Depending on how your upstream is set up, it could be OSPF, for example. To see a what it is you're capturing, set up logging to a syslog host, and add "log" to the end of the drop line deny ip any 20.0.0.0 0.255.255.255 log and you'll see the protocol number reported in the logging output. To see a list of the port numbers, you can look at any IANA mirror. The document you want is located at http://www.amaranthnetworks.com/ietf/iana/assignments/protocol-numbers on my mirror. There are presently assignments from zero to 119. There are lots of possibilities. OSPF is one that sometimes wanders over lines from upstream providers to downstream sites, for example. Dan -- ----------------------------------------------------------------- Daniel Senie dts@senie.com Amaranth Networks Inc. http://www.amaranthnetworks.com