Oh geez... what a spammer.

What if I just feed a "traget" a few megabytes of suspicious-looking fodder and a couple hundred well-placed, calculated packets? Maybe even sending you legitimate traffic (oddles of FTP or Web at the same exact time, for example). And let's just say that all this traffic happens over a few days or weeks or even months? Record all you want... and I wish you luck finding anything I really want hidden. The only thing the "replay" might buy you, if you're lucky, is finding out how (or when) I got in... but overall it'll take you longer to find by that method than any reasonably senior/knlwedgeable admin and a good "sense" about a machine, overall.

And, well, if you have to spam about to to sell it to security-minded folk, well, it must suck...