A connection is a link between a device and a destination through the use of network resources. There are two types of connections depending on the transport protocol used for communication:
- TCP: The connection has a status.
- UDP: The connection is stateless.
For TCP connections, the link between device and destination does not need to be fully established for Nexthink to record the connection. For UDP connections, it is not possible to know whether the connection was established, because of the stateless nature of the protocol. Thus, for any protocol, every connection attempt that Nexthink detects is recorded in the Nexthink database, whether or not the connection is successful.
Some repetitive short-lived connections are automatically grouped into one single aggregated connection when some sort of scanning is detected:
- Network scan: A repeated attempt to connect to the same port on several destinations.
- Port scan: A repeated attempt to connect to different ports on the same destination.
Network and port scans can be launched by legitimate processes, but they may also indicate the existence of malicious activity in your network. Scanning communication ports in one or several machines is a widely used method to detect vulnerabilities in computer networks.
Only connections using the same transport protocol may be grouped into a single scan connection. Thus, there are four types of scan connections:
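| Protocol \ Type | Network scan     | Port scan     |
|-----------------|------------------|---------------|
| TCP             | TCP network scan | TCP port scan |
| UDP             | UDP network scan | UDP port scan |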
See Network and port scan conditions to find out when Nexthink regards a set of TCP and UDP connections as a scanning operation.
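The grouping rule described above can be sketched as follows. This is an added example, not Nexthink code: the threshold of 5, the record layout and the sample connections are assumptions, and the time window that a real implementation would apply to short-lived connections is left out.

```python
from collections import defaultdict

# Assumed threshold: the page does not give Nexthink's real scan conditions.
SCAN_THRESHOLD = 5

# Constructed sample records: (source device, protocol, destination, port).
CONNECTIONS = (
    [("dev1", "TCP", f"10.0.0.{i}", 445) for i in range(1, 8)]     # one port, 7 destinations
    + [("dev2", "UDP", "10.0.0.9", p) for p in range(5000, 5006)]  # 6 ports, one destination
    + [("dev3", "TCP", "10.0.0.20", 443), ("dev3", "TCP", "10.0.0.21", 443)]
    + [("dev3", "UDP", "10.0.0.53", 53)]
)


def aggregate(connections, threshold=SCAN_THRESHOLD):
    """Group repetitive connections into scan connections; return (scans, singles)."""
    by_port = defaultdict(set)  # (device, protocol, port) -> destinations contacted
    by_dest = defaultdict(set)  # (device, protocol, destination) -> ports contacted
    for dev, proto, dest, port in connections:
        # The protocol is part of both keys, so TCP and UDP are never mixed.
        by_port[(dev, proto, port)].add(dest)
        by_dest[(dev, proto, dest)].add(port)

    scans = []
    for (dev, proto, port), dests in by_port.items():
        if len(dests) >= threshold:  # same port on several destinations
            scans.append({"device": dev, "type": f"{proto} network scan",
                          "port": port, "destinations": len(dests)})
    for (dev, proto, dest), ports in by_dest.items():
        if len(ports) >= threshold:  # different ports on the same destination
            scans.append({"device": dev, "type": f"{proto} port scan",
                          "destination": dest, "ports": len(ports)})

    def in_scan(dev, proto, dest, port):
        return (len(by_port[(dev, proto, port)]) >= threshold
                or len(by_dest[(dev, proto, dest)]) >= threshold)

    # Connections that belong to no scan stay as individual records.
    singles = [c for c in connections if not in_scan(*c)]
    return scans, singles


if __name__ == "__main__":
    scans, singles = aggregate(CONNECTIONS)
    for scan in scans:
        print(scan)
    print(len(singles), "connections left ungrouped")
```

Because the protocol is part of each grouping key, three TCP and three UDP attempts to the same port never add up to one scan connection, which matches the four scan types in the table.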