Hi all,

I am having trouble here with our network. Our ISP is telling us that a virus (Netsky.P) is coming from our computer. Unfortunately the "computer" is our Smoothwall (Linux based) firewall/NAT router which has another 30 or so PCs behind it. They can't give us any more details other than the router IP as they don't seem to be able to dig out the internal IP address from the packets.

What I want to do is capture all the SMTP and POP3 traffic and then look through it to find suspicious looking zip files that have been emailed out from our system. Does anybody have a method that will allow me to do this with email only and not with all the other network traffic that causes my captures to become massive within minutes? I've played with Ethereal and I am not having much luck with whittling the captured packets down to POP and SMTP only. Everything I do seems to involve simply hiding the rest of the packets, but Ethereal is still capturing them and getting slower and slower to operate.

Alternatively, if I could find a way to scan and log every email sent for this virus directly on the SmoothWall it would be great as well. This would be the preferred method as the last time the virus was sent out was on Monday so it is pretty random.

Anybody got any suggestions??

Thanks!
Rene


P.S. I have my eyes set on a laptop that is currently out of the office, but we have been getting warnings from our ISP for weeks and I have scanned all PCs including that laptop manually since then. This virus came out back in 2004 so outdated definitions are definitely out of the question.
_________________________
12 gig empeg Mark II, SN: 080000101
30 gig RioCar SN: 30103114
My blog
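Two things the question runs into, illustrated with an added example that is not part of the original post or of Smoothwall. First, the capture itself: Ethereal (and tcpdump, which uses the same BPF syntax) distinguishes a *display* filter, which only hides packets already captured, from a *capture* filter, which stops them being recorded at all; a capture filter of `tcp port 25 or tcp port 110` (entered in the Capture Options dialog, or as `tcpdump -i <wan-interface> -w mail.pcap 'tcp port 25 or tcp port 110'`) keeps the file to mail traffic only. Second, once messages are reassembled from the capture or pulled from the mail spool, something has to spot the outgoing attachments. The script below does that with the Python standard library: it walks the MIME parts of a raw RFC 822 message, flags attachments whose filename or declared content type suggests a zip or executable, and reports the sender and recipient so the internal source can be traced. The sample messages, the `example.internal` addresses and the list of flagged extensions are constructed assumptions, not anything from the post.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions worth reporting when they leave the network.
# Constructed list for this example; extend to taste.
SUSPICIOUS_EXTENSIONS = ('.zip', '.pif', '.scr', '.exe')
ZIP_CONTENT_TYPES = ('application/zip', 'application/x-zip-compressed')
ZIP_MAGIC = b'PK\x03\x04'  # local file header signature of a zip archive


def find_suspicious_attachments(raw_message: bytes) -> list[dict]:
    """Return one record per attachment that looks like a zip or executable.

    Each record carries From/To so an internal sender can be located,
    plus whether the payload actually starts with the zip magic bytes
    (a .zip name wrapped around something else is itself suspicious).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container part; its children are walked separately
        filename = (part.get_filename() or '')
        ctype = part.get_content_type()
        by_name = filename.lower().endswith(SUSPICIOUS_EXTENSIONS)
        by_type = ctype in ZIP_CONTENT_TYPES
        if not (by_name or by_type):
            continue
        payload = part.get_payload(decode=True) or b''
        findings.append({
            'from': msg['From'],
            'to': msg['To'],
            'subject': msg['Subject'],
            'filename': filename,
            'content_type': ctype,
            'size': len(payload),
            'real_zip': payload.startswith(ZIP_MAGIC),
        })
    return findings


def build_sample(with_attachment: bool, filename: str = 'document.zip') -> bytes:
    """Construct a sample message for the demo; addresses are made up."""
    msg = EmailMessage()
    msg['From'] = 'workstation-user@example.internal'
    msg['To'] = 'someone@example.com'
    msg['Subject'] = 'Re: Document'
    msg.set_content('Please see the attached file.')
    if with_attachment:
        # A minimal blob starting with the zip magic; not a valid archive.
        msg.add_attachment(ZIP_MAGIC + b'\x00' * 26,
                           maintype='application', subtype='zip',
                           filename=filename)
    return msg.as_bytes()


def scan_messages(messages: list[bytes]) -> list[dict]:
    """Scan several raw messages (e.g. split out of a capture or spool)."""
    hits = []
    for raw in messages:
        hits.extend(find_suspicious_attachments(raw))
    return hits


if __name__ == '__main__':
    samples = [build_sample(False), build_sample(True)]
    for hit in scan_messages(samples):
        print(f"{hit['from']} -> {hit['to']}: {hit['filename']} "
              f"({hit['content_type']}, {hit['size']} bytes, "
              f"zip magic: {hit['real_zip']})")
```

Run it against the messages you reassemble from the capture (Ethereal's "Follow TCP Stream" on a port 25 session gives the raw SMTP dialogue; the message body between `DATA` and the terminating `.` line is what `find_suspicious_attachments` expects). Because the record keeps the `From` header and you know which internal host's stream it came from, a single hit is enough to point at the infected machine without scanning every PC again.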