Network scan sensing is a primary means to counteract cyber attacks. To this end, this paper focuses on the IP addressing and routing forwarding mechanism at the network layer, the TCP/UDP port status detection logic at the transport layer, and the service interaction protocol characteristics at the application layer within the TCP/IP protocol stack. It proposes and implements a low-cost, multi-threaded software scan sensing method with visualized results. This method integrates multi-source data analysis strategies including IP address traceability and target port access characteristics, and achieves accurate perception of port scanning behaviors through a dynamic threshold model and multi-dimensional risk assessment rules. Based on the perception of a certain range of ports in a specific region by this method from the 26th to the 28th, data analysis shows that under the preset abnormal judgment rules, abnormal scans account for 18.4%-19.1% of the total scan volume. The period from 22:00 to 24:00 every day is the peak period, with attacks concentrated on ports such as 443/TCP, 80/TCP, and 53/UDP, and attack sources showing geographical aggregation characteristics. From the above results, it can be concluded that port scanning behaviors have the common characteristics of concentration in time, ports, and attack sources.