top of page

Using Wireshark to Analyze nmap

Updated: Apr 23, 2020

When I teach or present, I typically get a question asking how I became proficient in protocol analysis and troubleshooting.

I explain that I think it boils down to two main categories; experience and practice. It’s interesting how closely related the two are. For example with experience, I can determine what areas I need to get more practice on. And with more practice, I get more comfortable troubleshooting and feel I can design or install equipment more efficiently.

Practice doesn’t need to be a formal 1 week class or even a 1 day exercise. When I think of practicing, all I need is my tool of choice and an opportunity to use it. Wireshark is a great example of a tool than can take years to get comfortable with and use effectively.

In this example I was playing with a LIVE CD of KALI linux distribution ( and more specifically the nmap command. I wondered what nmap did ‘on the wire’. So I simply started a capture with a capture filter for the target ip address (host and reviewed the trace file.

I thought this would be a great opportunity to share how I would go through this trace file with tips, tricks and some protocol education along the way.



Recent Posts

See All
bottom of page