Subject: help w/ tcpdump/arp
To: None <current-users@netbsd.org>
From: Brian Grayson <bgrayson@latte.ece.utexas.edu>
List: current-users
Date: 09/05/1998 17:17:41
  A little while ago, I had reason to believe one of the machines on
our subnet had been broken into -- the subnet was flooded with
messages from a numerical IP not on our net, to a named host not on
our net.  And the numerical IP would change every 20 packets or so.

  Is there a flag to tcpdump that says, print out the ethernet address
of the sending machine, so that I could tell which of the 200 or so
machines on the subnet was responsible?  Is there any good
method/program for translating Ethernet addresses to IPs?  arp looks
like it'll only do the reverse, and arp -a will only show current cached
ARP entries, not all entries for the whole subnet.

  Fortunately, the flooding stopped, but it could start up again any
minute now....

  Brian
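An added example, not from the original message or from NetBSD: `tcpdump -e` prints the link-level (Ethernet) header of each packet, and the script below reads that output and groups the IP source addresses seen per source Ethernet address, which is how a host cycling through forged source IPs can be traced back to a single sender on the local segment. The assumptions are the line layout of `tcpdump -e -n` output (which varies between tcpdump versions), constructed sample lines, and that a gateway's Ethernet address is expected to appear with many source IPs and should be excluded by the reader.

```python
"""Trace packets with changing IP source addresses to one Ethernet sender.

Feed it the text of ``tcpdump -e -n -i <iface>``; it maps each source
Ethernet address to the set of IP source addresses it has put on the wire.
The line layout assumed below is that of tcpdump's -e -n output; the
sample lines are constructed, not captured from a real network.
"""
import re
import sys
from collections import defaultdict

# "<time> <src-mac> > <dst-mac>, ... length N: <src-ip>[.port] > <dst-ip>..."
LINE_RE = re.compile(
    r"^\S+\s+(?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}.*?:\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?\s+>\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)

# Constructed sample: one sender forging three source IPs, one normal host.
SAMPLE = """\
17:17:41.000001 00:00:c0:12:34:56 > 00:00:c0:ab:cd:ef, ethertype IPv4 (0x0800), length 98: 203.0.113.5 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
17:17:41.000002 00:00:c0:12:34:56 > 00:00:c0:ab:cd:ef, ethertype IPv4 (0x0800), length 98: 203.0.113.6 > 198.51.100.7: ICMP echo request, id 1, seq 2, length 64
17:17:41.000003 08:00:20:aa:bb:cc > 00:00:c0:ab:cd:ef, ethertype IPv4 (0x0800), length 74: 10.0.0.15.1023 > 10.0.0.1.22: Flags [S], seq 1, win 512, length 0
17:17:41.000004 00:00:c0:12:34:56 > 00:00:c0:ab:cd:ef, ethertype IPv4 (0x0800), length 98: 203.0.113.7 > 198.51.100.7: ICMP echo request, id 1, seq 3, length 64
"""


def claimed_sources(tcpdump_output):
    """Map each source Ethernet address to the IP sources it has claimed.
    Lines that do not parse (non-IP frames, other layouts) are skipped."""
    by_mac = defaultdict(set)
    for line in tcpdump_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_mac[m["src_mac"].lower()].add(m["src_ip"])
    return dict(by_mac)


def suspect_senders(tcpdump_output, threshold=2):
    """Ethernet addresses that claimed at least `threshold` distinct IP
    sources. An end host normally claims one; a router or gateway
    legitimately claims many, so drop its address from this list."""
    return sorted(mac for mac, ips in claimed_sources(tcpdump_output).items()
                  if len(ips) >= threshold)


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for mac, ips in sorted(claimed_sources(text).items()):
        print(f"{mac}  {len(ips):4d} source IP(s): {', '.join(sorted(ips))}")
    print("suspect senders:", ", ".join(suspect_senders(text)) or "none")
```

The Ethernet address it reports can then be compared against `arp -a` on a machine that has recently talked to the host, or against the port tables of the switches, to find the physical machine.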