How can packet sniffing help find the problem?
For experienced administrators, a packet sniffer is a useful option to track down undesired network traffic. The key feature of a packet sniffer is that it captures data as it flows across a network and makes it available for review. There are many such tools available, both paid and free of charge.
- Wireshark and tcpdump are free of charge. A web search for “packet sniffer” or “network sniffer” will find many other options.
Some Wireshark usage suggestions to help track unwanted traffic to port 25
- Capture filter options – set to: port 25
- Display filter – set to: smtp.req.command == "HELO" or smtp.req.command == "EHLO"
- If the exact HELO string to look for is known: (smtp.req.command == "HELO" or smtp.req.command == "EHLO") and (smtp.req.parameter contains "[HELO string]")
NOTE: Ensure that the filter above is restricted to sessions initiated from the problem IP, i.e. traffic that the problem host sends, not traffic sent to it. Adding a source-address condition does this, for example:
- ip.src == [problem IP], combined with the display filters above using and
Careful review of the captured packets for anomalies should make it possible to identify which host the unwanted traffic is coming from.
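As an added example (not part of the original page), the same check that the display filters above express, HELO/EHLO commands sent to port 25 grouped by source IP and optionally restricted to one problem IP, written as a small stdlib-only Python reader for a classic pcap file such as tcpdump or Wireshark saves. The capture bytes, IP addresses and host names are constructed for the demonstration.

```python
import re
import struct
from collections import defaultdict

HELO_RE = re.compile(rb"^(HELO|EHLO)\s+(\S+)", re.IGNORECASE | re.MULTILINE)

def iter_tcp(pcap):
    """Yield (src_ip, dst_port, tcp_payload) for every IPv4/TCP frame in an Ethernet pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        src_ip = ".".join(str(b) for b in frame[26:30])
        yield src_ip, struct.unpack("!H", tcp[2:4])[0], tcp[(tcp[12] >> 4) * 4:]

def helo_names_by_source(pcap, problem_ip=None, port=25):
    """Like the page's display filter: HELO/EHLO names per source IP for traffic to `port`."""
    seen = defaultdict(set)
    for src_ip, dst_port, payload in iter_tcp(pcap):
        if dst_port != port or (problem_ip and src_ip != problem_ip):
            continue  # only sessions the problem host initiates towards the mail port
        for m in HELO_RE.finditer(payload):
            seen[src_ip].add(m.group(2).decode("ascii", "replace"))
    return {ip: sorted(names) for ip, names in seen.items()}

# --- constructed sample capture (not a real trace); checksums are left at zero ---
def _frame(src_ip, dst_ip, dst_port, payload):
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([
    _frame("192.0.2.10", "198.51.100.5", 25, b"EHLO bot-host.example\r\n"),
    _frame("192.0.2.10", "203.0.113.7", 25, b"HELO bot-host.example\r\n"),
    _frame("192.0.2.20", "198.51.100.5", 25, b"EHLO mail.example.net\r\n"),
    _frame("192.0.2.30", "198.51.100.5", 80, b"GET / HTTP/1.0\r\n\r\n"),
])
if __name__ == "__main__":
    print(helo_names_by_source(SAMPLE_PCAP, problem_ip="192.0.2.10"))
```

Pass the bytes of a saved capture (read the file in binary mode) instead of SAMPLE_PCAP to run it against real traffic; the HTTP frame in the sample shows that traffic to other ports is ignored.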