Spamhaus Project: IP and Domain Reputation Checker

How can packet sniffing help find the problem?


For experienced administrators, a packet sniffer is a useful tool for tracking down undesired network traffic. Its key feature is that it captures data as it flows across the network and makes it available for review. Many such tools are available, both paid and free of charge.

  • Wireshark and tcpdump are free of charge. A web search for “packet sniffer” or “network sniffer” will find many other options.

Some Wireshark usage suggestions to help track unwanted traffic to port 25

  • Capture filter – set to: port 25
  • Display filter – set to: smtp.req.command == "HELO" or smtp.req.command == "EHLO"
  • If the exact HELO string to look for is known: (smtp.req.command == "HELO" or smtp.req.command == "EHLO") and (smtp.req.parameter contains "[HELO string]")

NOTE: Ensure that the above is adjusted so it only applies to sessions initiated from the problem IP, not to sessions going to that IP.

This may work:

  • ip.src == "insert problem IP"

If the captured packets are carefully reviewed for anomalies, it should be possible to identify where they are coming from.
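The same filtering logic as the Wireshark display filters above, applied offline to a small set of constructed packet records, as an added example that is not part of the Spamhaus FAQ. The Packet record, the helper names and the RFC 5737 sample addresses are all assumptions made for the illustration; the result is a per-source tally of outbound HELO/EHLO commands, optionally restricted to one problem IP and to a known HELO string.

```python
from collections import Counter
from typing import Iterable, NamedTuple, Optional, Tuple

SMTP_PORT = 25


class Packet(NamedTuple):
    """Minimal view of a captured TCP segment (hypothetical record, not Wireshark's)."""
    src: str        # source IPv4 address (ip.src)
    dst: str        # destination IPv4 address (ip.dst)
    dport: int      # destination TCP port (tcp.dstport)
    payload: bytes  # raw TCP payload carrying the SMTP command line


def smtp_request(payload: bytes) -> Optional[Tuple[str, str]]:
    """Split the first SMTP command line into (command, parameter), mirroring
    Wireshark's smtp.req.command / smtp.req.parameter. None if not a command line."""
    line = payload.split(b"\r\n", 1)[0]
    if not line:
        return None
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    cmd, _, param = text.partition(" ")
    return cmd.upper(), param.strip()


def helo_senders(packets: Iterable[Packet], problem_ip: Optional[str] = None,
                 helo_contains: Optional[str] = None) -> Counter:
    """Count HELO/EHLO commands per source IP, i.e. the display filter
    (smtp.req.command == "HELO" or smtp.req.command == "EHLO")
    [and ip.src == problem_ip] [and smtp.req.parameter contains helo_contains]
    over a capture already limited to port 25."""
    hits: Counter = Counter()
    for p in packets:
        if p.dport != SMTP_PORT:          # capture filter: port 25, outbound leg only
            continue
        if problem_ip is not None and p.src != problem_ip:  # sessions FROM the IP
            continue
        req = smtp_request(p.payload)
        if req is None or req[0] not in ("HELO", "EHLO"):
            continue
        if helo_contains is not None and helo_contains not in req[1]:
            continue
        hits[p.src] += 1
    return hits


# Constructed sample capture using RFC 5737 documentation addresses (not real traffic).
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.25", 25, b"EHLO mail.example.net\r\n"),
    Packet("192.0.2.10", "198.51.100.25", 25, b"MAIL FROM:<a@example.net>\r\n"),
    Packet("192.0.2.77", "198.51.100.25", 25, b"HELO workstation-77\r\n"),
    Packet("192.0.2.77", "203.0.113.9", 25, b"HELO workstation-77\r\n"),
    Packet("198.51.100.25", "192.0.2.77", 52344, b"220 mx ready\r\n"),  # reply, not a request
    Packet("192.0.2.5", "192.0.2.77", 25, b"EHLO laptop\r\n"),            # traffic TO the problem IP
]
```

Running helo_senders(SAMPLE, problem_ip="192.0.2.77") tallies only the two sessions the problem host initiated; the EHLO sent to that host by 192.0.2.5 is excluded, which is the direction check the NOTE above asks for.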


© 2022 Spamhaus. All Rights Reserved.