Hi folks, I'm not really an newbye with Linux or SuSE but I'm not too deep in the matter so I need a helping hand. I've got a home-lan which consists of a Win2Kpro plus a Win98se workhorse and a notebook with SuSE 7.2 on it. Then there is an SuSE 7.0 "server" that manages T-DSL dial-on-demand as well as packetfiltering by SuSEfirewall2. The whole stuff runs nicely. :) Now I lately looked in the /var/log/messages and found masses of: --------------------------------------------------------- Oct 24 06:30:54 februar kernel: Packet log: input DENY ppp0 PROTO=6 61.210.24.153:61479 217.80.104.240:6680 L=48 S=0x00 I=64130 F=0x4000 T=108 SYN (#77) Oct 24 06:30:57 februar kernel: Packet log: input DENY ppp0 PROTO=6 131.113.98.178:32988 217.80.104.240:6680 L=48 S=0x00 I=8821 F=0x4000 T=110 SYN (#77) Oct 24 06:30:57 februar kernel: Packet log: input DENY ppp0 PROTO=6 61.210.24.153:61479 217.80.104.240:6680 L=48 S=0x00 I=64279 F=0x4000 T=108 SYN (#77) Oct 24 06:31:03 februar kernel: Packet log: input DENY ppp0 PROTO=6 131.113.98.178:32988 217.80.104.240:6680 L=48 S=0x00 I=17013 F=0x4000 T=110 SYN (#77) Oct 24 06:31:03 februar kernel: Packet log: input DENY ppp0 PROTO=6 61.210.24.153:61479 217.80.104.240:6680 L=48 S=0x00 I=64570 F=0x4000 T=108 SYN (#77) Oct 24 06:31:15 februar kernel: Packet log: input DENY ppp0 PROTO=6 131.113.98.178:32988 217.80.104.240:6680 L=48 S=0x00 I=31093 F=0x4000 T=110 SYN (#77) --------------------------------------------------------- The source IPs change a lot. When I restart pppoed this flood is stopped for some time. Then it comes again and increases in volume. Currently I get a hit every second or so. At least tail -f /var/log/messages updates the screen at this rate. Threre are 3 little problems with this. 1) My Dial-On-Demand doesn't shut down since ppp0 doesn't idle 2) My poor old server's harddisk keeps clicking all the time 3) It bugs me that I don't know whats going on =8-} Though I have Morpheus and Bearshare on my Win2K box both weren't running since my last connect to the internet. There must be something in here which temps all the folks to sniff at port 6680 of the router. Could someone think of a way I can trace the application in my LAN that calls it's buddies ? Maybe it's a freak service of Win2Kpro ? I'm rather sure I have no linux daemon running on port 6680. Even if I had the hits are denied anyway. regards andreas