NFC was written for the Network Forensics Contest #4 (well actually for #1, but wasn't released then and was tweaked specifically for contest #4).  

Use at own risk, blah, blah, blah.  If you want/need more info than this on what it does in the background, let me know.  xnih@cableone.net

To Use:
Double click in the PCAP File edit window, pick a pcap file.
Click Start

What all it does:  (chunk of Delphi code)

      if tcpflags = 'SA' then
        OpenPorts.Add(sl.Strings[x])
      else if tcpflags = 'RA' then
        ClosedPorts.Add(sl.Strings[x])
      else if tcpflags = 'R' then
        UnfilteredPorts.Add(sl.Strings[x])
      else if (tcpflags = 'A') and (tcpoptions = '') then
        ACKScan.Add(sl.Strings[x])
      else if tcpflags = '' then
        NullScan.Add(sl.Strings[x])
      else if tcpflags = 'FPU' then
        XMASScan.Add(sl.Strings[x])
      else if tcpflags = 'S' then
        begin
          if tcpoptions = 'M1460:.' then
            SynScan.Add(sl.Strings[x])
          else //tcpoptions are going to be OS specific, so doing catch all for now
            ConnectScan.Add(sl.Strings[x]);
        end;


First we look for any TCP packets with the SA flags, any we find we flag as open ports.
We then look for any TCP packets with the RA flags, any we find we flag as closed ports.
R flag = Unfiltered
A flag AND tcpoptions NULL are from an ACK scan
NULL flag = Null Scan
FPU flags = XMAS Scan

Now differentiating between a Syn Scan and a Connect scan.  NMAP recommends using a Syn Scan, this way it has control over it, where if you do a Connect Scan it is left up to the OS.  A Syn Scan sends packets with tcpoptions of 'M1460:.' based on how I passively fingerprint in Satori, where a connect scan is going to be OS specific and may have quite a few other pieces in the tcpoptions.  

Parse through all the info and you'll get something like this:
---------------------------------------
Types of Scans and General Info
---------------------------------------
SYN Scan info: 
	Start Time: 2010-02-02 17:43:10 Packet #: 6728
	End Time: 2010-02-02 17:44:03 Packet #: 13525
	System(s) appearing to do SYN Scans: 
		10.42.42.253=3745
	System(s) appearing to be SYN Scanned: 
		10.42.42.25=1745
		10.42.42.56=1000
		10.42.42.50=1000

Connect Scan info: 
	Start Time: 2010-02-02 17:34:06 Packet #: 1
	End Time: 2010-02-02 17:44:12 Packet #: 13620
	System(s) appearing to do Connect Scans: 
		10.42.42.253=3670
		10.42.42.25=12
	System(s) appearing to be Connect Scanned: 
		10.42.42.50=1024
		10.42.42.56=1003
		10.42.42.25=1655

XMAS Scan info: 
	Start Time: 2010-02-02 17:44:10 Packet #: 13599
	End Time: 2010-02-02 17:44:13 Packet #: 13624
	System(s) appearing to do XMAS Scans: 
		10.42.42.253=4
	System(s) appearing to be XMAS Scanned: 
		10.42.42.56=2
		10.42.42.25=1
		10.42.42.50=1

NULL Scan info: 
	Start Time: 2010-02-02 17:44:10 Packet #: 13597
	End Time: 2010-02-02 17:44:10 Packet #: 13597
	System(s) appearing to do NULL Scans: 
		10.42.42.253=1
	System(s) appearing to be NULL Scanned: 
		10.42.42.50=1

---------------------------------------
Summary
---------------------------------------
List of Possible NMAP Scanning machines (and number of ports scanned):
	10.42.42.25=12
	10.42.42.253=7420

List of Possible Machines Scanned by NMAP System (and number of ports scanned):
	10.42.42.25=3401
	10.42.42.50=2025
	10.42.42.56=2005

Systems with Open Ports: 
	10.42.42.50 - 135/tcp
	10.42.42.50 - 139/tcp

Systems with Unfiltered Ports: 
	10.42.42.25 - 1/tcp
	10.42.42.253 - 36020/tcp
	10.42.42.253 - 36119/tcp
	10.42.42.253 - 36120/tcp
	10.42.42.253 - 36121/tcp
	10.42.42.253 - 36122/tcp
	10.42.42.253 - 36123/tcp
	10.42.42.253 - 36124/tcp
	10.42.42.253 - 36131/tcp
	10.42.42.253 - 36134/tcp
	10.42.42.50 - 1/tcp
	10.42.42.50 - 135/tcp
	10.42.42.56 - 1/tcp

Systems with Closed Ports: 
	10.42.42.25=2003 Port(s) not Shown
	10.42.42.253=2 Port(s) not Shown
	10.42.42.50=2000 Port(s) not Shown
	10.42.42.56=2005 Port(s) not Shown


There could be false positives in there about systems doing different scans since previous connection state isn't tracked or looked at.  Just using this as a quick and dirty to find out who's doing bad things and who they are looking at.