To detect UDP scan attempts in Wireshark, use the filter 'icmp.type==3 and icmp.code==3', which indicates that a UDP packet was sent to a closed port. Other options provided do not specifically relate to UDP scans. This filter allows you to see the responses indicating unreachable ports from the scanning activity.
To use Wireshark to detect UDP scan attempts, we need to understand how these scans work. Attackers use UDP scans to find open UDP ports on a target system. Unlike TCP, which uses the three-way handshake to establish a connection, UDP is connectionless, which makes UDP scans harder to detect. However, if a UDP packet is sent to a closed port, most systems will reply with an ICMP packet, specifically an ICMP Type 3 message with Code 3, which indicates 'Destination Unreachable: Port Unreachable'.
Given the options:
Option A: icmp.type==13 is used for timestamp requests and does not relate to detecting UDP scans.
Option B: icmp.type==8 or icmp.type==0 relates to ICMP echo requests and replies, commonly used in ping operations, not UDP scans.
Option C: icmp.type==15 indicates information request, which is not used in the context of detecting UDP scans.
Option D: icmp.type==3 and icmp.code==3 is tailored to detect ICMP destination unreachable messages specifically due to 'Port Unreachable', which is a common response when probing closed UDP ports during a UDP scan.
Therefore, the correct option to detect UDP scan attempts using Wireshark is Option D: icmp.type==3 and icmp.code==3. This filter helps identify when a target host responds to a UDP scan by sending back ICMP messages, which is a common sign that someone might be scanning for open UDP ports.
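The following is an added example, not part of the original answer: it applies the same test as the filter (ICMP type 3, code 3) to raw IPv4 packets and goes one step further by reading the UDP header that the ICMP error quotes, so replies can be grouped by the host that sent the probes. The packets, the addresses and the `min_ports` threshold are constructed assumptions for illustration; a single port-unreachable reply also occurs in normal traffic, which is why the grouping counts distinct ports.

```python
import socket
import struct
from collections import defaultdict

def ipv4_header(src, dst, proto, payload_len):
    # Constructed 20-byte IPv4 header; checksum left at 0 for the sample data.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_port_unreachable(scanner, target, dport, sport=40000):
    # Reply from a closed port: ICMP type 3 code 3 quoting the probe's
    # IPv4 header plus its first 8 bytes (the UDP header).
    quoted = ipv4_header(scanner, target, 17, 8) + struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ipv4_header(target, scanner, 1, len(icmp)) + icmp

def parse_port_unreachable(pkt):
    """Return (scanner_ip, target_ip, udp_dport), or None when the filter would not match."""
    if len(pkt) < 20 or pkt[9] != 1:                      # too short, or not ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 or (pkt[ihl], pkt[ihl + 1]) != (3, 3):  # icmp.type==3 and icmp.code==3
        return None
    quoted = pkt[ihl + 8:]                                # quoted header of the original probe
    q_ihl = (quoted[0] & 0x0F) * 4 if len(quoted) >= 20 else 0
    if not q_ihl or len(quoted) < q_ihl + 4 or quoted[9] != 17:   # probe must be UDP
        return None
    dport = struct.unpack_from("!H", quoted, q_ihl + 2)[0]
    return socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20]), dport

def find_udp_scanners(packets, min_ports=5):
    """Map (scanner, target) -> sorted closed ports, kept when >= min_ports distinct ports."""
    seen = defaultdict(set)
    for pkt in packets:
        hit = parse_port_unreachable(pkt)
        if hit:
            seen[(hit[0], hit[1])].add(hit[2])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

# Constructed sample traffic (documentation addresses, not from a real capture).
SAMPLE = [build_port_unreachable("192.0.2.10", "198.51.100.5", p) for p in range(53, 61)]
SAMPLE.append(build_port_unreachable("192.0.2.77", "198.51.100.5", 123))  # one stray reply
SAMPLE.append(ipv4_header("192.0.2.10", "198.51.100.5", 1, 8) + struct.pack("!BBHI", 8, 0, 0, 0))  # ping

if __name__ == "__main__":
    for (scanner, target), ports in find_udp_scanners(SAMPLE).items():
        print(f"{scanner} probed {len(ports)} closed UDP ports on {target}: {ports}")
```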