So we experienced high utilization that disappeared only when we
unloaded ipflt, and we found Craig's info on
http://nscsysop.hypermart.net/virus.html
that led to solving the problem - we removed the icmp filter exception
and voila, all better. And we're dealing with the infected computers
on the network.

But here's what I don't get (please forgive my only basic
understanding of filters and filter exceptions):

So we have infected computers that are trying to ping all over the
place. And we had a filter exception in BM that allowed the pings to
go out and come back, and that was making a mess of the BM server, and
so removing the filter exception has fixed things (and yes, as Craig
predicted, we now see a disparity in received vs transmitted packets).

What I don't understand is why utilization dropped when, during
troubleshooting, we simply unloaded ipflt. In my mind that means we
are turning off filtering, which means that all of the virus-based
pings would still have been shooting from infected computers out onto
the Internet, and should not have affected performance.

This is only a question for understanding - the problem is solved.
But I am curious as to why/how this all works.

Thanks!
jtf