can take years to get comfortable with and use effectively.
In this example I was playing with a LIVE CD of KALI linux distribution (https://livecdlist.com/kali-linux/) and more specifically the nmap command. I wondered what nmap did ‘on the wire’. So I simply started a capture with a capture filter for the target ip address (host 10.44.1.54) and reviewed the trace file.
I thought this would be a great opportunity to share how I would go through this trace file with tips, tricks and some protocol education along the way.