I'm exhausted right now and can't think very clearly so forgive me if the script for this task is obvious to some: Goal I'd like to keep a running tally/count/sum of how often each domain server <resolved target IP> is being requested by each host on my LAN <source host IP> since logging was enabled. It is not important to know port, protocol, time of day, amount of data etc. - just a crude running total that I can examine from time to time to see if any new candidates for adding to a block list have appeared. Feature Creep For requests to domain servers that resolve to specific IP addresses whether specified by IP address (e.g. 127.0.0.1 & 0.0.0.0) or by domain name (e.g block.opendns.com & custom.block.local) it would be very handy if I could OPTIONALLY keep a tally indexed by the original domain name being requested <raw target domain>. (e.g. undesirable.site.com & must.access.org) i.e. A list I could examine from time to time to see if there are new candidates for adding to a whitelist. Possible Implementation I haven't given this any more thought than imagining using an associative array with index fields as mentioned already e.g. TALLY1[<source host IP>, <resolved target IP>] - for the first type of log and TALLY2[<source host IP>, <raw target domain>] - for the second type of log. Of course I'd want these arrays to be saved to CIFS1 or CIFS2 from time to time much like the tomato_rstats_###.gz is backed up periodically. And for it to be easy to parse I'd prefer to have a host name look up array on hand to save me the further trouble of iteratively 'ping -a <IP address>' for each unique <source host IP> and <resolved target IP> NAME[<IP address>] Where I need help is being pointed in the right direction to know what basic logging tool will give me the raw data that I need for this task. And whether it is likely to be too great a load on the router or not. In case you are wondering EVERY local host is assigned a static IP address. ... and yes, I do have teenagers on the network!