Also, you can accomplish the same thing by running something like Wireshark on your upstream box and capturing 20 mins of packets for analysis. Or, if you're running some semi-professional network gear, clone the appropriate upstream port on your firewall and use a separate box to capture the traffic so it won't interfere with your system. (Sometimes the act of measuring or monitoring stuff can adversely affect things to the point where the problem won't manifest any more.)
You can fairly quickly track the sessions and look for ones that have abnormally long durations, cut them out of the data, and take a really close look at what's going on at a packet level.
That's where I'd start.
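An added example, not part of the post above or the poster's own code: a standard-library Python sketch of the session-duration triage the post describes, grouping the TCP packets in a capture into conversations and listing the abnormally long ones. It assumes a classic pcap file (not pcapng) with Ethernet/IPv4 frames; the `factor` and `floor` thresholds and the sample capture with documentation addresses are constructed for illustration.

```python
import struct
from statistics import median

def flows_from_pcap(data):
    """Map each IPv4/TCP conversation in a classic pcap to (first_ts, last_ts, packets)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24 or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic (microsecond) pcap with Ethernet frames")
    flows, off = {}, 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(order + "IIII", data[off:off + 16])
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                  # not IPv4 carrying TCP
        ihl = (pkt[14] & 0x0F) * 4
        if struct.unpack("!H", pkt[20:22])[0] & 0x1FFF or len(pkt) < 18 + ihl:
            continue                                  # later fragment or truncated: no ports
        sport, dport = struct.unpack("!HH", pkt[14 + ihl:18 + ihl])
        # Sort the two endpoints so both directions share one key.
        key = tuple(sorted([(pkt[26:30], sport), (pkt[30:34], dport)]))
        ts = sec + usec / 1e6
        first, last, count = flows.get(key, (ts, ts, 0))
        flows[key] = (min(first, ts), max(last, ts), count + 1)
    return flows

def long_sessions(flows, factor=5.0, floor=60.0):
    """Flows lasting longer than max(floor, factor * median duration), longest first."""
    durations = {k: last - first for k, (first, last, _) in flows.items()}
    cutoff = max(floor, factor * median(durations.values())) if durations else floor
    hits = [(k, d) for k, d in durations.items() if d > cutoff]
    return sorted(hits, key=lambda item: item[1], reverse=True)

def sample_pcap():
    """Constructed capture: three short flows to port 443 and one 900 s flow to port 8443."""
    def pkt(ts, src, sport, dst, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 1024, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp
        return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    c, web, odd = (10, 0, 0, 5), (192, 0, 2, 10), (198, 51, 100, 7)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    sessions = ((50001, web, 443, 0, 2), (50002, web, 443, 10, 13),
                (50003, web, 443, 20, 24), (50004, odd, 8443, 5, 905))
    for port, srv, sport, start, end in sessions:
        out += pkt(start, c, port, srv, sport) + pkt(end, srv, sport, c, port)
    return out

if __name__ == "__main__":
    for ((a_ip, a_port), (b_ip, b_port)), secs in long_sessions(flows_from_pcap(sample_pcap())):
        print(".".join(map(str, a_ip)), a_port, "<->", ".".join(map(str, b_ip)), b_port, secs)
```

The endpoints it reports can then be used as a display or capture filter to cut those sessions out of the full capture for packet-level inspection.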