Subject: phantom ipf packets
To: None <netbsd-users@netbsd.org>
From: Steve Bellovin <smb@research.att.com>
List: netbsd-users
Date: 01/17/2002 22:12:51

I run ipfilter, for all the obvious reasons.  But ipmon sometimes shows 
me phantom packets -- packets that had to have been received a long 
time ago.  For example, right now I'm seeing things like this:

Jan 17 22:04:18 berkshire ipmon[136]: 18:46:53.398760              wi0 @0:35 b 18.80.3.173,timed -> 18.80.255.255,timed PR udp len 20 26624  IN 
Jan 17 22:05:28 berkshire ipmon[136]: 18:47:01.079951              wi0 @0:35 b 18.80.1.128,631 -> 255.255.255.255,631 PR udp len 20 28928  IN 
Jan 17 22:06:38 berkshire ipmon[136]: 18:47:06.816837              wi0 @0:35 b 18.80.3.228,who -> 18.80.255.255,who PR udp len 20 1  IN 
Jan 17 22:07:49 berkshire ipmon[136]: 18:47:24.123376              wi0 @0:35 b 18.80.2.95,631 -> 18.80.255.255,631 PR udp len 20 33792  IN 
Jan 17 22:08:59 berkshire ipmon[136]: 18:47:31.969974              wi0 @0:35 b 18.80.1.128,631 -> 255.255.255.255,631 PR udp len 20 28928  IN 

My wi card isn't even plugged in now; I disconnected it about 90 
minutes ago before heading for my hotel room.  I'm not connected to 
*anything* right now, not even the power grid.

So -- where are these packets coming from?  Alternatively, where have 
they been hiding, and how are they originating on a network that 
currently doesn't even exist?

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
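
The gap between the syslog timestamp and ipmon's own packet timestamp in the lines quoted above can be measured mechanically. The following is an added example, not part of the original post: it parses ipmon syslog lines in the format shown and flags entries whose packet time lags the syslog time by more than a threshold. The year (taken from the message's Date header), the 5-minute threshold, the function names and the third sample line are assumptions.

```python
import re
from datetime import datetime, timedelta

# First two lines are copied from the post; the third is constructed
# to show what a promptly logged entry looks like.
SAMPLE = """\
Jan 17 22:04:18 berkshire ipmon[136]: 18:46:53.398760              wi0 @0:35 b 18.80.3.173,timed -> 18.80.255.255,timed PR udp len 20 26624  IN
Jan 17 22:08:59 berkshire ipmon[136]: 18:47:31.969974              wi0 @0:35 b 18.80.1.128,631 -> 255.255.255.255,631 PR udp len 20 28928  IN
Jan 17 22:09:05 berkshire ipmon[136]: 22:09:04.100000              wi0 @0:35 b 18.80.1.128,631 -> 255.255.255.255,631 PR udp len 20 28928  IN
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+ipmon\[\d+\]:\s+"
    r"(?P<pkt>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<rule>\d+:\d+)\s+"
    r"\S+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def parse_line(line, year):
    """Return one record per ipmon line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["stamp"].split())          # syslog pads days: "Jan  7"
    logged = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    pkt = datetime.strptime(m["pkt"], "%H:%M:%S.%f").time()
    seen = datetime.combine(logged.date(), pkt)
    # Assumption: a packet time later than the syslog time (beyond the
    # sub-second rounding of the syslog stamp) belongs to the previous day.
    if seen > logged + timedelta(seconds=1):
        seen -= timedelta(days=1)
    return {"logged": logged, "seen": seen, "lag": logged - seen,
            "iface": m["iface"], "rule": m["rule"],
            "src": m["src"], "dst": m["dst"]}

def stale_entries(text, year, threshold=timedelta(minutes=5)):
    """Records whose packet timestamp lags the syslog timestamp by > threshold."""
    records = (parse_line(l, year) for l in text.splitlines())
    return [r for r in records if r and r["lag"] > threshold]

if __name__ == "__main__":
    for r in stale_entries(SAMPLE, 2002):
        print(f'{r["logged"]:%H:%M:%S} logged, seen {r["seen"]:%H:%M:%S} '
              f'on {r["iface"]} rule @{r["rule"]}: lag {r["lag"]}')
```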