Netcat by itself does not probe for vulnerabilities, despite what various clueless media people have said about it. Read the README. Everything depends entirely on the script you wrap around it. The included "probe" script is just an example. If it's any help, the same idea is behind some of the SATAN backend tools -- a generic connection handler you can push whatever application-level data through and collect output. The construction of said data is handled externally. Detection can be done just like you'd do any other kind of detection. Looking for sequential port scans is probably the wrong approach, and can get very noisy. Rather, try deliberately setting up some known passive endpoints as traps and monitor for any traffic to those. [Definition of an "endpoint" left to the reader.] Of course if you want to tailor some of said traps to what the example script does, go for it. Never know what kind of ankle-biters might show up... _H*