Just for information - may be useful for someone.

Task - we determined that a few infected machines were connected to one of our offices a few days ago. They ran one of those viruses which generate a lot of scans and create significant traffic (but the traffic was not big enough to raise an alarm on the outgoing gateway). The activity was short. The computers were not connected at the time of the investigation. The IDS system and Cisco logs were not active in this office (a few tricks with Cisco ACLs and logs allow detecting many viruses instantly; good IDS systems can do it as well).

Solution:
- get all port statistics from the switch (using SNMPGET and a simple 'telnetting' script - we have a 'RUN-cmd' tool allowing us to run switch commands from a shell file);
- remove all ports with traffic less than some threshold;
- calculate the IN/OUT packet ratio for the rest of the ports;
- find ports where the IN/OUT ratio (IN - to switch) > 6;
- among these ports, find ports with an average packet size < 256 bytes.

It shows all ports with infected notebooks (even if a notebook was connected for only half a day).

PS. Of course, after this a few additional monitoring tools were installed, and we added _all_ switches and _all_ ports to the 'snmpstat' monitoring system (it allows seeing traffic in real time and analyzing historical charts, including such things as packet size).
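The filtering steps above, as an added example that is not the poster's script: it applies the traffic threshold, the IN/OUT ratio > 6 and the average packet size < 256 bytes to per-port counter deltas. The counters are constructed sample data standing in for the IF-MIB ifInUcastPkts / ifInOctets / ifOutUcastPkts / ifOutOctets values you would poll twice with snmpget and subtract; the low-traffic threshold of 1000 packets is an assumed value the post does not give.

```python
# Heuristic from the post: a scanning host pushes many small packets INTO the
# switch and gets little back, so its port shows a high IN/OUT packet ratio
# and a small average inbound packet size.

MIN_PACKETS = 1000     # assumed "some threshold" for dropping quiet ports
RATIO_LIMIT = 6.0      # IN/OUT packet ratio, IN = into the switch
MAX_AVG_SIZE = 256     # bytes; scanners send small packets

# Constructed counter deltas: port -> (in_pkts, in_octets, out_pkts, out_octets)
SAMPLE_PORTS = {
    "Fa0/1": (120000, 9_000_000, 115000, 140_000_000),     # normal workstation
    "Fa0/2": (300, 40_000, 250, 120_000),                  # nearly idle port
    "Fa0/3": (500000, 32_000_000, 40000, 3_000_000),       # scanner: ratio 12.5, 64 B
    "Fa0/4": (800000, 1_100_000_000, 90000, 6_000_000),    # backup upload: ratio 8.9, big packets
    "Fa0/5": (200000, 14_000_000, 30000, 2_000_000),       # scanner: ratio 6.67, 70 B
}


def avg_packet_size(octets, pkts):
    """Average bytes per packet; 0.0 when there were no packets."""
    return octets / pkts if pkts else 0.0


def suspicious_ports(ports, min_packets=MIN_PACKETS,
                     ratio_limit=RATIO_LIMIT, max_avg=MAX_AVG_SIZE):
    """Return {port: (in_out_ratio, avg_inbound_size)} for ports passing all filters."""
    hits = {}
    for name, (in_pkts, in_octets, out_pkts, out_octets) in ports.items():
        if in_pkts + out_pkts < min_packets:
            continue                                   # drop low-traffic ports
        ratio = in_pkts / out_pkts if out_pkts else float("inf")
        if ratio <= ratio_limit:
            continue                                   # keep only IN/OUT > 6
        avg_in = avg_packet_size(in_octets, in_pkts)
        if avg_in >= max_avg:                          # big packets = bulk transfer, not a scan
            continue
        hits[name] = (round(ratio, 2), round(avg_in, 1))
    return hits


if __name__ == "__main__":
    for port, (ratio, avg) in suspicious_ports(SAMPLE_PORTS).items():
        print(f"{port}: IN/OUT ratio {ratio}, avg inbound packet {avg} bytes")
```

Fa0/4 shows why the packet-size step matters: its ratio is also above 6, but a large average packet size marks it as a bulk upload rather than a scanner.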