workload data: challenges

- id and present `useful' workload metrics, particularly given persistence of fire-fighting environment
- id significant patterns, timeframes, correlations
- vary by user need
- change as technologies and 'net change
- methodology has many weaknesses
- dynamic port negotiation (napster)
- tons of `other' ports unmapped
- ports not really assurance/unique anyway
- IPSEC blows away ports anyway
- need traffic profiling
- things getting worse not better here