What does the icmp_time_exceeded event mean?

It's its own ICMP message (it indicates a datagram whose TTL expired, so
for example traceroute uses these) - it does not have any relationship to
other ICMPs timing out.


Hi Vern,

Isn't there a possibility (an event) to recognize ICMP requests dropped
by the firewall, like the event connection_attempt in the case of TCP?
For example, this would be useful to detect the Welchia worm, which scans
for victims via ICMP.


Quoting Vern Paxson <vern@icir.org>: