Description:

Answer 1 - A large number of packets with the SYN flag set are sent from the IP 10.42.42.253 to 3 different IP addresses. This is a clear indication that someone is trying to establish connections with services on the other IP addresses. While packets are also sent out from the other IP addresses, the numbers are nowhere near as large as those sent from 10.42.42.253. Hence this is Mr. X's IP address.

Answer 2 - A SYN (half/full) scan effectively means: I send a packet with the SYN flag set to the service I want to connect to. So if I send a packet to port 23 on your machine with the SYN flag set, I'm trying to connect to something running on port 23 of your machine. If something is listening there and sees this packet, it lets me know by sending back a packet with its own SYN (to connect to me) and an ACK saying it received what I sent. Once I get this SYN-ACK I know that I can:
a) Connect to you. I can choose to send back an ACK for your SYN if I want to send data and continue the conversation.
b) Send an RST, saying: fine, I'll connect later, but I now know you're open.
All of Mr. X's initial conversations fall into category (a), thus making it a TCP Connect (full) scan.

Answer 3 - Once you narrow down the IP address of Mr. X's scanner, check which addresses it has sent packets to. You find that he has sent large numbers of packets to 3 other IP addresses. These 3 are hence the IP addresses found; they are listed above.

Answer 4 - The first 6 hex digits of any MAC address reveal the manufacturer of the network card. Every IP address will have a corresponding MAC address (a bad way to put it, but easy while explaining ;) ). So if you look at one of the MAC addresses, it starts with the 6 characters 00:16:cb. Looking up the manufacturer who makes cards with these numbers on any site online, e.g. http://www.coffer.com/mac_find/?string=00:16:cb, reveals Apple Computer INC, hence proving this is the Apple system.
A point to note is that MACs can be spoofed, but considering that this machine is the target and not the attacking machine, it seems rather unlikely. Hence we can conclude that this is indeed the Apple machine.

Answer 6 - I got Answer 6 first, by looking at the ports open on the remote systems. If you look at which ports have responded with a SYN-ACK (as explained in Answer 2) to 10.42.42.253, you'll find just 2 unique responses, 135 and 139, both from 10.42.42.50. Considering that one system is an Apple system and the other system has not sent any SYN-ACKs back, we can conclude that this is the only system which seems to have any open ports.

Answer 5 - Apart from the reasoning in Answer 6, which clearly shows which is the Windows system, it's also a known fact that ports 135 and 139 are always open on a Windows system for the RPC and NetBIOS services. Hence we can safely assume that this is indeed the Windows system.
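The reasoning in Answers 1, 2, 3, 4 and 6 (loudest SYN source is the scanner, SYN-ACK responders are the open ports, ACK vs RST after the SYN-ACK decides connect vs half-open, OUI prefix gives the vendor) can be written as a small analysis over packet records. This is an added example, not part of the original write-up; the packet list and the one-entry OUI table are constructed sample data, not the real capture.

```python
# Added example: classify handshake activity from constructed packet records.
# Each record is (src_ip, src_port, dst_ip, dst_port, tcp_flags).
from collections import Counter

# Constructed sample packets (not the real capture). Scanner is 10.42.42.253.
PACKETS = [
    ("10.42.42.253", 40001, "10.42.42.50", 135, "S"),
    ("10.42.42.50", 135, "10.42.42.253", 40001, "SA"),
    ("10.42.42.253", 40001, "10.42.42.50", 135, "A"),   # full handshake
    ("10.42.42.253", 40002, "10.42.42.50", 139, "S"),
    ("10.42.42.50", 139, "10.42.42.253", 40002, "SA"),
    ("10.42.42.253", 40002, "10.42.42.50", 139, "A"),   # full handshake
    ("10.42.42.253", 40003, "10.42.42.50", 445, "S"),
    ("10.42.42.50", 445, "10.42.42.253", 40003, "RA"),  # closed port
    ("10.42.42.253", 40004, "10.42.42.25", 22, "S"),    # no answer
    ("10.42.42.253", 40005, "10.42.42.56", 80, "S"),    # no answer
    ("10.42.42.25", 50000, "10.42.42.253", 53, "S"),    # background noise
]

# Tiny constructed OUI table; the 00:16:cb entry is the one the write-up cites.
OUI_TABLE = {"00:16:cb": "Apple Computer INC"}

def syn_sources(packets):
    """Count pure-SYN packets per source IP (Answer 1: loudest source = scanner)."""
    return Counter(p[0] for p in packets if p[4] == "S")

def scan_targets(packets, scanner):
    """Distinct hosts the scanner sent SYNs to (Answer 3)."""
    return sorted({p[2] for p in packets if p[0] == scanner and p[4] == "S"})

def open_ports(packets, scanner):
    """(host, port) pairs that answered the scanner with SYN-ACK (Answer 6)."""
    return sorted({(p[0], p[1]) for p in packets if p[4] == "SA" and p[2] == scanner})

def scan_type(packets, scanner):
    """'connect' if the scanner ACKs SYN-ACKs, 'half-open' if it only RSTs (Answer 2)."""
    # Sockets on which the scanner received a SYN-ACK, keyed from the scanner's side.
    answered = {(p[2], p[3], p[0], p[1]) for p in packets if p[4] == "SA" and p[2] == scanner}
    acked = any(p[4] == "A" and (p[0], p[1], p[2], p[3]) in answered for p in packets)
    return "connect" if acked else "half-open"

def vendor(mac):
    """Look up the first three octets (OUI) of a MAC address (Answer 4)."""
    return OUI_TABLE.get(mac.lower()[:8], "unknown")

if __name__ == "__main__":
    scanner = syn_sources(PACKETS).most_common(1)[0][0]
    print(scanner, scan_targets(PACKETS, scanner), open_ports(PACKETS, scanner),
          scan_type(PACKETS, scanner), vendor("00:16:CB:AA:BB:CC"))
```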