🤖 AI Summary
This work addresses the limitations of traditional passive network measurement, which primarily focuses on inbound traffic and struggles to detect stealthy internal anomalies. The paper presents the first systematic approach that leverages erroneous outbound traffic—such as unanswered requests and ICMP error messages—as a lightweight yet highly informative data source. By conducting large-scale passive monitoring and correlation analysis, the method effectively identifies misconfigurations, deprecated services, and potentially compromised hosts within internal networks. Deployed in large-scale operational environments, this technique has uncovered a variety of previously undetected internal anomalies, substantially enhancing visibility into and detection capabilities for internal threats.
📝 Abstract
Passive measurement has traditionally focused on inbound traffic to detect malicious activity, based on the assumption that threats originate externally. In this paper, we offer a complementary perspective by examining outbound traffic, and argue that a narrow subset -- what we term erroneous outbound traffic -- is a lightweight and revealing, yet overlooked, data source for identifying a broad range of security threats and network problems. This traffic consists of packets sent by internal hosts that either receive no response, trigger ICMP errors, or are ICMP error messages themselves generated in response to unsolicited requests. To demonstrate its potential, we collect and analyse erroneous traffic from a large network, uncovering a variety of previously unnoticed issues, including misconfigurations, obsolete deployments and compromised hosts.
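The three categories named in the abstract can be recovered from an ordinary flow or packet trace by correlating each outbound request with whatever came back for it. The script below is an added illustration written for this summary, not code from the paper: it classifies a small constructed trace (RFC 5737 documentation addresses, an assumed internal prefix of 10.0.0.0/8, and an assumed 5-second reply window) into unanswered requests, requests that triggered an ICMP error, and ICMP errors that an internal host itself generated in reply to an unsolicited packet.

```python
"""Classify erroneous outbound traffic from a constructed packet trace.

Categories follow the abstract's definition:
  unanswered      - an internal host sent a request and nothing ever came back
  icmp_triggered  - an internal host's request provoked an ICMP error (type 3 or 11)
  icmp_generated  - an internal host itself emitted an ICMP error in response to an
                    unsolicited packet arriving from outside
"""
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal prefix (example only)
ICMP_ERROR_TYPES = {3, 11}                     # destination unreachable, time exceeded


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def flow_key(p):
    """5-tuple identifying a non-ICMP flow."""
    return (p["src"], p["dst"], p["proto"], p["sport"], p["dport"])


def reverse_key(k):
    src, dst, proto, sport, dport = k
    return (dst, src, proto, dport, sport)


def classify(packets, timeout=5.0):
    """Return {category: [finding, ...]}; each finding starts with the internal host."""
    packets = sorted(packets, key=lambda p: p["ts"])
    by_key = defaultdict(list)  # 5-tuple -> timestamps of packets on that flow
    for p in packets:
        if p["proto"] != "icmp":
            by_key[flow_key(p)].append(p["ts"])

    findings = {"unanswered": [], "icmp_triggered": [], "icmp_generated": []}
    triggered = set()
    # ICMP errors carry the offending packet's header; 'orig' is that embedded 5-tuple.
    for e in packets:
        if e["proto"] != "icmp" or e["icmp_type"] not in ICMP_ERROR_TYPES:
            continue
        orig = e["orig"]
        if is_internal(orig[0]) and not is_internal(orig[1]) and not is_internal(e["src"]):
            # Our request went out, and an external node answered with an error.
            triggered.add(orig)
            findings["icmp_triggered"].append((orig[0], orig, e["src"], e["icmp_type"], e["icmp_code"]))
        elif is_internal(e["src"]) and not is_internal(orig[0]) and is_internal(orig[1]):
            # Someone outside poked us unsolicited and we told them the port/host is closed.
            findings["icmp_generated"].append((e["src"], orig, e["icmp_type"], e["icmp_code"]))

    # Outbound requests that saw neither a reverse-direction packet nor an ICMP error.
    for k, stamps in by_key.items():
        if not (is_internal(k[0]) and not is_internal(k[1])) or k in triggered:
            continue
        replies = by_key.get(reverse_key(k), [])
        answered = any(0 <= r - s <= timeout for s in stamps for r in replies)
        if not answered:
            findings["unanswered"].append((k[0], k, len(stamps)))
    return findings


def pkt(ts, src, dst, proto, sport=None, dport=None, icmp_type=None, icmp_code=None, orig=None):
    return dict(ts=ts, src=src, dst=dst, proto=proto, sport=sport, dport=dport,
                icmp_type=icmp_type, icmp_code=icmp_code, orig=orig)


# Constructed trace (not real data): one healthy HTTPS flow, three DNS retries to a
# resolver that no longer exists, a connection to a closed port on an external host,
# an unsolicited SNMP probe from outside answered with port-unreachable, and a healthy SSH flow.
TRACE = [
    pkt(0.00, "10.0.0.5", "198.51.100.7", "tcp", 51000, 443),
    pkt(0.02, "198.51.100.7", "10.0.0.5", "tcp", 443, 51000),
    pkt(1.00, "10.0.0.8", "198.51.100.20", "udp", 40001, 53),
    pkt(2.00, "10.0.0.8", "198.51.100.20", "udp", 40001, 53),
    pkt(3.00, "10.0.0.8", "198.51.100.20", "udp", 40001, 53),
    pkt(4.00, "10.0.0.9", "198.51.100.30", "tcp", 52000, 8080),
    pkt(4.01, "198.51.100.30", "10.0.0.9", "icmp", icmp_type=3, icmp_code=3,
        orig=("10.0.0.9", "198.51.100.30", "tcp", 52000, 8080)),
    pkt(6.00, "203.0.113.9", "10.0.0.5", "udp", 40000, 161),
    pkt(6.001, "10.0.0.5", "203.0.113.9", "icmp", icmp_type=3, icmp_code=3,
        orig=("203.0.113.9", "10.0.0.5", "udp", 40000, 161)),
    pkt(7.00, "10.0.0.11", "198.51.100.40", "tcp", 53000, 22),
    pkt(7.50, "198.51.100.40", "10.0.0.11", "tcp", 22, 53000),
]

if __name__ == "__main__":
    for category, items in classify(TRACE).items():
        print(category)
        for item in items:
            print("   ", item)
```

In this trace the three DNS retries from 10.0.0.8 surface as an unanswered flow (the kind of signal that points at a decommissioned resolver still in a host's configuration), the connection from 10.0.0.9 is reported as ICMP-triggered, and the port-unreachable emitted by 10.0.0.5 is reported as ICMP-generated; the two answered flows produce nothing. On a real sensor the same correlation would run over exported flows, with the ICMP error's embedded header parsed from the packet rather than supplied as a tuple.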