Horse: Thats why I told him to slap a hub in the system with the sniffer box and the offending box connected to it. Failing that, there is always a bottleneck at some point on the way out to the internet. Stick the hub there so you can see all inbound and outbound traffic, (especially since he isn't firewalled...... Hell, what Unhappy will see there will justify the purchase of something to block the outside world......). Then he can sniff the moron till the cows come home.
Yeah, I'm a PureSecure fan but I use it only for the "real-time" view. I use plain snort -> syslog for the detailed/archive logs. I like the interface on PureSecure in so far as it allows me quick access to recent events and some summary data etc. too. I also use the HIDS on all my public and AD boxes and I really like the system monitoring. All my public services are checked every 5 minutes as are all my routers throughout the entire WAN. It's kinda nice knowing that I know of a failure in less than 5 minutes and being able to tell callers, "Yep, I know... Working on it"...... makes them think you are an all-seeing Demi-God....... ;)