Portscanning is a common activity of considerable importance.It is often used by computer attackers to characterize hosts or networks which they are considering hostile activity against. Thus it is useful for system administrators and other network defenders to detect portscans as possible preliminaries to a more serious attack. Thus it is of considerable interest to attackers to determine whether or not the defenders of a network are portscanning it regularly. A major difficulty with detecting these portscans on high-speed monitoring point is that the traffic volume on high speed links can be tens of gigabits per second and can contain millions of flow and high volume of traffic. This data set is sometimes too large for us. Fortunately, samplings a typical solution for this problem. So it is usually to employ a sampling method to reduce the data set first. There have been many alternative sampling methods. In this paper, we use a simple and appropriate sampling technique for portscan detection, which we call threshold sampling. It can select large prior to small ones. Meanwhile, it can control the resources consumed by adjusting the threshold. When portscans happen in a network, the attacker always sends flows with only one packet. We hope to pick out these flows applying threshold sampling. We need to select the small prior to big ones. we compute the reciprocal of each attribute as the new attribute. In a word, we employ a mapping from the old attribute to the new one. Then we can employ the sampling. With the reduced data set, we can detect ports scanners more easily and quickly. This is a good preparation for detecting ports can. Whatpsilas more, we introduce a new way to identify ports scanners. As the host which scan large number of different destination IP addresses and ports is probably a ports scanners, we can compute the entropy of each host, which reflect the distribution of its destination IP addresses and ports. The experimental results show that datum from the sample also can tell which hosts are port scanners accurately. We will see that the attackerspsila entropy for destination IP address is bigger than others clearly.