Glossary

Detecting Port Scans:

Look for a single source IP sending SYN packets to many different ports on a single destination.

- Filter: `tcp.flags.syn == 1 && tcp.flags.ack == 0`
- A rapid succession of SYN packets to sequential or random ports is a clear indicator of scanning.
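The rule above can be applied to parsed packet records, as in this added example (not part of the original glossary entry). The 5-second window, the 10-port threshold and the record layout are assumptions, and the sample traffic is constructed using documentation address ranges.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10      # TCP flag bits
WINDOW_SECONDS = 5.0       # assumed tuning value: what counts as "rapid"
PORT_THRESHOLD = 10        # assumed tuning value: what counts as "many ports"

def is_bare_syn(flags):
    """Same test as the filter: SYN set, ACK clear."""
    return bool(flags & SYN) and not flags & ACK

def detect_port_scans(packets, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """packets: (ts, src, dst, dport, flags) tuples sorted by timestamp.
    Returns {(src, dst): peak distinct destination ports within one window}
    for every pair that reaches the threshold."""
    recent = defaultdict(deque)          # (src, dst) -> deque of (ts, dport)
    alerts = {}
    for ts, src, dst, dport, flags in packets:
        if not is_bare_syn(flags):
            continue
        q = recent[(src, dst)]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # drop SYNs older than the window
            q.popleft()
        distinct = len({port for _, port in q})
        if distinct >= threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), distinct)
    return alerts

def sample_packets():
    """Constructed sample traffic, not a real capture."""
    pkts = []
    # 192.0.2.10: bare SYNs to 20 sequential ports in under 2 seconds
    for i in range(20):
        pkts.append((100.0 + i * 0.1, "192.0.2.10", "198.51.100.5", 20 + i, SYN))
    # 192.0.2.20: ordinary client, many connections but always to port 443
    for i in range(30):
        pkts.append((100.0 + i * 0.1, "192.0.2.20", "198.51.100.5", 443, SYN))
    # Server SYN/ACK replies to many client ports: excluded by the ACK test
    for i in range(20):
        pkts.append((100.05 + i * 0.1, "198.51.100.5", "192.0.2.20", 50000 + i, SYN | ACK))
    # 192.0.2.30: 12 ports, one every 6 seconds, so never a rapid succession
    for i in range(12):
        pkts.append((100.0 + i * 6.0, "192.0.2.30", "198.51.100.5", 8000 + i, SYN))
    return sorted(pkts)

if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(sample_packets()).items():
        print(f"possible scan: {src} -> {dst}, {n} distinct ports in {WINDOW_SECONDS}s")
```

Keying on the (source, destination) pair and counting distinct ports, rather than raw SYN volume, keeps a busy client that reconnects to one service from being flagged.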
