Creating Packet Traces of Nessus Scans

Nessus 3 UNIX scanners have the ability to save all of their generated packets as a convenient libpcap-compatible file. This means you can save your scans and view them under applications such as tcpdump or Wireshark.

Having a network trace can greatly assist in diagnosing your environment as well as what Nessus is attempting. Tenable's support group often encounters customers who are scanning hosts that are firewalled, or that are being screened by an intrusion prevention system which spoofs responses. Having exact packet logs of what occurred on the wire makes it much easier to explain the results.

When new devices are encountered, a packet dump of what happened is very useful for sending information to Tenable's research group. This helps our team write better plugins from the exact bytes and responses being seen in the wild.

Saving a packet dump is also a good way to "prove" that a system was scanned. Text reports can easily be manipulated. A trace of thousands of network connections, three-way handshakes and protocol-specific exchanges can also be faked, but doing so requires much more effort.
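The two uses above, diagnosing a firewalled or IPS-screened target and checking that a trace really contains completed connections, both come down to reading the libpcap file and tallying what each target port did in response to the scanner's SYNs. The script below is an added example and is not Nessus code or part of the original post: it parses the libpcap format directly (no scapy or tcpdump needed), counts per target port the SYNs sent, SYN/ACK and RST replies received, and three-way handshakes the scanner completed, and turns that into a verdict. The scanner and target addresses, port numbers and the packets themselves are constructed sample data; a real capture would be read from disk in place of `SAMPLE_PCAP`.

```python
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def parse_pcap(data):
    """Yield raw frames from an in-memory libpcap (Ethernet link type) file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:      # file written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:    # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24                     # global header is 24 bytes
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16                # per-record header is 16 bytes
        yield data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                    # IPv4, protocol TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(ip[12:16]), dotted(ip[16:20]), sport, dport, tcp[13]


def summarize_scan(data, scanner_ip):
    """Per (target_ip, port): SYNs sent by the scanner, SYN/ACK and RST replies, completed handshakes."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0, "handshake": 0})
    pending = set()   # targets that sent SYN/ACK and await the scanner's final ACK
    for frame in parse_pcap(data):
        f = tcp_fields(frame)
        if f is None:
            continue
        src, dst, sport, dport, flags = f
        if src == scanner_ip:
            key = (dst, dport)
            if flags & TCP_SYN and not flags & TCP_ACK:
                stats[key]["syn"] += 1
            elif flags & TCP_ACK and not flags & (TCP_SYN | TCP_RST) and key in pending:
                stats[key]["handshake"] += 1     # third leg of the handshake
                pending.discard(key)
        elif dst == scanner_ip:
            key = (src, sport)
            if flags & TCP_SYN and flags & TCP_ACK:
                stats[key]["synack"] += 1
                pending.add(key)
            elif flags & TCP_RST:
                stats[key]["rst"] += 1
    return dict(stats)


def port_verdicts(data, scanner_ip):
    """Turn the counters into what the trace actually proves about each port."""
    verdicts = {}
    for key, s in summarize_scan(data, scanner_ip).items():
        if s["handshake"]:
            verdicts[key] = "open (handshake completed)"
        elif s["synack"]:
            verdicts[key] = "SYN/ACK seen but never ACKed"
        elif s["rst"]:
            verdicts[key] = "closed (RST)"
        else:
            verdicts[key] = "no reply (filtered or dropped)"
    return verdicts


# --- constructed sample capture (not a real Nessus trace) ---------------------
def build_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero since nothing validates them here."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, fr in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(fr), len(fr)) + fr)
    return b"".join(out)


SCANNER, TARGET = "10.0.0.5", "10.0.0.20"   # assumed addresses
SAMPLE_PCAP = build_pcap([
    build_frame(SCANNER, TARGET, 40001, 22, TCP_SYN),              # port 22: full handshake
    build_frame(TARGET, SCANNER, 22, 40001, TCP_SYN | TCP_ACK),
    build_frame(SCANNER, TARGET, 40001, 22, TCP_ACK),
    build_frame(SCANNER, TARGET, 40001, 22, TCP_RST | TCP_ACK),
    build_frame(SCANNER, TARGET, 40002, 23, TCP_SYN),              # port 23: closed
    build_frame(TARGET, SCANNER, 23, 40002, TCP_RST | TCP_ACK),
    build_frame(SCANNER, TARGET, 40003, 8080, TCP_SYN),            # port 8080: silently dropped
    build_frame(SCANNER, TARGET, 40003, 8080, TCP_SYN),
])

if __name__ == "__main__":
    for key, verdict in sorted(port_verdicts(SAMPLE_PCAP, SCANNER).items()):
        print(f"{key[0]}:{key[1]:<5} {verdict}")
```

A port that shows SYN/ACKs but never a completed handshake, or RSTs arriving with a different TTL than the target's real replies, is the pattern to look for when an IPS is spoofing responses; a port with repeated SYNs and nothing back is what a silent firewall drop looks like, which is why the report alone cannot distinguish "closed" from "screened".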


Nessus Data feeds into IDS Testing

This is a great feature, as I can use the packet captures and feed those into SNORT and see which signatures would trigger ;)
