Finding Tx/Rx Traffic of specified IP Address!

Hi all,

Recently, we found that there is a performance issue with our email server; it seems there are many emails being sent or received from others. Can I monitor it and know which IP(s) is/are sending or receiving files from the email server? I have tried Sniffer from NAI, but it seems it can only monitor the traffic from the Sniffer machine to the email server! Can anyone help me? Can you give me a detailed way to monitor it?

Regards,
Thomas

p.s. my email server is running under Digital UNIX

thomascyAsked:
lrmooreCommented:
Your Sniffer should have been able to help. I'm assuming that you are connecting to a switch. To use the sniffer on a switch, you need to make that switch port a mirror or monitor port so that all traffic going through that switch is mirrored to the sniffer's port.

Is the server Windows NT/2K? Have you tried the network monitor tools right on the server? You might have to install them first if you don't see them in Admin Tools.
0
thomascyAuthor Commented:
Thanks lrmoore, my email server is running under Digital Unix and Sniffer was installed on W2K! What should I do now? And how can I make a switch port a mirror or monitor port? Can you tell me in detail?

Thanks,
Thomas
0
Steve JenningsIT ManagerCommented:
As lrmoore said, if you are using a switch you'll need to configure a monitor port so that you can see all traffic. An easier way, if you have the hardware, is to put a hub between the mail server and the switch and plug your sniffer into the hub as well. This would be an easy chore for Sniffer: it will show tx/rx packets and bytes by protocol, by source, and by destination. Just click on the bytes or packets column to sort in ascending or descending order.

Good luck.
Steve

0
lrmooreCommented:
We need to know the exact model/brand name of the switch you are using to give detailed instructions.
0
jgarrCommented:
You will also need to verify that your NIC on the sniffer PC is capable of running in promiscuous mode. Otherwise the sniffer will only listen to traffic destined for itself. The switch must also be set to span the port for the email server.  What kind of switch are you using?
0
thomascyAuthor Commented:
Thanks, I am using 4 x 3COM SuperStack 3 3300 series switches to form a stack with 96 ports! What can I do in order to capture the traffic? Should my PC (with Sniffer installed) and the email server be plugged into the same switch?

Thanks to all guys
Thomas
0
Steve JenningsIT ManagerCommented:
Can you get your hands on a hub?

Steve
0
vsamtaniCommented:
Do you have tcpdump on your Unix email server?

If so, use tcpdump to save a log file of the traffic on the interface you're concerned about. The interface doesn't need to be in promiscuous mode, because you're only interested in traffic from / to that interface. You run tcpdump for a while and then analyse the output at leisure.

Vijay
0
Steve JenningsIT ManagerCommented:
With no disrespect intended toward thomascy, Vijay, tcpdump is a little arcane considering the difficulty thomascy is having just getting Sniffer Pro to capture relevant traffic off of a 3Com switch. Unformatted tcpdump output is more than most people - including me - want to deal with.

Thomascy,

1. Plug the Sniffer Pro machine into the same switch as the mail server.
2. Assuming you have the web configuration access tool: click the configuration icon on the side-bar.
3. Click the roving analysis hotlink.
4. Click / select the monitor port - the port that the Sniffer Pro machine is plugged into.
5. Click / select the analysis port - the port that the mail server is plugged into.
6. Click apply.

Now you can start Sniffer Pro and collect all the data that goes into and out of the mail server. Once you've done that, if you need help interpreting the Sniffer Pro results, let us know.

Steve
0
vsamtaniCommented:

I agree that tcpdump's output is arcane, but it's a very standard unix tool, and there's a lot of stuff out there to help analyse it. But if it's easy to make the Windows sniffer work, then go for that, as most of it is in place already.

However, if you want to set up anything that monitors your unix server's interfaces more long-term, I'd still tend towards running tcpdump locally to generate representative samples of traffic for analysis - and maybe also to alert if there are sudden changes in volume. You'd have to keep an eye on the processor and i/o usage, of course, since tcpdump logging is a very good generator of disk usage.

Vijay
0
Steve JenningsIT ManagerCommented:
Fair enough, Vijay. I've used tcpdump but I learned fairly quickly that you need to be able to apply command line filters or you'll chew through a considerable amount of disk space. The main difference between tcpdump and Sniffer Pro is that Sniffer Pro is a protocol analyzer, not just a raw capture utility.

I saw your comment on another post. I also use Ethereal, the poor man's Sniffer Pro.

Steve
0
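Vijay's suggestion (capture on the mail server with tcpdump, then analyse the log at leisure) and Steve's point about filtering so the capture does not chew through disk both come down to the same workflow: capture only the mail server's own traffic, then tally bytes per remote IP. The script below is an added example, not code from either poster. It assumes the capture was written with a host filter and then rendered to text (for example `tcpdump -nn -i <iface> host <mail-server-ip> -w mail.pcap`, then `tcpdump -nn -r mail.pcap > mail.txt`, on a modern libpcap-based tcpdump; the exact options available on Digital UNIX's tcpdump are not covered by the thread), and it parses the common `IP src.port > dst.port: ... length N` line format. The sample lines, the addresses and the `192.0.2.10` mail-server IP are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump text output. 192.0.2.10 plays the mail server;
# the final two lines are there to show that non-packet text and packets that
# do not involve the server are ignored rather than miscounted.
SAMPLE_LINES = """\
10:00:01.000001 IP 192.0.2.10.25 > 198.51.100.7.51234: Flags [P.], seq 1:1461, ack 1, win 512, length 1460
10:00:01.000201 IP 198.51.100.7.51234 > 192.0.2.10.25: Flags [.], ack 1461, win 1024, length 0
10:00:01.001001 IP 203.0.113.44.40000 > 192.0.2.10.25: Flags [P.], seq 1:801, ack 1, win 512, length 800
10:00:01.002001 IP 192.0.2.10.25 > 203.0.113.44.40000: Flags [P.], seq 1:61, ack 801, win 512, length 60
10:00:01.003001 IP 192.0.2.10.25 > 198.51.100.7.51234: Flags [P.], seq 1461:2921, ack 1, win 512, length 1460
10:00:01.004001 IP 198.51.100.7.51234 > 192.0.2.10.25: Flags [P.], seq 1:101, ack 2921, win 1024, length 100
10:00:01.005001 IP 198.51.100.7.53 > 203.0.113.44.5353: UDP, length 40
this line is not a packet record
"""

# Matches "IP <src>.<sport> > <dst>.<dport>: ... length <n>"; the length is the
# payload length tcpdump prints for the packet.
PACKET_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):.*\blength (\d+)"
)


def parse_line(line):
    """Return (src_ip, dst_ip, payload_bytes) for a packet line, else None."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(3), int(m.group(5))


def summarize(lines, server_ip):
    """Tally, per remote IP, bytes the server sent (tx) and received (rx)."""
    stats = defaultdict(lambda: {"tx": 0, "rx": 0, "packets": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, nbytes = parsed
        if src == server_ip:
            peer, direction = dst, "tx"
        elif dst == server_ip:
            peer, direction = src, "rx"
        else:
            continue  # packet does not involve the server; skip it
        stats[peer][direction] += nbytes
        stats[peer]["packets"] += 1
    return dict(stats)


def top_talkers(stats, limit=10):
    """Peers ordered by total bytes exchanged with the server, busiest first."""
    ranked = sorted(stats.items(), key=lambda kv: kv[1]["tx"] + kv[1]["rx"], reverse=True)
    return ranked[:limit]


if __name__ == "__main__":
    # Replace SAMPLE_LINES with open("mail.txt") for a real rendered capture.
    summary = summarize(SAMPLE_LINES.splitlines(), "192.0.2.10")
    print(f"{'peer':<16}{'tx bytes':>10}{'rx bytes':>10}{'packets':>9}")
    for peer, s in top_talkers(summary):
        print(f"{peer:<16}{s['tx']:>10}{s['rx']:>10}{s['packets']:>9}")
```

Sorting by tx plus rx answers the original question directly (which remote hosts move the most data with the server); sorting by packet count instead tends to surface hosts that open many short connections, which is a different symptom worth checking when the byte totals look unremarkable.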
thomascyAuthor Commented:
Thank you Steve,

However, the correct setting will be:
the monitor port  -> the port that the mail server is plugged into
the analysis port -> the port that the sniffer machine is plugged into

Thomas
0
thomascyAuthor Commented:
Thanks all guys!
0