> It also explains that at least the rule 3 in Vern's paper cannot be > implemented since it has to be operated in in-line mode. But how the first > two rules? That paper focuses on in-line network processing: none of the rules in it help thwart evasion for passive monitoring. Vern