His bandwidth then drops to 0 for almost exactly 30 minutes (MRTG isn't an exactly graph). My guess
Still using MRTG? Have you read this? http://www.mit.edu/~rbeverly/papers/rtg-lisa02.pdf Or this? http://rtg.sourceforge.net/docs/rtgfaq.html Have you checked the price of 200 gigabyte hard drives and calculated how long it would take to fill one if you were saving everything RTG could collect? Seriously, how much do you risk losing over one incident like this where you don't have the data to show your customer exactly what happened and give them the impression that you are an amazing TCP/IP guru? MRTG is utterly obsolete; replace it! http://rtg.sourceforge.net And if you can't make it to every NANOG meeting, then do check the website for useful presentations like this one http://www.nanog.org/mtg-0302/ppt/beverly.pdf --Michael Dillon P.S. considering the price of huge disk drives, I'd even consider setting up a system to capture traces of all the traffic whenever a traffic anomally occurs. That way you have even more useful info for a post mortem analysis.