From: Oliver Friedrichs <iceman@MBnet.MB.CA>
Subject: Re: port scanners/ICMP port unreachable
Date: Tue, 28 Mar 1995 21:08:51 -0600 (CST)

> On Tue, 28 Mar 1995, Dan Pollack wrote:
>
> icmpinfo only catches incoming icmp messages - in this case we're
> looking for outgoing port unreachable messages - to detect someone trying
> to connect to an invalid port.

I noticed that, then just went to a SunOS 4.1.3 machine with /dev/nit
and ran

    # etherfind -proto icmp

Works like a charm. Then just:

    # egrep unreach /var/tmp/icmp.scan
    ICMP from zeus.cs.uh.edu to UTKCS2.CS.UTK.EDU dst unreachable bad port
    ICMP from 192.40.201.3 to CS.UTK.EDU dst unreachable bad host

Pipe it through sort and it groups by originating hosts, etc...

--
Andrew E. B. Cowell <cowell@cs.utk.edu> | "And the mountainside opened, a
Sys Admin, Computer Science Department  | moment to pray for all the souls
The University of Tennessee, Knoxville  | he'd come to save...now he couldn't
WWW: http://www.cs.utk.edu/~cowell/     | save himself" [Legendary Pink Dots]
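
The grouping step described in the message, as an added example that is not part of the original post: it tallies "bad port" lines in the quoted output format per recipient of the ICMP reply and reports those at or above a threshold. The hostnames in the sample capture are constructed, and the function names and the threshold argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise "dst unreachable bad port" lines in the format
# quoted in the message. An ICMP port unreachable is sent back to the source
# of the datagram that hit a closed port, so the "to" host is the one that
# sent the probes.

# Constructed sample capture (placeholder hosts, not taken from the message).
sample_capture() {
cat <<'EOF'
ICMP from srv1.example.edu to probe.example.net dst unreachable bad port
ICMP from srv1.example.edu to probe.example.net dst unreachable bad port
ICMP from srv2.example.edu to probe.example.net dst unreachable bad port
ICMP from srv2.example.edu to PROBE.example.net dst unreachable bad port
ICMP from gw.example.edu to client.example.org dst unreachable bad host
ICMP from srv1.example.edu to client.example.org dst unreachable bad port
EOF
}

# summarize_unreach THRESHOLD   (reads capture lines on stdin)
# Prints "count recipient distinct_senders" for every recipient that drew at
# least THRESHOLD bad-port replies, highest count first.
summarize_unreach() {
    awk -v min="${1:-1}" '
        # Only well-formed bad-port lines; "bad host" and noise are skipped.
        $1 == "ICMP" && $2 == "from" && $4 == "to" && /dst unreachable bad port/ {
            src = tolower($3); dst = tolower($5)   # hostnames are case-insensitive
            count[dst]++
            if (!((dst, src) in seen)) { seen[dst, src] = 1; senders[dst]++ }
        }
        END {
            for (d in count)
                if (count[d] >= min)
                    print count[d], d, senders[d]
        }' | sort -k1,1nr -k2,2
}

# Recipients with 3 or more bad-port replies in the sample.
sample_capture | summarize_unreach 3
```

A high count spread over several distinct senders points at one host probing many machines; a high count from a single sender points at many ports tried on one machine.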