Content here removed by original poster. ---- See also: [fileevent] See also: [Port scanning in tcl] ---- [TP] 14Sep2005 If your purpose is to detect malicious scanners, perhaps make it somewhat painful for them, by leaving the socket open for a bit? Replace close $cid with: set some_pain [expr {60 * 1000}] after $some_pain [list close $cid] fileevent $cid writable {} Optimally, you wouldn't leave sockets open, chewing up resources. I once attended a talk by Marcus Ranum [http://www.ranum.com/] where he described changing kernel TCP code to send back the TCP handshake, but otherwise ignore the connection. No need to play fair with scanners. ([SS] I don't know what is the date of the Ranum's talk, btw I think I was one of the first to propose this a lot of time ago, see http://seclists.org/lists/bugtraq/1999/Jul/0150.html) ---- [SS] Another interesting approach can be to open tcpdump from Tcl and analyze the traffic. Btw port scanning detection is nearly useless, if the server is secured against known attacks to know that somebody is scanning you is not needed, if the server is insecure what to do if somebody is scanning you? To close all the services causing an auto-denial-of-service? ;) ---- [Category Application] | [Category Internet]