A central syslog and firewalled 8291 ports with logging would be a better solution imho :) Grep seems less of a strain than tshark and would be quicker, I imagine.
If you would want to do this permanently, yes. But this is only something I would run maybe for 3-4 days and then be bored.
First night I did the tshark logging without the postprocessing (so file gets the 1-line-per-packet trace info) and it collected 500MB in a single night. Maybe you don't want that all in the syslog... Now I keep only the source addresses,
Rob