> I was figuring I could sniff the packets leaving my
> network and look for ICMP port unreachables since it would be
> a dead giveaway that someone was trying to light up the TCP ports
> of one of our computers.
> I figure it shouldn't be too much work to write a quick program
> on top of libpcap to do this. Has someone written a package like this?
> Is there a better way to watch for scans like this? I sure don't want
> to have each computer listening to all ports and logging each
> connection. /etc/inetd.conf from hell. =)
>

Why not simply use a 'sane' implementation of ICMP class filtering,
such as offered in Cisco IOS 10.3, to simply block specific classes
of ICMP traffic?

Great taste, Less filling.

- paul

_______________________________________________________________________________
Paul Ferguson
US Sprint                          tel: 703.689.6828
Managed Network Engineering        internet: paul@hawk.sprintmrn.com
Reston, Virginia USA               http://www.sprintmrn.com
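The detection idea from the quoted message, as an added example that is not part of the original thread: it counts distinct closed ports per (prober, target) pair from outbound ICMP port-unreachable packets. It parses raw IPv4 bytes, as a capture library hands them over once the link-layer header is stripped, instead of calling libpcap; the function names, the threshold and the sample addresses are assumptions made for illustration.

```python
import socket
import struct
from collections import defaultdict

def parse_port_unreachable(pkt):
    """Return (prober, target, proto, dst_port) for an ICMP type 3 code 3 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:   # protocol 1 = ICMP
        return None
    if (pkt[ihl], pkt[ihl + 1]) != (3, 3):              # dest unreachable / port unreachable
        return None
    inner = pkt[ihl + 8:]          # quoted original IP header + first 8 bytes of its payload
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or len(inner) < inner_ihl + 4:
        return None
    dst_port = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    # Addresses come from the quoted header: its source is the host that sent the probe.
    return (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), inner[9], dst_port)

def find_probers(packets, threshold=5):
    """Map (prober, target) -> distinct closed ports hit, for pairs at or above threshold."""
    seen = defaultdict(set)
    for pkt in packets:
        hit = parse_port_unreachable(pkt)
        if hit:
            seen[hit[:2]].add(hit[2:])
    return {pair: len(ports) for pair, ports in seen.items() if len(ports) >= threshold}

def build_sample(prober, target, dst_port, proto=17):
    """Constructed test packet (checksums left zero; the parser does not verify them)."""
    ip = lambda src, dst, p, length: struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, 64, p, 0,
        socket.inet_aton(src), socket.inet_aton(dst))
    # Hosts normally answer a closed UDP port (protocol 17) with type 3 code 3.
    quoted = ip(prober, target, proto, 28) + struct.pack("!HHHH", 40000, dst_port, 8, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ip(target, prober, 1, 20 + len(icmp)) + icmp

# Constructed capture: one host probing 6 ports, one host with a single stray packet.
SAMPLE = [build_sample("192.0.2.10", "198.51.100.5", p) for p in (7, 9, 13, 19, 37, 69)]
SAMPLE.append(build_sample("192.0.2.77", "198.51.100.5", 53))

if __name__ == "__main__":
    for (prober, target), n in find_probers(SAMPLE).items():
        print(f"{prober} hit {n} closed ports on {target}")
```

Blocking outbound ICMP at the router, as the reply suggests, removes the packets this counter depends on, so the capture point has to sit on the inside of that filter.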