hrm, the techs shouldn't be plugging in their laptops like that, but you never know. hehe, I wouldn't doubt it at all because I know how they are
I'll go through the ARP entries on the router this afternoon and see what I can do to track it to someone's machine. I've also set up some scripting on the nearest IDS box there that will trigger a sniffer that is now on that network to watch the traffic so I can take the packets apart and figure out what is really going on there.
oh yeah, I have over 4000 of those entries on each of my IDS boxes and they are all the same address and ports. They all happened in large chunks, like 2000 policy violations in a 300 second period, followed by 1200 in another 300 second period, followed by 800 in a 300 second period. Then a few sporadic ones or twos that happened over a few hours' time.




