Nmap Scans

Nmap scans:

The most common Nmap scan types: TCP connect scans, SYN scans, UDP scans. Useful Wireshark display filters for spotting them (numeric tcp.flags value / equivalent flag-field form):

  • Global search: tcp / udp
  • Only SYN flag: tcp.flags == 2 / tcp.flags.syn == 1
  • Only ACK flag: tcp.flags == 16 / tcp.flags.ack == 1
  • Only SYN, ACK flags: tcp.flags == 18 / (tcp.flags.syn == 1) and (tcp.flags.ack == 1)
  • Only RST flag: tcp.flags == 4 / tcp.flags.reset == 1
  • Only RST, ACK flags: tcp.flags == 20 / (tcp.flags.reset == 1) and (tcp.flags.ack == 1)
  • Only FIN flag: tcp.flags == 1 / tcp.flags.fin == 1

TCP Connect Scans

  • Relies on the three-way handshake (needs to finish the handshake process).
  • Usually conducted with nmap -sT command.
  • Used by non-privileged users (only option for a non-root user).
  • Usually has a window size larger than 1024 bytes, as the request expects some data due to the nature of the protocol.
  • Open TCP Port (full handshake): SYN --> / <-- SYN,ACK / ACK -->
  • Open TCP Port (handshake then teardown): SYN --> / <-- SYN,ACK / ACK --> / RST,ACK -->
  • Closed TCP Port: SYN --> / <-- RST,ACK
  • This filter shows the TCP Connect scan patterns in a capture file: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024

SYN Scans

  • Doesn't rely on the three-way handshake (no need to finish the handshake process).
  • Usually conducted with nmap -sS command.
  • Used by privileged users.
  • Usually has a window size less than or equal to 1024 bytes, as the handshake is not finished and the request doesn't expect to receive data.
  • Open TCP Port: SYN --> / <-- SYN,ACK / RST -->
  • Closed TCP Port: SYN --> / <-- RST,ACK
  • This filter shows the TCP SYN scan patterns in a capture file: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024

UDP Scans

  • Doesn't require a handshake process.
  • No response from open ports.
  • ICMP error message from closed ports.
  • Usually conducted with nmap -sU command.
  • Open UDP Port: UDP packet --> (no reply)
  • Closed UDP Port: UDP packet --> / <-- ICMP Type 3, Code 3 message (Destination unreachable, port unreachable)
  • This filter shows the UDP scan patterns in a capture file: icmp.type==3 and icmp.code==3
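Added example (not part of the original notes): the three display filters above, for connect scans, SYN scans and UDP scans, applied in Python to constructed packet records of the kind you would get from a capture exported as JSON or CSV. The Packet fields and the label names are assumptions for this example, not Nmap or Wireshark identifiers.

```python
# Added example: classify packets using the three Wireshark filters from the notes.
from dataclasses import dataclass
from typing import Dict, List, Optional

SYN, RST, ACK = 0x02, 0x04, 0x10  # tcp.flags bit values (2, 4, 16 in the notes)


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp" (assumed field names)
    tcp_flags: int = 0         # raw tcp.flags value
    window_size: int = 0       # tcp.window_size
    icmp_type: int = -1        # icmp.type, -1 when not ICMP
    icmp_code: int = -1        # icmp.code, -1 when not ICMP


def classify(p: Packet) -> Optional[str]:
    """Return the scan pattern a single packet matches, or None."""
    if p.proto == "tcp":
        # tcp.flags.syn==1 and tcp.flags.ack==0
        syn_only = bool(p.tcp_flags & SYN) and not (p.tcp_flags & ACK)
        if syn_only and p.window_size > 1024:
            return "tcp-connect-scan"      # ... and tcp.window_size > 1024
        if syn_only and p.window_size <= 1024:
            return "syn-scan"              # ... and tcp.window_size <= 1024
    if p.proto == "icmp" and p.icmp_type == 3 and p.icmp_code == 3:
        return "udp-scan-closed-port"      # icmp.type==3 and icmp.code==3
    return None


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count how many packets match each scan pattern."""
    counts: Dict[str, int] = {}
    for p in packets:
        label = classify(p)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample packets, not taken from a real capture.
SAMPLE = [
    Packet("tcp", tcp_flags=SYN, window_size=64240),        # connect-scan style SYN
    Packet("tcp", tcp_flags=SYN, window_size=1024),         # SYN-scan style SYN
    Packet("tcp", tcp_flags=SYN | ACK, window_size=65535),  # server reply, ignored
    Packet("tcp", tcp_flags=RST | ACK, window_size=0),      # closed-port reply, ignored
    Packet("icmp", icmp_type=3, icmp_code=3),               # port unreachable
    Packet("udp"),                                          # probe itself, ignored
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The connect-scan filter also matches every ordinary client SYN, so in practice you group matches by source address and look for one source hitting many distinct destination ports rather than acting on single packets.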