Re: port scanners/ICMP port unreachable

Dan Pollack (dpollack@nawc690.chinalake.navy.mil)
Tue, 28 Mar 1995 11:34:39 -0800 (PST)

Hi John,
> 	With the upcoming release of SATAN and the availability
> of programs such as strobe by Julian Assange (proff@suburbia.apana.org.au)
> I was wondering if anyone has created a sniffer that looks for
> ICMP port unreachables.
> 	I was figuring I could sniff the packets leaving my 
> network and look for ICMP port unreachables since it would be
> a dead giveaway that someone was trying to light up the TCP ports
> of one of our computers.
> 	I figure it shouldn't be too much work to write a quick program
> on top of libpcap to do this.  Has someone written a package like this?
> Is there a better way to watch for scans like this?  I sure don't want
> to have each computer listening to all ports and logging each
> connection.  /etc/inetd.conf from hell.  =)

You might want to give icmpinfo a try. It is a neat little program
that gives very good info on icmp traffic. You should be able to get
the latest version at hplyot.obspm.fr:/net/icmpinfo-*.tar.gz. You
might also look at http://www.obspm.fr/~dl/ which is the author's home
page and has a hypertext version of the man page.
			Later,
			  Dan-o
######################################################################
#           |Dan Pollack UNIX System Administrator, SAIC|            #
#              |dpollack@nawc690.chinalake.navy.mil|                 #
# The sea was angry that day my friend, like an old man trying to    #
# send back soup at a deli. - George Costanza                        #
######################################################################
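
The detection idea raised in this thread, as an added example (not code from either poster, and not how icmpinfo works): it parses IPv4 ICMP port-unreachable packets, reads the quoted original header to learn who sent the probe and to which port, and flags any remote address that caused refusals on many distinct ports. The function names, the threshold of 5 and the sample packets are assumptions made for illustration; capture (for example through libpcap) is left out, and the samples quote UDP probes because hosts normally answer closed UDP ports this way while closed TCP ports answer with a RST.

```python
import socket
import struct
from collections import defaultdict

def parse_port_unreachable(pkt):
    """Return (prober, target, proto, port) for an IPv4 ICMP port-unreachable, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:   # protocol 1 = ICMP
        return None
    if pkt[ihl] != 3 or pkt[ihl + 1] != 3:               # type 3, code 3
        return None
    inner = pkt[ihl + 8:]         # quoted original datagram: IP header + 8 bytes
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or len(inner) < inner_ihl + 4 or inner[9] not in (6, 17):
        return None
    # TCP and UDP both keep the destination port at offset 2 of their header.
    (port,) = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])
    return (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), inner[9], port)

def find_scanners(packets, threshold=5):
    """Map each remote address to its count of distinct (target, proto, port) refusals."""
    seen = defaultdict(set)
    for pkt in packets:
        hit = parse_port_unreachable(pkt)
        if hit:
            seen[hit[0]].add(hit[1:])
    return {ip: len(s) for ip, s in seen.items() if len(s) >= threshold}

# --- constructed sample traffic (checksums left at zero; the parser does not verify them) ---
def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def sample_unreachable(prober, target, port):
    quoted = _ipv4(prober, target, 17, struct.pack("!HHHH", 40000, port, 8, 0))
    return _ipv4(target, prober, 1, struct.pack("!BBHI", 3, 3, 0, 0) + quoted)

SAMPLE = [sample_unreachable("192.0.2.66", "10.0.0.5", p) for p in range(1, 21)]
SAMPLE.append(sample_unreachable("198.51.100.7", "10.0.0.5", 53))  # one stray refusal

if __name__ == "__main__":
    print(find_scanners(SAMPLE))
```

The prober address comes from the quoted header inside the ICMP payload, not from the outer packet, so the count still works when the sniffer sits on the link where the unreachables leave the network.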