Let's say you get a notice from your ISP, or somebody has reported some weird activity on the network, and it appears a PC is sending out spam email. How can one use Wireshark, the network capture tool, to figure out which computer the spam is coming from?
WireShark
Some feedback responses to the question.
-
I usually only allow SMTP traffic to flow from one device on a network, the mail server. You are looking for port 25 traffic for SMTP and if you want, you can look for port 110 traffic for POP3 (but you’re probably hunting for the first). Denis Kelley
-
You’ll just want to monitor traffic going out on port 25 tcp, which is what carries SMTP traffic. If you just capture Syslog output from your firewall, it should become apparent which machine’s asking for outbound connections to SMTP servers.
If you’re capturing data, you can restrict the display to just SMTP by clicking on the “expression” button next to the filter. In the screen that results, scroll down to “smtp”, select “==” and click OK. That should only show you SMTP traffic. Any machine that’s not a server authorized to send email should be looked into. David1618
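The two answers above come down to the same check: list every internal host that opens outbound TCP connections to port 25 and flag any that is not the authorized mail server. The script below, added here as an illustration and not part of any poster's reply, runs that check over firewall syslog lines. The log format (an iptables/netfilter-style `SRC= DST= PROTO= DPT=` record), the sample lines and the address of the authorized mail server are all constructed for the example; adjust the regular expression to your own firewall's output.

```python
import re
from collections import defaultdict

# Constructed sample firewall syslog lines (netfilter-like format, made up for
# this example). 192.168.1.10 is the legitimate mail server; 192.168.1.57 is a
# workstation talking SMTP to several outside hosts, which is the spam pattern.
SAMPLE_LOGS = """\
Mar  3 10:01:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=51234 DPT=25 SYN
Mar  3 10:01:03 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=40210 DPT=25 SYN
Mar  3 10:01:03 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.8 PROTO=TCP SPT=40211 DPT=25 SYN
Mar  3 10:01:04 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=40212 DPT=25 SYN
Mar  3 10:01:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.80 PROTO=TCP SPT=49001 DPT=443 SYN
Mar  3 10:01:06 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.110 PROTO=TCP SPT=49002 DPT=110 SYN
Mar  3 10:01:07 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.10 PROTO=UDP SPT=5353 DPT=25
"""

# Assumed: only the mail server may speak SMTP outbound (Denis Kelley's policy).
AUTHORIZED_MAIL_SERVERS = {"192.168.1.10"}
SMTP_PORTS = {25}

# Pulls source, destination, protocol and destination port out of one record.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with src/dst/proto/dpt for a firewall record, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def find_unauthorized_smtp_senders(log_text, authorized=AUTHORIZED_MAIL_SERVERS,
                                   ports=SMTP_PORTS):
    """Map each non-authorized source IP that opened outbound SMTP connections
    to its attempt count and the sorted list of distinct SMTP servers it hit."""
    stats = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        # SMTP rides on TCP; ignore unparseable lines, other protocols and ports.
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] not in ports:
            continue
        if rec["src"] in authorized:
            continue
        stats[rec["src"]]["attempts"] += 1
        stats[rec["src"]]["destinations"].add(rec["dst"])
    return {
        src: {"attempts": s["attempts"], "destinations": sorted(s["destinations"])}
        for src, s in stats.items()
    }


if __name__ == "__main__":
    for src, info in find_unauthorized_smtp_senders(SAMPLE_LOGS).items():
        print(f"{src}: {info['attempts']} SMTP connection(s) to "
              f"{len(info['destinations'])} server(s): {', '.join(info['destinations'])}")
```

A legitimate mail server talks to many destinations too, which is why the authorized list matters more than the raw count; what singles out a compromised workstation is that it is not on that list at all. The equivalent Wireshark display filter, once the capture is taken from a mirror port as described below, is `tcp.dstport == 25 && tcp.flags.syn == 1 && tcp.flags.ack == 0`, which shows only the connection attempts and so lets the source column be read straight off.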
-
In order for WS to work you have to be “capturing” data. If you have it loaded on one workstation, and it’s just a plain-Jane workstation, then all you’re capturing is data from and to that workstation. And since you’re filtering, your results will be pretty much vacant unless you are mailing out of that workstation.
WS needs to be plugged into a port off of the switch that is designated as a monitor port. That port, depending on how it is configured, will be mirroring all of the traffic that is moving through the switch.
You can use a network tap or also an old hub. For some good quick and easy reading go here: http://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_using_an_Ethernet_hub Pete1894