# Network and port scan conditions (classic)

The Nexthink solution identifies a set of connections as a network or port scan when the following conditions are met:

* A single process starts all the connections.
* There are 90 seconds or less between each connection.
* The set of connections contains at least 50 connections.
* The set of connections only contains failed connections.

The reason to include the last condition is that a scan operation does not usually complete the vast majority of its connection attempts. Since a scan tests every port or destination, the system rejects most of the connections. The way to express this last condition depends on the transport protocol of the connection. In the case of TCP, the status of the connection directly shows whether the connection failed or not. In the case of UDP, however, there is no clear status of the connection. Therefore, Nexthink suspects a UDP scan when many small UDP packets are sent in a short period of time:

**TCP**\
All connections in the set are unsuccessful.

**UDP**\
The size of each packet sent is less than 10 KB.\
The total duration of the whole scan is less than 15 minutes.

To summarize, this is the list of all the types of network and port scans that you can find:

**TCP network scan**\
A process launches a burst of unsuccessful TCP connections to the same port of at least 50 destinations.

**UDP network scan**\
A process sends a burst of small UDP datagrams to the same port of at least 50 destinations within 15 minutes.

**TCP port scan**\
A process launches a burst of unsuccessful TCP connections to at least 50 ports on the same destination.

**UDP port scan**\
A process sends a burst of small UDP datagrams to at least 50 ports on the same destination within 15 minutes.<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.nexthink.com/platform/references/references-classic/database-information-and-organization-classic/network-and-port-scan-conditions-classic.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.