[SecViz] Source / Destination Confusion

Jan P. Monsch jan.monsch at iplosion.com
Mon Mar 30 13:34:58 EDT 2009


Hi Raffy,

Good point. However, in this case you do not have to worry about
source/destination port confusion because the system targeted with nmap does
not respond to the scan. Thus, in the packet capture there is only the
traffic from the scanner.

Kind regards
Jan


-----Original Message-----
From: secviz-visualization-bounces at secviz.org
[mailto:secviz-visualization-bounces at secviz.org] On Behalf Of Raffael Marty
Sent: Monday, 30 March 2009 18:32
To: secviz-visualization at secviz.org
Subject: [SecViz] Source / Destination Confusion

Jan, thanks for posting the portscan example in R on secviz.org:
http://www.secviz.org/content/nmap-scanning-behavior-visualized-r-project

Nice graphs and great method to create quick graphs. In your example,
aren't you running into the source/destination confusion? I think you
are. What I found to be a good solution is to either throw the pcaps
into argus and use racluster to stitch them together based on their
flow, or use tcpflow to do that.

Cheers

Raffael

--
Raffael Marty @zrlram
Chief Security Strategist @ Splunk>
Security Visualization: http://secviz.org raffy.ch/blog
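
The source/destination confusion discussed in this thread, as an added example that is not part of either post: a Python stand-in for the flow stitching that argus/racluster or tcpflow would perform, run over constructed packet tuples. The function names, the sample addresses and the rule that the first packet seen defines the initiator are assumptions of this example.

```python
# Constructed sample capture: (time, src_ip, src_port, dst_ip, dst_port).
# 10.0.0.5 is the scanner, 10.0.0.9 the target; two probes get a reply.
PACKETS = [
    (0.00, "10.0.0.5", 40001, "10.0.0.9", 22),
    (0.01, "10.0.0.9", 22, "10.0.0.5", 40001),   # reply: dst port is the scanner's source port
    (0.02, "10.0.0.5", 40002, "10.0.0.9", 80),
    (0.03, "10.0.0.9", 80, "10.0.0.5", 40002),   # reply
    (0.04, "10.0.0.5", 40003, "10.0.0.9", 443),  # no reply
]

# The same capture when the target never answers (only scanner traffic).
SCANNER_ONLY = [p for p in PACKETS if p[1] == "10.0.0.5"]


def naive_dest_ports(packets):
    """Per-packet view: every packet's dst_port counts as a destination port."""
    return sorted({p[4] for p in packets})


def stitch_flows(packets):
    """Merge both directions of a conversation into one flow record.

    Assumption: the first packet seen for an endpoint pair comes from the
    initiator. This fails if the capture starts mid-connection.
    """
    flows = {}
    for _ts, src, sport, dst, dport in sorted(packets):
        a, b = (src, sport), (dst, dport)
        key = (min(a, b), max(a, b))          # direction-independent key
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = {"initiator": a, "responder": b,
                                 "out": 0, "back": 0}
        if a == flow["initiator"]:
            flow["out"] += 1
        else:
            flow["back"] += 1
    return list(flows.values())


def flow_dest_ports(packets):
    """Destination ports after stitching: the responder side of each flow."""
    return sorted({f["responder"][1] for f in stitch_flows(packets)})


if __name__ == "__main__":
    print("per-packet :", naive_dest_ports(PACKETS))
    print("per-flow   :", flow_dest_ports(PACKETS))
    print("one-way    :", naive_dest_ports(SCANNER_ONLY))
```
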
