hi .. i'm a provider and there is a virus on my network .. i dun know which ip is the real infected one .. i added a firewall filter to block the virus but i really need to identify which ip how can i do that PLZ HELP

Use torch to watch for traffic that matches the ports you're experiencing problems on:
It'll display, among other things, the IP addresses of the clients participating in traffic that matches those parameters.

ok thnx i'll try that but is there a more simple way like a firewall filter or a mangle rule to identify which ip/ips that has/have the virus cuz i have too many clients and it's hard to detect the infected one :S

I guess that if you know the ports used by the virus, then you could just set up a line in your firewall to log all traffic through these ports.

line like what .. give me an example plz .. suppose the virus port is 445

if you have a firewall rule already dropping the traffc, copy the rule and change the action from drop to log. voila

First, if you are not already dropping traffic to/from the netbios ports, you should do that. If it is some virus that does not spread using netbios, then you should identify the traffic with either torch or a firewall rule that logs traffic. Something like the following will give you a log rule: That is likely to generate a LOT of traffic. You can tune the above rule to narrow down what traffic you are looking for with the log action.