Hi John,

> With the upcoming release of SATAN and the availability
> of programs such as strobe by Julian Assange (proff@suburbia.apana.org.au)
> I was wondering if anyone has created a sniffer that looks for
> ICMP port unreachables.
> I was figuring I could sniff the packets leaving my
> network and look for ICMP port unreachables since it would be
> a dead giveaway that someone was trying to light up the TCP ports
> of one of our computers.
> I figure it shouldn't be too much work to write a quick program
> on top of libpcap to do this. Has someone written a package like this?
> Is there a better way to watch for scans like this? I sure don't want
> to have each computer listening to all ports and logging each
> connection. /etc/inetd.conf from hell. =)

You might want to give icmpinfo a try. It is a neat little program that
gives very good info on icmp traffic. You should be able to get the latest
version at hplyot.obspm.fr:/net/icmpinfo-*.tar.gz. You might also look at
http://www.obspm.fr/~dl/ which is the author's home page and has a hypertext
version of the man page.

Later,
Dan-o

######################################################################
# |Dan Pollack UNIX System Administrator, SAIC|                      #
# |dpollack@nawc690.chinalake.navy.mil|                              #
# The sea was angry that day my friend, like an old man trying to    #
# send back soup at a deli. - George Costanza                        #
######################################################################
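
The check described in the quoted question, watching for ICMP port unreachables leaving a network, as an added example that is not part of the original message and is not icmpinfo's code: it parses raw IPv4 packets for ICMP type 3 code 3 and groups the closed ports by the host that probed them. The function names, the threshold of 3 and the documentation-range addresses are assumptions, and the sample packets are constructed.

```python
import socket
import struct
from collections import defaultdict

def parse_port_unreachable(pkt):
    """Return (prober, target, dport) for an ICMP type 3 code 3 IPv4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:    # IPv4 carrying ICMP only
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 or icmp[0] != 3 or icmp[1] != 3:  # dest unreachable / port
        return None
    inner = icmp[8:]                  # quoted IP header of the datagram that triggered it
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None                   # malformed or truncated quote: no ports to read
    dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
    # The quoted source is the prober, the quoted destination is our own host.
    return socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), dport

def find_scanners(packets, threshold=3):
    """Map prober -> sorted distinct (target, port) misses, for probers at/above threshold."""
    seen = defaultdict(set)
    for pkt in packets:
        hit = parse_port_unreachable(pkt)
        if hit:
            seen[hit[0]].add((hit[1], hit[2]))
    return {p: sorted(s) for p, s in seen.items() if len(s) >= threshold}

def make_unreachable(target, prober, dport):
    """Constructed sample: target's port-unreachable reply to a UDP probe (checksums zeroed)."""
    def ip(src, dst, proto, payload):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst)) + payload
    probe = ip(prober, target, 17, struct.pack("!HHHH", 40000, dport, 8, 0))
    return ip(target, prober, 1, struct.pack("!BBHI", 3, 3, 0, 0) + probe[:28])

# Constructed traffic: one host missing four ports, another missing a single port.
SAMPLE = [make_unreachable("192.0.2.10", "198.51.100.7", p) for p in (7, 9, 13, 19)]
SAMPLE.append(make_unreachable("192.0.2.10", "203.0.113.5", 53))

if __name__ == "__main__":
    for prober, misses in find_scanners(SAMPLE).items():
        print(prober, "probed", misses)
```

The quoted eight bytes of the original datagram hold the source and destination ports for both UDP and TCP, so the same parse applies whichever protocol triggered the reply.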