Well, I guess I'll put in my 2 cents on this topic. I would argue that the best result would be obtained by using a modified tcp wrapper as *Hobbit* did to suck the packets coming in to well-known ports *and* to log the generation of ICMP port and host unreachable messages. They could be doing an all-port scan and scanning blindly for hosts with no qualified domain names.

a1 http://underground.org/
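A sketch of what the two log sources suggested above could feed into, added here as an example and not part of the original post: it flags a source that touches several ports on one host (wrapper connections plus ICMP port unreachables) or triggers host unreachables for several addresses. The log format, the sample records and the thresholds are assumptions made up for the illustration.

```python
from collections import defaultdict

# Constructed sample records in a hypothetical wrapper log format (an assumption):
#   <epoch> CONN <src> <dst> <dport>                 connection seen by the wrapper
#   <epoch> UNREACH <port|host> <src> <dst> <dport>  ICMP unreachable sent because of src
SAMPLE_LOG = """\
1000 CONN 192.0.2.10 198.51.100.5 25
1001 CONN 203.0.113.7 198.51.100.5 21
1002 CONN 203.0.113.7 198.51.100.5 23
1003 UNREACH port 203.0.113.7 198.51.100.5 79
1010 UNREACH host 203.0.113.9 198.51.100.20 80
1011 UNREACH host 203.0.113.9 198.51.100.21 80
1012 UNREACH host 203.0.113.9 198.51.100.22 80
1013 CONN 203.0.113.9
1000 CONN 203.0.113.50 198.51.100.5 21
1400 CONN 203.0.113.50 198.51.100.5 23
1800 CONN 203.0.113.50 198.51.100.5 25
"""

def parse(log):
    """Yield (time, src, dst, port, kind) tuples; malformed or truncated lines are skipped."""
    for line in log.splitlines():
        f = line.split()
        if len(f) == 5 and f[1] == "CONN" and f[0].isdigit():
            yield int(f[0]), f[2], f[3], f[4], "conn"
        elif len(f) == 6 and f[1] == "UNREACH" and f[2] in ("port", "host") and f[0].isdigit():
            yield int(f[0]), f[3], f[4], f[5], f[2]

def detect(log, window=60, port_limit=3, host_limit=3):
    """Return {src: findings} for sources that exceed a limit within `window` seconds."""
    by_src = defaultdict(list)
    for ev in parse(log):
        by_src[ev[1]].append(ev)
    findings = defaultdict(set)
    for src, evs in by_src.items():
        for ev in evs:
            # Events from this source in the `window` seconds up to and including ev.
            recent = [e for e in evs if 0 <= ev[0] - e[0] <= window]
            ports = defaultdict(set)  # dst -> distinct ports probed (open or closed)
            for _, _, dst, port, kind in recent:
                if kind != "host":
                    ports[dst].add(port)
            dead = {dst for _, _, dst, _, kind in recent if kind == "host"}
            if any(len(p) >= port_limit for p in ports.values()):
                findings[src].add("port-scan")
            if len(dead) >= host_limit:
                findings[src].add("host-sweep")
    return dict(findings)
```

Counting the port unreachables alongside the wrapper's connection records is what lets closed ports contribute to the per-source total; the last source in the sample touches the same number of ports but too slowly to fall inside one window.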