

How to set up logging for port 25 to find a virus on network

Last Modified: 2013-11-16
I have a virus on the network some place that keeps sending out .zip files and causing the email server to be blacklisted. How do I set up logging on ISA Server 2004 for logging of port 25? All directions I have found on this venue have not worked. I do not have an SBS server - I have Windows 2003 Server, Exchange 2003, ISA Server 2004 - all Windows XP Pro clients. For example:

Doesn't have to be from a source port of 25 - it is the destination port you need to be more concerned over.

open the ISA gui
select - monitoring - logging
On the right, click edit query (I do not have Edit query) I have Edit Filter and followed the directions with that
Change the action to destination port  =  25
Click update
Change the time value to past 7 days  (I do not see a change the time value to past 7 days)
click update
click start query - I start query - but it just keeps "fetching results" forever

is any device listed as the source that is other than your SBS server?

TCPDUMP is generally useful anytime you need to find out where traffic is coming from on a network. If you don't have much Linux-fu you can also try WinDUMP. You'll need WinPcap as well. learn more here:

There are elegant ways to deploy this in your network, but a straightforward, albeit ham-fisted way is to have a PC with at least two network interfaces on it configured as bridge interfaces. This effectively lets your monitoring PC running TCPDUMP sit on the wire between your server and the switch port it connects to.

There are all kinds of rules you could apply to match and log traffic of interest. For example:
# tcpdump -vv '(src net <NETWORK-RANGE-1> or src net <NETWORK-RANGE-2>) and dst port 25'

This would log all traffic that originated from either of the specified network address ranges if that traffic was going anywhere with a destination port of 25. Really, any combination of protocols and network source and destinations can be used as matching criteria, so if you want more targeted logging of network traffic, TCPDUMP is a great choice.
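As an added example that is not part of the answer above or the original page: a short Python script that reads the lines tcpdump prints for outbound SMTP connection attempts and counts which internal host is opening the most connections to destination port 25, which is how you would spot the infected client. The sample capture lines, the internal mail-server address (which is excluded because its port 25 traffic is legitimate) and the alert threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -nn 'tcp[tcpflags] & tcp-syn != 0 and dst port 25'`
# output (not a real capture). Each line is a TCP SYN, i.e. one new outbound
# connection attempt, from an internal host to some mail server on port 25.
SAMPLE_TCPDUMP_OUTPUT = """\
12:00:01.000001 IP 192.168.1.10.49152 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
12:00:01.200000 IP 192.168.1.10.49153 > 203.0.113.6.25: Flags [S], seq 2, win 64240, length 0
12:00:01.400000 IP 192.168.1.25.3300 > 198.51.100.7.25: Flags [S], seq 3, win 64240, length 0
12:00:01.600000 IP 192.168.1.10.49154 > 203.0.113.7.25: Flags [S], seq 4, win 64240, length 0
12:00:02.000000 IP 192.168.1.10.49155 > 203.0.113.8.25: Flags [S], seq 5, win 64240, length 0
12:00:02.100000 IP 192.168.1.40.50000 > 192.0.2.9.80: Flags [S], seq 6, win 64240, length 0
"""

# Matches "IP <src>.<sport> > <dst>.<dport>: Flags [S]" as printed by tcpdump -nn.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)

# Assumed address of the legitimate Exchange server; its SMTP traffic is expected.
MAIL_SERVER = "192.168.1.25"


def count_smtp_initiators(text, mail_server=MAIL_SERVER):
    """Count outbound SYNs to dst port 25 per source IP, ignoring the mail server."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a SYN line, or not in the expected format
        src, _sport, _dst, dport = m.groups()
        if dport != "25" or src == mail_server:
            continue
        counts[src] += 1
    return counts


def suspects(text, mail_server=MAIL_SERVER, threshold=3):
    """Source IPs that opened at least `threshold` SMTP connections, busiest first."""
    counts = count_smtp_initiators(text, mail_server)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # On a real capture, feed the saved tcpdump output file instead of the sample.
    for ip in suspects(SAMPLE_TCPDUMP_OUTPUT):
        print("possible spam sender:", ip)
```

Any workstation that shows up here should not be talking SMTP at all if clients relay through Exchange, so a single hit is already worth checking.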



I went to the site, downloaded the tcpdump - let it run - but it only takes me to a web page when I click on it. There is nothing there.