Solved

Finding Tx/Rx Traffic of specified IP Address!

Posted on 2002-07-05
425 Views
Last Modified: 2008-03-06
Hi all,

   Recently, we found that there is a performance issue with our email server; it seems there are many emails being sent or received from others. Can I monitor it and find out which IP(s) is/are sending or receiving files from the email server? I have tried Sniffer from NAI, but it seems it can only monitor the traffic from the Sniffer machine to the email server! Can anyone help me? Can you give me a detailed way to monitor it?

Regards,
Thomas

p.s. my email server is running under Digital UNIX

Question by: thomascy

13 Comments

Expert Comment by: lrmoore (LVL 79)
Your Sniffer should have been able to help. I'm assuming that you are connecting to a switch. To use the sniffer on a switch, you need to make that switch port a mirror or monitor port so that all traffic going through that switch is mirrored to the sniffer's port.

Is the server Windows NT/2K? Have you tried the network monitor tools right on the server? You might have to install them first if you don't see them in Admin Tools.
Author Comment by: thomascy
Thanks lrmoore, my email server is running under Digital Unix and Sniffer was installed on W2K! What should I do now? And how can I make a switch port a mirror or monitor port? Can you tell me in detail?

Thanks,
Thomas
Expert Comment by: SteveJ (LVL 16)
As lrmoore said, if you are using a switch you'll need to configure a monitor port so that you can see all traffic . . . An easier way, if you have the hardware, is to put a hub between the mail server and the switch and plug your sniffer in the hub as well. This would be an easy chore for Sniffer . . . it will show tx/rx packets and bytes by protocol, by source, and by destination. Just click on the bytes or packets column to sort in ascending or descending order.

Good luck.
Steve

Expert Comment by: lrmoore (LVL 79)
We need to know the exact model/brand name of the switch you are using to give detailed instructions.
Expert Comment by: jgarr (LVL 2)
You will also need to verify that the NIC on the sniffer PC is capable of running in promiscuous mode. Otherwise the sniffer will only listen to traffic destined for itself. The switch must also be set to span the port for the email server. What kind of switch are you using?
Author Comment by: thomascy
Thanks, I am using 4 x 3COM SuperStack 3 3300 series switches to form a stack with 96 ports! What can I do in order to capture the traffic? Should my PC (with Sniffer installed) and the email server plug into the same switch?

Thanks to all guys
Thomas

Expert Comment by: SteveJ (LVL 16)
Can you get your hands on a hub?

Steve
Expert Comment by: vsamtani (LVL 5)
Do you have tcpdump on your Unix email server?

If so, use tcpdump to save a log file of the traffic on the interface you're concerned about. The interface doesn't need to be in promiscuous mode, because you're only interested in traffic from / to that interface. You run tcpdump for a while and then analyse the output at leisure.

Vijay
Accepted Solution by: SteveJ (LVL 16), earned 50 total points
With no disrespect intended toward thomascy, vijay, tcpdump is a little arcane considering the difficulty thomascy is having just getting sniffer pro to capture relevant traffic off of a 3com switch. Unformatted tcpdump output is more than most people - including me - want to deal with.

Thomascy,

1. Plug the Sniffer Pro machine into the same switch as the mail server.
2. Assuming you have the web configuration access tool: click the configuration icon on the side-bar.
3. Click the roving analysis hotlink.
4. Click / select the monitor port - the port that the Sniffer Pro machine is plugged into.
5. Click / select the analysis port - the port that the mail server is plugged into.
6. Click apply.

Now you can start Sniffer Pro and collect all the data that goes into and out of the mail server. Once you've done that, if you need help interpreting the Sniffer Pro results, let us know.

Steve
Expert Comment by: vsamtani (LVL 5)

I agree that tcpdump's output is arcane, but it's a very standard unix tool, and there's a lot of stuff out there to help analyse it. But if it's easy to make the Windows sniffer work, then go for that, as most of it is in place already.

However, if you want to set up anything that monitors your unix server's interfaces more long-term, I'd still tend towards running tcpdump locally to generate representative samples of traffic for analysis - and maybe also to alert if there are sudden changes in volume. You'd have to keep an eye on the processor and i/o usage, of course, since tcpdump logging is a very good generator of disk usage.

Vijay
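As an added worked example (not code from any poster on this thread) of the "analyse the output at leisure" step Vijay describes: the script below parses the text form of `tcpdump -nn` output and totals bytes sent and received per remote IP, which is the Tx/Rx-per-address view the question asks for. The sample lines are constructed, with 192.168.1.10 assumed to be the mail server; a `host` filter on the capture keeps the log to the server's own traffic so disk usage stays bounded.

```python
import re
from collections import defaultdict

# Constructed sample in the text format of:
#   tcpdump -nn -i <iface> host 192.168.1.10 -w mail.pcap
#   tcpdump -nn -r mail.pcap > mail.txt
# (not a real capture). "length" is the TCP payload size per packet.
SAMPLE = """\
12:00:01.000100 IP 10.0.0.5.40001 > 192.168.1.10.25: Flags [P.], seq 1:121, ack 1, win 502, length 120
12:00:01.000200 IP 192.168.1.10.25 > 10.0.0.5.40001: Flags [P.], seq 1:41, ack 121, win 510, length 40
12:00:01.000300 IP 10.0.0.7.40002 > 192.168.1.10.25: Flags [P.], seq 1:5001, ack 1, win 502, length 5000
12:00:01.000400 IP 192.168.1.10.25 > 10.0.0.7.40002: Flags [.], ack 5001, win 510, length 0
12:00:01.000500 IP 192.168.1.10.45000 > 203.0.113.9.25: Flags [P.], seq 1:3001, ack 1, win 502, length 3000
12:00:01.000600 IP 10.0.0.5.40001 > 192.168.1.10.25: Flags [.], ack 41, win 502, length 0
"""

# src-ip.port > dst-ip.port: ... length N   (IPv4 only, as in the sample)
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: .*length (\d+)")


def tx_rx_by_peer(text, server_ip):
    """Return {peer_ip: {"tx": bytes the server sent to the peer,
                         "rx": bytes the server received from it,
                         "pkts": packets seen in either direction}}.
    Lines that do not match (ARP, malformed, non-IPv4) are skipped."""
    totals = defaultdict(lambda: {"tx": 0, "rx": 0, "pkts": 0})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, length = m.group(1), m.group(2), int(m.group(3))
        if src == server_ip:            # server -> peer: transmit
            totals[dst]["tx"] += length
            totals[dst]["pkts"] += 1
        elif dst == server_ip:          # peer -> server: receive
            totals[src]["rx"] += length
            totals[src]["pkts"] += 1
    return dict(totals)


def top_talkers(text, server_ip, n=5):
    """Peers ranked by total bytes exchanged with the server, busiest first."""
    stats = tx_rx_by_peer(text, server_ip)
    return sorted(stats.items(),
                  key=lambda kv: kv[1]["tx"] + kv[1]["rx"], reverse=True)[:n]


if __name__ == "__main__":
    for ip, s in top_talkers(SAMPLE, "192.168.1.10"):
        print(f"{ip:16} tx={s['tx']:8d} rx={s['rx']:8d} pkts={s['pkts']}")
```

Run it against a real `mail.txt` by replacing SAMPLE with the file contents; the ranking points at the addresses moving the most mail in either direction.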
Expert Comment by: SteveJ (LVL 16)
Fair enough, Vijay. I've used tcpdump, but I learned fairly quickly that you need to be able to apply command line filters or you'll chew through a considerable amount of disk space. The main difference between tcpdump and Sniffer Pro is that Sniffer Pro is a protocol analyzer, not just a raw capture utility.

I saw your comment on another post . . . I also use ethereal, the poor man's sniffer pro.

Steve
Author Comment by: thomascy
Thank you Steve,

However, the correct setting will be:
the monitor port  -> the port that the mail server is plugged into
the analysis port -> the port that the sniffer machine is plugged into

Thomas
Author Comment by: thomascy
Thanks all guys!