ICMP scans

Internet Control Message Protocol (ICMP) requests (Echo, Information, Timestamp, and Subnet Mask) are used to map network topology. Receipt of an ICMP request is classified as a normal, possibly suspicious, or very suspicious event. Any request sent to a multicast or broadcast address is treated as a very suspicious event. Echo requests (ping) and Timestamp requests are common and are treated as normal events when they do not include the IP Options for Record Packet Route or Record Timestamp. Events are classified by the first matching entry in Table 1:

Table 1. Classification of ICMP events
| Event | Destination address | Event classification |
|---|---|---|
| Receive any ICMP request (Echo, Information, Timestamp, or Subnet Mask) | Multicast or broadcast | Very suspicious |
| Receive any ICMP request that is denied by Quality of Service (QoS) policy | Unicast | Normal |
| Receive Information Request or Subnet Mask | Unicast | Possibly suspicious |
| Receive Echo Request with IP Option Record Route or Record Timestamp | Unicast | Possibly suspicious |
| Receive Echo Request or receive Timestamp Request | Unicast | Normal |
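
The first-match rule in Table 1 can be expressed as an ordered chain of checks. The following Python sketch is an added example, not code from the product this page documents; the IcmpEvent structure, the qos_denied flag, and the local_net parameter used to recognize a subnet broadcast address are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# ICMP request type numbers (RFC 792, RFC 950)
ECHO, TIMESTAMP, INFORMATION, SUBNET_MASK = 8, 13, 15, 17
REQUESTS = {ECHO, TIMESTAMP, INFORMATION, SUBNET_MASK}
# IP option type numbers (RFC 791)
RECORD_ROUTE, RECORD_TIMESTAMP = 7, 68


@dataclass
class IcmpEvent:                      # hypothetical event record
    icmp_type: int
    dst: str
    ip_options: frozenset = frozenset()
    qos_denied: bool = False          # assumption: set by the QoS policy layer


def is_multicast_or_broadcast(dst, local_net):
    """True for multicast, limited broadcast, or the local subnet broadcast."""
    addr = IPv4Address(dst)
    return (addr.is_multicast
            or addr == IPv4Address("255.255.255.255")
            or addr == IPv4Network(local_net).broadcast_address)


def classify(ev, local_net="192.0.2.0/24"):
    """Return the Table 1 classification; rows are tested top to bottom."""
    if ev.icmp_type not in REQUESTS:
        return None                   # not an ICMP request covered by Table 1
    # Row 1: any request to multicast or broadcast wins over everything else.
    if is_multicast_or_broadcast(ev.dst, local_net):
        return "very suspicious"
    # Row 2: a QoS-denied unicast request is normal, even for Information
    # or Subnet Mask requests, because this row precedes row 3.
    if ev.qos_denied:
        return "normal"
    # Row 3: Information Request or Subnet Mask.
    if ev.icmp_type in (INFORMATION, SUBNET_MASK):
        return "possibly suspicious"
    # Row 4: Table 1 lists the IP-option row for Echo Request only.
    if ev.icmp_type == ECHO and ev.ip_options & {RECORD_ROUTE, RECORD_TIMESTAMP}:
        return "possibly suspicious"
    # Row 5: remaining Echo and Timestamp requests.
    return "normal"
```

Row order matters: a Subnet Mask request that QoS policy denies is classified as normal by row 2 and never reaches row 3.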