On Sun, 6 Oct 2013, megadave wrote: > Are these fully established connections? If not, perhaps they are SYN > attack with a spoofed source address. > Interesting possibility, .. how would one go about delving deeper? Would it not have to originate somewhere on the local subnet? Lee