Collecting port scans -- "Ignore empty non-FIN packet"

tipene · October 25, 2016, 2:37pm

How can I collect the opening packet in a port scan (ie, the SYN before the handshake is completed) using Packetbeat?

I'm using pcap with bpf_filter to select all TCP/IP traffic from a variety of ports. Unfortunately this does not capture port scans. The explanation (when I ran packetbeat -d "*" ) is that the non-FIN (ie, SYN packet) is discarded:

decoder.go:179: DBG Ignore empty non-FIN packet

When I dump to a file using the -dump argument I do see the packets listed there, however, they are not submitted to ElasticSearch because they are discarded.

This is the configuration that I'm using:

interfaces:
device: any
type: pcap
snaplen: 1514
buffer_size_mb: 10
bpf_filter: "port 23 or port 2323 or port 6789"

tipene · October 25, 2016, 2:40pm

Example command line:

sudo packetbeat -c packetbeat_raw.yml -d "*" -dump /tmp/tcp-out

Output from tcpdump:

tcpdump -r /tmp/tcp-out -n
...
10:25:17.978102 IP 49.143.22.136.49387 > x.x.x.x.telnet: Flags [S], seq 758585095, win 60867, length 0
10:25:17.995765 IP x.x.x.x.telnet > 49.143.22.136.49387: Flags [R.], seq 0, ack 758585096, win 0, length 0

system · November 15, 2016, 2:37pm

This topic was automatically closed after 21 days. New replies are no longer allowed.