This the command I use to track down P2P conenctions through my networks:
ngrep -t -d ETH00:00 -q -i -W single -l \
Note: it should all be on one line.
-i is ignore case
-w is word-regex (expression must match as a word)
-l is make stdout line buffered
-t is print timestamp every time a packet is matched
-W is set the dump format (normal, byline, single, none)
-d is use specified device instead of the pcap default
Bad Behavior has blocked 45 access attempts in the last 7 days.