I don't think the guy wants to capture the entire session just know when a connection is active and how to block. iPlayer, 4OD etc all use *.edgefcs.net If it were me I'd set up stuff in IPTables, Snort/PSAD and Squid to log. block the source and possibly the application/x-shockwave-flash mime type You can then explicitly allow any required sites. Kris