Packet Analysis Challenge

Published: 2006-07-26
Last Updated: 2006-07-26 01:27:44 UTC
by Lorna Hutcheson (Version: 1)
Yes, it's packet time. Here are some packets that I would like to throw out there to see what folks are able to come up with. You will need your favorite tool to read the file, as it is a raw packet capture. This is exactly what we were initially given to work with, including the source and destination IPs being obfuscated. I will give you a couple of clues from later captures we received that will help clarify, but you don't really need them. The source IP does change but the destination IP does not. The destination IP is a primary DNS server. Everything that you need is contained in these packets. You should be able to come up with a general idea of what is going on. Is this an attack, scan or normal network traffic? Please explain briefly how you came to your conclusions. If you want to try this, but don't want to be mentioned in the future diary writeup with the solution, please let me know. I'll post the answer in a few days and explain how we came to our conclusions and how it was verified with a later capture. Have fun!!!
