Not exactly a security matter but I have tried other forums with no luck -

My problem - identifying traffic bringing up router

I can't get DSL or Cable modem in my area, so have ISDN. ISDN account is for 200hrs. / mo.
and $.50 / hr. over.

My first eight months were uneventful but about three months ago my router started coming
up by itself and staying up even though I am not running anything that I think would / should
bring up the connection - costing me a boat load of extra $$ and I don't want to have to shut off the router all of the time.

During the first eight months I started leaving my machines on all of the time more and more
and increasing the router timeout eventually bringing it to 6 hours to avoid excessive connection charges from telco. When I started seeing this problem I started sniffing the network and bringing the timeout down, now currently at 15 min. but connection stays up anyway. Sometimes I telnet to router, bring down the connection and watch it come back up within seconds by itself.

My setup - 1 Mac OS9.X, 1 W2K Advanced Server, 1 XP Home Ed.,
1 Redhat 7.3, 1 FreeBSD 4.7, 1 Smoothwall FW & Netopia ISDN router, 3Com 10/100 hub.

My question - I am using Analyzer on the W2K box and I have tried sniffing for different combinations of traffic like Mac layer - all traffic, Network layer - IP traffic, Transport layer - TCP and UDP traffic and Application layer - NetBios traffic. I have found some things that may have been a problem and made a couple of rules in my FW to block outbound NetBios and turned off WINS at the W2K server but am still having the problem. And Analyzer has a timestamp problem that makes it hard to correlate events!

Can anyone give me a tip on what to sniff for or anyone have any insightful wisdom to share???????