I played a bit with nmap scans and argus to get a flow-wise graph:

tcpdump -i any -w scan2.pcap -n 'ip'

nmap 192.168.0.11

/usr/sbin/argus -r scan2.pcap -w - | ra -n > scan2.netflow

parsers/net/argus2picviz.pl scan2.netflow > scan2.pgdl

pcv -Tpngcairo scan2.pgdl -Rheatline > scan2-freq.png

Which gives this image: scan2-freq.png

Higher resolution available here.

Doing frequency analysis on this data is quite interesting:

  • We can see that nmap religiously scans the first 1024 ports
  • Among those 1024 ports, some are tested more than others, from the same source port (the red lines between the source port and dest port axes)
  • Some higher ports are tested several times from different source ports
  • The higher we get on the dest port axis, the more spread out the tested ports are
  • Some localhost tests are tried

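To make the same observations without the picture, here is an added example (my own script, not part of the original post or of argus/picviz) that reads flow records like the ones the argus | ra step produces and computes the frequencies the heat-line plot shows: which of the first 1024 ports were hit, which (source port, dest port) pairs recur, which dest ports were probed from several source ports, and the localhost flows. It also adds a plain per-source scan heuristic for the defender side. The sample records are constructed, and their column layout is an assumption modelled on ra's default columns (StartTime, Flgs, Proto, SrcAddr.Sport, Dir, DstAddr.Dport, TotPkts, TotBytes, State); adjust parse_flows if your ra output differs.

```python
"""Frequency analysis of flow records from an nmap scan capture.

Added example, not from the original post: models ra(1)-style flow lines
and computes the statistics the post reads off the picviz heat-line plot,
plus a simple per-source port-scan heuristic.
"""
from collections import Counter, defaultdict

# Constructed sample records (not captured from the post's scan). Column
# layout is an assumption modelled on ra's default output: StartTime Flgs
# Proto SrcAddr.Sport Dir DstAddr.Dport TotPkts TotBytes State.
FLOW_LINES = """\
10:21:03.112 e tcp 192.168.0.10.50812 -> 192.168.0.11.22 2 120 RST
10:21:03.113 e tcp 192.168.0.10.50812 -> 192.168.0.11.80 2 120 RST
10:21:03.114 e tcp 192.168.0.10.50812 -> 192.168.0.11.443 2 120 RST
10:21:03.115 e tcp 192.168.0.10.50812 -> 192.168.0.11.22 2 120 RST
10:21:03.116 e tcp 192.168.0.10.50813 -> 192.168.0.11.22 2 120 RST
10:21:03.117 e tcp 192.168.0.10.50814 -> 192.168.0.11.8080 2 120 RST
10:21:03.118 e tcp 192.168.0.10.50815 -> 192.168.0.11.8080 2 120 RST
10:21:03.119 e tcp 192.168.0.10.50816 -> 192.168.0.11.31337 2 120 RST
10:21:03.120 e tcp 192.168.0.10.50817 -> 192.168.0.11.1 2 120 RST
10:21:03.121 e tcp 192.168.0.10.50818 -> 192.168.0.11.1024 2 120 RST
10:21:03.122 e tcp 127.0.0.1.44001 -> 127.0.0.1.22 2 120 RST
10:21:04.000 e tcp 192.168.0.12.40000 -> 192.168.0.11.22 10 900 FIN
"""


def split_endpoint(token):
    """'192.168.0.11.22' -> ('192.168.0.11', 22); the port is the last dotted field."""
    addr, port = token.rsplit(".", 1)
    return addr, int(port)


def parse_flows(text):
    """Turn whitespace-separated flow lines into dicts; short lines are skipped."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        src, sport = split_endpoint(fields[3])
        dst, dport = split_endpoint(fields[5])
        flows.append({"time": fields[0], "proto": fields[2],
                      "src": src, "sport": sport, "dst": dst, "dport": dport,
                      "pkts": int(fields[6]), "bytes": int(fields[7]),
                      "state": fields[8]})
    return flows


def frequency_summary(flows):
    """The counts behind the bullets: low ports hit, recurring (sport, dport)
    pairs (the red lines), dports probed from several source ports, localhost."""
    dports = Counter(f["dport"] for f in flows)
    pairs = Counter((f["sport"], f["dport"]) for f in flows)
    sources_per_dport = defaultdict(set)
    for f in flows:
        sources_per_dport[f["dport"]].add(f["sport"])
    return {
        "low_ports_hit": sorted(p for p in dports if p <= 1024),
        "reused_pairs": {pair: n for pair, n in pairs.items() if n > 1},
        "multi_source_dports": {p: sorted(s) for p, s in sources_per_dport.items()
                                if len(s) > 1},
        "localhost_flows": sum(1 for f in flows
                               if f["src"].startswith("127.") or f["dst"].startswith("127.")),
    }


def detect_scanners(flows, min_distinct_ports=5, max_pkts_per_flow=3):
    """Heuristic (added here, not from the post): flag a (src, dst) pair that
    touches many distinct dest ports with tiny flows. A real session carries
    more packets; a probe is a couple of packets per port."""
    probes = defaultdict(set)
    for f in flows:
        if f["pkts"] <= max_pkts_per_flow:
            probes[(f["src"], f["dst"])].add(f["dport"])
    return {k: len(v) for k, v in probes.items() if len(v) >= min_distinct_ports}


if __name__ == "__main__":
    flows = parse_flows(FLOW_LINES)
    for key, value in frequency_summary(flows).items():
        print(key, value)
    print("scanners", detect_scanners(flows))
```

To run it on a real capture, pipe the post's pipeline into it (argus -r scan2.pcap -w - | ra -n) and feed the text to parse_flows instead of FLOW_LINES; the thresholds in detect_scanners are deliberately low for the sample and should be tuned against normal traffic on your own network.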
Ah and by the way, a lot of Picviz news will arrive in January 2009, stay tuned!