I have been seeing some unusual IP activity on a terminal server
and was wondering if it's possible to set up a sniffer off of a
dial in port????

There is an IP address appering in the log files of the terminal
server that does not belong, looks kinda like:

123.123.123.123 is a normal address on the terminal server and
along comes 234.234.234.255 (broadcast). The address in question
never goes out of the terminal server into the real network and
appears to be coming from a dial up connection.

Earl Pray, Network Analyst, Information Warfare Security Center
praye@moriarty.dcsint.5sigcmd.army.mil