Loadsa ICMP...

Aug 13 18:35:58 permitted icmp 205.139.170.70 -> 192.41.177.255 (8/0), 9999 packets
Aug 13 18:35:58 permitted icmp 193.132.24.178 -> 192.41.177.255 (8/0), 8819 packets
Aug 13 18:36:38 permitted icmp 128.83.42.2 -> 192.41.177.255 (8/0), 225 packets
Aug 13 18:39:59 permitted icmp 134.115.226.26 -> 192.41.177.255 (8/0), 9051 packets
Aug 13 18:39:59 permitted icmp 194.128.134.47 -> 192.41.177.255 (8/0), 9327 packets
Aug 13 18:43:59 permitted icmp 149.112.125.54 -> 192.41.177.255 (8/0), 8722 packets

[ some others snipped out ]

Now if only Cisco's let you obtain a "src_hardware_addr" :frowning:

Lyndon Levesley
Xara Networks

[...]

Aug 13 18:43:59 permitted icmp 149.112.125.54 -> 192.41.177.255 (8/0), 8722 packets

  8/0 is 'echo request', according to trusty old
/usr/include/net_inet/ip_icmp.h (Solaris 2.5.1)

[ some others snipped out ]

Now if only Cisco's let you obtain a "src_hardware_addr" :frowning:

  doesn't the 'log-input' keyword log the input interface? at
the end of the access-list rule.

  or, copy the access-list to another access-list number, and
use different access-list numbers on different interfaces.

  (if you don't need the input interface at all, but the source
host, then some type of packet sniffing is the only way to go.. sorry
I can't help..)

  And here's something that I wrote up, it's an idea to stop
the flood...

"
  Policy routing is fast switched in the right IOS revs (I
think starting at 11.2(6)F). Your config would look something like
this:

!
access-list 101 permit icmp any any echo-reply
!
route-map KILLICMP permit 10
match ip-address 101
set interface Null0
!
!
interface hssi 5/1/0
ip policy route-map KILLICMP
ip route-cache policy
!

"

  Since denying on an ACL is process switched, and kills your router,
the goal is to make your router fast-switch the packet to /dev/null...
aka Null0.

  Thanks to Barry Raveendran Greene <bgreene@cisco.com> for this
one. I don't know for sure if it works, as I haven't had a chance
to try it, but if it does, let me know...