ISA can only report what it gets. The IPext..log holds that data after you apply the "block and log" fix I referenced you to.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Mon, 20 Oct 2003 09:56:25 -0700 "Ray Dzek" <rdzek@xxxxxxxxxxxxxxx> wrote:

http://www.ISAserver.org

Jim,

Thanks for the reply, but...

Neither of the changes mentioned in the KB article really helps me. They stop the traffic from traversing ISA, but still do nothing to let me know who is generating the traffic. Ultimately, it was Network Monitor and using the MAC-to-IP program I pasted the link to earlier that got me the information I needed to squash the last few machines still infected. I just think that I should have been able to get this information from ISA faster and easier.

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, October 19, 2003 7:49 PM
Subject: [isalist] Re: Help - ICMP Traffic Killing ISA

> Here y'go...
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;283213&Product=ISAS
>
> ..all you need is SP1 for these settings to work...
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://www.microsoft.com/isaserver
> http://isaserver.org/Jim_Harrison
> http://isatools.org
>
> Read the help, books and articles!
>
> ----- Original Message -----
> From: "Ray Dzek" <rdzek@xxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, October 17, 2003 09:14
> Subject: [isalist] Help - ICMP Traffic Killing ISA
>
> We had some visitors come in from out of town and help themselves to an
> ethernet port which unleashed Welchia and Blaster on our internal network.
> (Yes .. there will be public floggings at noon today).
> But I am trying to track down where the stragglers are on the network that
> are still infected. I have been using netmonitor and other tools to find
> the "screamers" on the LAN. I was also trying to use Wintail to simply tell
> me who on the network is generating the traffic. When I tail the ippextd
> logs, I see all the ICMP traffic scrolling, but it all looks like it is
> coming from the external interface of ISA. There is no corresponding
> traffic in the webextd or fwextd logs. If I stop the fw and web services,
> the ippextd logs continue to scroll with ICMP traffic. What is up?
>
> Thanks in advance.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
> ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
>
> All mail from this domain is virus-scanned with RAV.
> www.ravantivirus.com > > ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^* > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: rdzek@xxxxxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^* All mail from this domain is virus-scanned with RAV. www.ravantivirus.com ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*