in reply to Algorithmic difficulties

The solution lies in the following: You can never have more than one connection to one port. The sniffer has left some parts out, because the connections are not really to the :80 port, but dispatched to another, higher number. However, the from port is such a high number, so we can assume that's the real (dispatched) port.

Take your example:

    *snip* from=(111.111.111.111:1234) to=(22.22.22.22:80) *snip*
    ASCII ... from=(111.111.111.111:1234), localport=(80), *data here*
    *snip* from=(111.111.111.111:1234) to=(my.box.ip.addr:80) *snip*
    ASCII ... from=(111.111.111.111:1234), localport=(80), *data here*

Because there can only be one connection from the :1234 port, the connection to 22.22.22.22:80 must be broken before the connection to my.box.ip.addr:80 has been made. On the basis of that you get:

    while (<INPUT>) {
        # $from: first (...), $to: second (...), $rest: remainder of the line
        my ($from, $to, $rest) = m/.*?\(([\d\.\:]*)\).*?\(([\d\.\:]*)\)(.*)/ or next;
        # to=(ip:port) line: remember whether this source now talks to $mybox
        $mine{$from} = ($to eq $mybox) if $to =~ m/:/;
        # localport=(port) line: print the data only for connections to $mybox
        print $rest if $to =~ m/^\d+$/ && $mine{$from};
    }

Hope this helps,

Jeroen
I was dreaming of guitarnotes that would irritate an executive kind of guy (FZ)

Update: chipmunk pointed to some typos. Thanx! Furthermore, I rewrote line 3, it's cleaner now.