Nachi Worm traffic against Honeynet

This graph was generated with psad (http://www.cipherdyne.org/psad/) running in --CSV mode against the iptables logfile distributed as part of the Scan34 Honeynet challenge (see http://www.honeynet.org/scans/scan34/). The graph shows 92-byte ICMP type 8 (echo request) packets directed against the Honeynet subnet 11.11.79.0/24. Echo requests of exactly this length are the scanning signature of the Nachi worm, so these packets are most likely associated with it (see http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_security_notice09186a00801b143a.html). Here is the specific command used to add the 92-byte search criterion:

# psad --CSV -m iptablessyslog --CSV-fields "src dst ip_len:92" --CSV-max 300 \
    --CSV-regex "PROTO=ICMP.*TYPE=8" | perl afterglow.pl -c color.properties | neato -Tgif -o nachi_worm.gif
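As an added example (not part of the original page, nor psad's own code), the extraction step of that pipeline reproduced in Python over constructed iptables log lines: keep only ICMP type 8 packets whose IP total length is 92 bytes and emit src,dst pairs in the two-column CSV form that afterglow draws. The log lines, hostnames and addresses below are constructed, not taken from the Scan34 logfile.

```python
import re

# Constructed iptables syslog lines (not from the Scan34 challenge logfile).
# Lines 1-3 are 92-byte echo requests; line 4 is an ordinary 84-byte ping,
# line 5 an echo reply (TYPE=0), line 6 a TCP SYN, all of which must be dropped.
SAMPLE_LOG = """\
Mar 11 03:25:11 hn kernel: IN=br0 OUT=br0 SRC=10.0.3.7 DST=11.11.79.67 LEN=92 TOS=0x00 PREC=0x00 TTL=110 ID=24563 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6149
Mar 11 03:25:11 hn kernel: IN=br0 OUT=br0 SRC=10.0.3.7 DST=11.11.79.68 LEN=92 TOS=0x00 PREC=0x00 TTL=110 ID=24564 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=6150
Mar 11 03:25:12 hn kernel: IN=br0 OUT=br0 SRC=10.0.9.21 DST=11.11.79.67 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=3112 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=2
Mar 11 03:25:13 hn kernel: IN=br0 OUT=br0 SRC=10.0.5.2 DST=11.11.79.70 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9001 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 11 03:25:14 hn kernel: IN=br0 OUT=br0 SRC=11.11.79.67 DST=10.0.3.7 LEN=92 TOS=0x00 PREC=0x00 TTL=64 ID=100 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=6149
Mar 11 03:25:15 hn kernel: IN=br0 OUT=br0 SRC=10.0.3.7 DST=11.11.79.80 LEN=60 TOS=0x00 PREC=0x00 TTL=110 ID=24570 PROTO=TCP SPT=1234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_line(line):
    """Split one iptables log line into its KEY=VALUE fields.
    The first occurrence of a key wins, so ID= is the IP header ID and not
    the ICMP echo identifier that appears later on the same line."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)
    return fields


def echo_request_edges(log_text, ip_len=92):
    """Return (src, dst) pairs for ICMP echo requests whose IP total length
    equals ip_len, the same filter as psad --CSV-fields "src dst ip_len:92"
    combined with --CSV-regex "PROTO=ICMP.*TYPE=8"."""
    edges = []
    for line in log_text.splitlines():
        f = parse_iptables_line(line)
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8" and f.get("LEN") == str(ip_len):
            edges.append((f["SRC"], f["DST"]))
    return edges


def to_afterglow_csv(edges):
    """Two-column source,target CSV, the input format afterglow.pl reads."""
    return "\n".join(f"{src},{dst}" for src, dst in edges)


def fanout_by_source(edges):
    """Distinct targets probed per source: a worm sweeping the /24 fans out
    across many hosts, while a legitimate ping touches one or two."""
    targets = {}
    for src, dst in edges:
        targets.setdefault(src, set()).add(dst)
    return {src: len(t) for src, t in targets.items()}
```

Running `to_afterglow_csv(echo_request_edges(SAMPLE_LOG))` yields the CSV that the page's pipeline feeds to afterglow and neato.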