Posts: 1,463 | Thanked: 1,916 times | Joined on Feb 2008 @ Edmonton, AB
#57
Okay, well, I would agree, but I actually meant using heuristics to find suspicious running processes. I thought there would be an easy way to see what is logging keys, and tcpdump doesn't give the process ID because of a limitation of the libpcap driver, it seems. netstat would work, but I think it only shows current connections, and a keylogger doesn't usually remain connected, I would think. Well, I will keep thinking about this.
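An added example, not part of the original post: one way to attribute connections to processes over time is to poll `/proc/net/tcp` and join each socket inode to the process that holds it, so connections that have since closed are still logged. It assumes a Linux `/proc` layout and a little-endian host; the function names and the sample table are constructed for illustration.

```python
import glob, os, re, socket, struct, time

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C350 0A00A8C0:01BB 01 00000000:00000000 00:00000000 00000000 29999        0 4711 1 0000000000000000 20 4 30 10 -1
"""

def _addr(hexpair):
    """Decode 'HEXIP:HEXPORT' as printed on a little-endian host (assumption)."""
    ip, port = hexpair.split(":")
    return "%s:%d" % (socket.inet_ntoa(struct.pack("<I", int(ip, 16))), int(port, 16))

def parse_tcp(text):
    """Return {inode: (local, remote)}, skipping listeners and TIME_WAIT (inode 0)."""
    conns = {}
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and f[2] != "00000000:0000" and f[9] != "0":
            conns[int(f[9])] = (_addr(f[1]), _addr(f[2]))
    return conns

def socket_owners(proc="/proc"):
    """Map socket inode -> pid by reading every process's fd symlinks."""
    owners = {}
    for link in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            m = re.match(r"socket:\[(\d+)\]$", os.readlink(link))
        except OSError:  # process exited or access denied (run as root)
            continue
        if m:
            owners[int(m.group(1))] = int(link.split(os.sep)[-3])
    return owners

def new_connections(conns, owners, seen):
    """Return unseen connections as (pid, local, remote); record them in seen."""
    fresh = {i: c for i, c in conns.items() if (i, c[1]) not in seen}
    seen.update((i, c[1]) for i, c in fresh.items())
    return [(owners.get(i),) + c for i, c in fresh.items()]

if __name__ == "__main__":
    seen = set()
    while True:  # repeated polling also logs connections that have since closed
        with open("/proc/net/tcp") as fh:
            conns = parse_tcp(fh.read())
        for row in new_connections(conns, socket_owners(), seen):
            print(time.strftime("%H:%M:%S"), *row)
        time.sleep(0.5)
```

A connection that opens and closes between two polls is still missed, and UDP or IPv6 sockets (`/proc/net/udp`, `/proc/net/tcp6`) are not covered here.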