On 12/03/2014 11:12 AM, SilverTip257 wrote: <> > Maybe. > A bit odd since that's assigned as Comcast VOIP and not a > static customer block. this is true. > I'd dump the traffic with tcpdump or wireshark and analyze it. i have a text file saved. see below which "save as" form should be used to reload into wireshark without loss of information? > What type of traffic is it? > (transport layer protocol, as well as application protocol > -- ex: HTTP is TCP port 80) see below. > Are there any DNS queries that happen prior to the spike? > Use wireshark to capture them and that might give a clue. see below. > You could also use nethogs to diagnose and determine what program is > causing the spike. > http://nethogs.sourceforge.net/ will have to install. *BELOW* i should have done this before posting. :-( i loaded wireshark text file to: http://pastebin.com/rCU0CC10 -- peace out. in a world with out fences, who needs gates. tc,hago. g .