Most of the traffic here has been introductions, which are all well and good, but yow, are we detecting any intruders yet? I'm going to throw out a couple of "things to watch for" on an IP link, and hope to see a lot more of it discussed.

I used to work at FTP Software, and used their net monitoring product with a bunch of configured filters [well, where a "bunch" maxes out at four] to watch for certain types of packets I was interested in. I'd leave several PCs running these "evil detectors", logging things matching their criteria to the disk for later perusal, and sometimes use "snoop" for more complex stuff. For instance:

Any NFS traffic coming from "outside".

Source routed packets. [ ip[0] != 0x45 ]

"Inside" machines answering "outside" TCP [i.e. outgoing ACK SYN], perhaps limited to high ports <--> high ports [good for finding muds, random X traffic, or that instant root shell backdoor someone left running on your Marketing server].

High UDP ports <--> high UDP ports [traceroute, FSP, ntalk [?]].

Transit traffic. [src and dst not for local network] May also indicate packet fakery going on.

Other people might have much more sophisticated gear by now, and can configure their firewall machines to log anything that violates their filtering policies. Would some folks possessing experience with this newer equipment care to pipe up about the things they've observed?

_H*
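Added example, not part of the original post: the five watch-list filters above written as one classifier over raw IPv4 packets. The tag names, NFS on port 2049, "high" meaning ports >= 1024, and the packet-building helpers are assumptions made for illustration.

```python
import ipaddress
import struct

NFS_PORT = 2049   # assumption: NFS on its usual port
HIGH = 1024       # assumption: "high" means non-privileged ports

def classify(pkt: bytes, inside: ipaddress.IPv4Network) -> list:
    """Return the watch-list tags that one raw IPv4 packet matches."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not-ipv4"]
    tags = []
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] != 0x45:                      # the post's ip[0] != 0x45 test
        tags.append("ip-options")           # options present; source routing is one
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    src_in, dst_in = src in inside, dst in inside
    if not src_in and not dst_in:
        tags.append("transit")              # neither end is on the local network
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if frag_off or ihl < 20 or len(pkt) < ihl + 4 or proto not in (6, 17):
        return tags                         # no port information in this packet
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if not src_in and dst_in and NFS_PORT in (sport, dport):
        tags.append("nfs-from-outside")
    if proto == 6 and len(pkt) >= ihl + 14:
        flags = pkt[ihl + 13]
        if src_in and not dst_in and (flags & 0x12) == 0x12:   # SYN+ACK going out
            tags.append("inside-answers-outside")
            if sport >= HIGH and dport >= HIGH:
                tags.append("high-to-high-tcp")
    if proto == 17 and sport >= HIGH and dport >= HIGH:
        tags.append("high-to-high-udp")
    return tags

def ipv4(src, dst, proto, payload, options=b""):
    # Helper for constructed sample packets; header checksum is left at zero.
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload

def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)
```

Feed classify() each captured packet starting at the IP header, with `inside` set to the local network, and log any packet whose tag list is non-empty.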