Checking PORT Traffic using Wireshark Ethereal : port, wireshark, windows, traffic

May 17, 2008 02:25am pdt

1. BillBach 10,355
2. RobWill 9,100
3. briancassin 6,000
4. johnb6767 4,600
5. chilternPC 4,000
5. techno-wiz 4,000
7. Chris-Dent 2,750
8. younghv 2,500
8. Kutyi 2,500
10. lrmoore 2,400
11. bbao 2,125
12. and235100 2,100
13. meverest 2,000
13. SPH 2,000
13. Johnjces 2,000
13. jkr 2,000
13. SStory 2,000
13. Chiefoft... 2,000
13. steedBmaher 2,000
13. tlman12 2,000
13. souseran 2,000
13. drexxl 2,000
13. Addihul 2,000
13. Iced-evil 2,000
13. lamaslany 2,000
13. ngailfus 2,000
13. stuartp44 2,000
13. aubertmr 2,000
13. grahamno... 2,000
13. acesover... 2,000
13. theProfessa 2,000
13. markmems 2,000
13. Freya28 2,000
13. DrDave242 2,000
13. Bamit99 2,000
13. Psychotec 2,000
13. dkarpekin 2,000
13. dpk_wal 2,000
13. Alex_AT 2,000
13. evilrix 2,000
13. kevin_uk05 2,000

1. RobWill 95,300
2. lrmoore 74,563
3. adamdrayer 70,785
4. Fatal_Ex... 66,696
5. stevenlewis 59,618
6. Chris-Dent 51,935
7. keith_al... 50,482
8. dragon-it 29,289
9. oBdA 26,002
10. Jay_Jay70 25,524
11. PeteLong 22,548
12. crissand 21,947
13. Netman66 20,812
14. johnb6767 19,997
15. Debsyl99 19,200

10.25.2007 at 04:58AM PDT, ID: 22917232

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.6

Checking PORT Traffic using Wireshark Ethereal

Zones: Internet Protocols, Windows 2003 Server

Tags: port, wireshark, windows, traffic

Hi all,

I'm running Windows 2003 server to provide email (port 110 and port 25) for a couple of domains. I'm experiencing very slow repsonse times from port 25 and someone suggested i used Wiresharks Ethereal to capture the traffic and analyze it. I've done that but for the life of me i dont know what i should be looking for that could represent a problem. Does anyone know of some where i can lookup / translate the captured data into something i can understand....

Thanks
Sean

Start your free trial to view this solution

Question Stats

Zone: Networking

Question Asked By: SeanNij

Solution Provided By: JMazzuca

Participating Experts: 3

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

10.25.2007 at 05:52AM PDT, ID: 20147096

tlbrittain:

With Ethereal it takes a little bit of understanding of how computers work (for example the TCP 3-way handshake). Normally what I would be looking for would be either miscellaneous traffic on ports that are not necessary for the server, if any are found I would attempt to stop the correlating service or shut down the port. Also what you will also want to look at is if the traffic is all legit does it seem to reach out but receive no response back?

10.25.2007 at 06:02AM PDT, ID: 20147177

SeanNij:

"does it seem to reach out but receive no response back"

ke? how would i tell

"ports"

Thats working kewl - i closed some "unused" ports and already there seems to be improvement.

10.25.2007 at 06:11AM PDT, ID: 20147239

JMazzuca:

Normally, when I check port traffic, I use Wireshark in conjunction with NetLimiter (http://netlimiter.com), to see exactly what processes are running, and if disabling each or a combo of them changes (lowers) the captured packets of the TCP streams, you'll know those are the culprits causing traffic. Unless, of course, those are necessary processes that you need, you'll still at least be able to target the causes of the slow-down. I agree with tlbrittain that you'll need to know how the TCP packet transition process works, but I guess in a very basic level, in Wireshark you can watch the TCP throughput via the IO graphs, which represent the packets or bytes sent over time. Just make sure to specifically look at port 25 only, as you will view all protocol streams over multiple ports. You will have to filter the graph just to show TCP on port 25. There is a syntax helper in the IO graph UI.

Accepted Solution

10.25.2007 at 06:13AM PDT, ID: 20147255

tlbrittain:

Over on the right hand side - I believe under info you should see some info that doesn't really make any sense. this portion is the computers talking with one another.

You will want to look for any of the following:
ACK
PSH
SYN
FIN

If you are seeing PSH (Data Push) and are not receiving any ACK (Acknowledgement of connection or receipt of data) then your data is not reaching it's destination. SYN (Syncronize the connection, i.e. sync up) FIN (Finish, close the connection, end transmission) there is also one more and in UNIX it is represented by R (Reset the connection) I do not know how Ethereal represents the traffic.

Assisted Solution

10.25.2007 at 06:17AM PDT, ID: 20147290

tlbrittain:

Is all network connectivity running slow on the Machine? If not then what JMazzuca is saying about only monitoring port 25 would be correct. If you notice that you are experiencing latency with connectivity outside of just e-mail then you will want to just monitor the interface (NIC) and see all the traffic that is hitting it.

10.25.2007 at 09:36PM PDT, ID: 20153168

SeanNij:

I installed Netlimiter monitor and am watching the processes under hexamail (program we use for catching email spam pop etc) and i notice for example that a connection will be made from say 57.68.18.28:15546 as "incoming" and there will be no traffic on it for like a minute at a time - and that connection just remains. In the last 5 minutes there are now 4 connections like that.

In terms of the ACK/PSH etc - I see a lot of FIN/SYN which look okay esp on the pop3 (110) protocol.

Can i assume that these "hang about do nothing" connections are potentials spammers or the like?

10.26.2007 at 09:26AM PDT, ID: 20156960

Andrew_Wallbank:

Within Wireshark there is an option to 'Follow TCP stream'. If you can find an estalished conversation on port 25 or 110, you can follow the TCP stream for that connection and see if there are long delays between packets in and out of the server. If the clients are sending data there should be a pretty constant stream of traffic between server and host. If there are lots of 'hang about' connections, it could be down to the server not releasing the connection successfully.

an example could be, If the clients are ending the conversation with a FIN, your server may have a problem dropping this connection, but if they end with a RST the connection may end. This could be down to hardware on the server.

Assisted Solution

20080236-EE-VQP-29 / EE_QW_2_20070628