On Tue, 28 Mar 1995, Paul Ferguson wrote:

> Actually, I did understand what he meant. My reply was to simply
> use a method to drop all ICMP traffic prior to entry.

Scenario: Someone attempts to open a TCP connection to host "secure" on port 3254 (or some other random number), where there is no service running. This person is attempting to scan the host looking for running services. Since there's nothing running on that port - "secure" will return an ICMP port unreachable packet. Our program is watching all traffic to and from "secure" and looking for outgoing ICMP port unreachable packets that meet our requirements. We now know that "Someone" has tried to connect to an invalid port.

- Oliver
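
The watcher described in the message above, sketched as an added example that is not part of the original post: it takes raw IPv4 packets, keeps only ICMP port unreachable (type 3, code 3) messages leaving the monitored host, and reads the prober's address and the probed port from the datagram header quoted inside the ICMP message. The address 192.0.2.10 for "secure", the prober 198.51.100.7 and all sample packets are constructed; the sample quotes a UDP probe, and the port fields sit at the same offsets for TCP.

```python
import struct
from ipaddress import IPv4Address

MONITORED = IPv4Address("192.0.2.10")   # assumed address of host "secure"

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header (checksum left 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, IPv4Address(src).packed,
                       IPv4Address(dst).packed) + payload

def parse_port_unreachable(packet, monitored=MONITORED):
    """Return (prober_ip, probed_port) if packet is an ICMP port unreachable
    sent by the monitored host, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1 or IPv4Address(packet[12:16]) != monitored:
        return None                       # not ICMP leaving the monitored host
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != 3 or icmp[1] != 3:
        return None                       # not type 3 (unreachable), code 3 (port)
    inner = icmp[8:]                      # quoted header of the offending datagram
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or len(inner) < inner_ihl + 4:
        return None                       # truncated quote: ports not recoverable
    if IPv4Address(inner[16:20]) != monitored:
        return None                       # quoted datagram was not addressed to us
    _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return str(IPv4Address(inner[12:16])), dport

# Constructed samples: 198.51.100.7 probes port 3254 and "secure" answers.
PROBE = ipv4("198.51.100.7", "192.0.2.10", 17,
             struct.pack("!HHHH", 40000, 3254, 8, 0))
REPLY = ipv4("192.0.2.10", "198.51.100.7", 1,
             struct.pack("!BBHI", 3, 3, 0, 0) + PROBE)
ECHO = ipv4("192.0.2.10", "198.51.100.7", 1, struct.pack("!BBHI", 0, 0, 0, 0))

if __name__ == "__main__":
    for pkt in (REPLY, ECHO, PROBE):
        print(parse_port_unreachable(pkt))
```
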