Chapter 11. Mystery Traffic

Many times as a security analyst, you see some kind of interesting traffic and wish you had the time or resources to investigate it or understand it better. You have a much better chance of doing so in a research position than in a busy operational environment, where your sole purpose is to make sure that no unauthorized access occurs.

One such opportunity to analyze an event of interest arose at a site where Shadow was used to capture traffic. The site was the target of extensive, unexplained activity directed at TCP destination port 27374, a port often used by SubSeven. ...
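The first triage question for traffic like this is whether one source is sweeping many hosts on port 27374 or whether a listener on the inside actually answered. As an added example (not code from the book or from Shadow), the following Python reads constructed tcpdump-style lines of the kind a Shadow sensor produces and classifies each external source accordingly; the addresses and timestamps are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in `tcpdump -n` style (not real capture data).
SAMPLE_LOG = """\
12:00:01.000001 IP 203.0.113.5.4021 > 192.0.2.10.27374: Flags [S], seq 1, win 8192, length 0
12:00:01.000502 IP 203.0.113.5.4022 > 192.0.2.11.27374: Flags [S], seq 1, win 8192, length 0
12:00:01.001003 IP 203.0.113.5.4023 > 192.0.2.12.27374: Flags [S], seq 1, win 8192, length 0
12:00:02.000000 IP 198.51.100.7.51000 > 192.0.2.10.27374: Flags [S], seq 9, win 65535, length 0
12:00:02.000300 IP 192.0.2.10.27374 > 198.51.100.7.51000: Flags [S.], seq 5, ack 10, win 5840, length 0
12:00:02.000600 IP 198.51.100.7.51000 > 192.0.2.10.27374: Flags [.], ack 6, win 65535, length 0
12:00:03.000000 IP 198.51.100.7.51001 > 192.0.2.10.80: Flags [S], seq 3, win 65535, length 0
"""

# Matches the "src.sport > dst.dport: Flags [..]" portion of a tcpdump line.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def triage_port(log_text, port=27374):
    """Per source aimed at `port`: count distinct targets and note whether
    any target answered with SYN/ACK (i.e. a listener really exists)."""
    targets = defaultdict(set)   # src -> set of destination hosts probed
    answered = set()             # clients that received a SYN/ACK from `port`
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dport, sport, flags = int(m["dport"]), int(m["sport"]), m["flags"]
        if dport == port:
            targets[m["src"]].add(m["dst"])
        elif sport == port and "S" in flags and "." in flags:
            # SYN/ACK coming back from the port: the listener accepted this client
            answered.add(m["dst"])
    report = {}
    for src, dsts in targets.items():
        if src in answered:
            kind = "completed handshake"
        elif len(dsts) > 1:
            kind = "sweep (SYN to multiple hosts, no reply)"
        else:
            kind = "single probe"
        report[src] = {"targets": len(dsts), "kind": kind}
    return report
```

A source tagged "completed handshake" deserves a host-level look, since something on the inside is listening; a sweep with no replies is reconnaissance to be counted and reported rather than chased host by host.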
