Solved

Finding Tx/Rx Traffic of specified IP Address!

Posted on 2002-07-05
13
Medium Priority
438 Views
Last Modified: 2008-03-06
Hi all,

   Recently, we found that there is a performance issue with our email server. It seems there are many emails being sent or received from the others. Can I monitor it and know which IP(s) is/are sending or receiving files from the email server?.. I have tried Sniffer from NAI, but it seems it can only monitor the traffic from the Sniffer machine to the email server!... Can anyone help me!? Can you leave me a detailed way to monitor it?..

Regards,
Thomas

p.s. my email server is running under Digital UNIX

Question by:thomascy
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7132346
Your Sniffer should have been able to help. I'm assuming that you are connecting to a switch. To use the sniffer on a switch, you need to make that switch port a mirror or monitor port so that all traffic going through that switch is mirrored to the sniffer's port.

Is the server Windows NT/2K? Have you tried the network monitor tools right on the server? You might have to install them first if you don't see them in Admin Tools.
0
 

Author Comment

by:thomascy
ID: 7132558
Thanks lrmoore, my email server is running under Digital Unix and Sniffer was installed on W2K!.. What should I do now?.. And how can I make a switch port a mirror or monitor port?... Can you tell me in detail?...

Thanks,
Thomas
0
 
LVL 16

Expert Comment

by:Steve Jennings
ID: 7132565
As lrmoore said, if you are using a switch you'll need to configure a monitor port so that you can see all traffic . . . An easier way, if you have the hardware, is to put a hub between the mail server and the switch and plug your sniffer in the hub as well. This would be an easy chore for Sniffer . . . it will show tx/rx packets and bytes by protocol, by source, and by destination. Just click on the bytes or packets column to sort in ascending or descending order.

Good luck.
Steve

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7132623
We need to know the exact model/brand name of the switch you are using to give detailed instructions.
0
 
LVL 2

Expert Comment

by:jgarr
ID: 7132690
You will also need to verify that your NIC on the sniffer PC is capable of running in promiscuous mode. Otherwise the sniffer will only listen to traffic destined for itself. The switch must also be set to span the port for the email server.  What kind of switch are you using?
0
 

Author Comment

by:thomascy
ID: 7133850
Thanks, I am using 4 x 3COM SuperStack 3 3300 series switches to form a stack with 96 ports! What can I do in order to capture the traffic? Should my PC (with Sniffer installed) and the email server be plugged into the same switch?..

Thanks to all guys
Thomas
0
 
LVL 16

Expert Comment

by:Steve Jennings
ID: 7133932
Can you get your hands on a hub?

Steve
0
 
LVL 5

Expert Comment

by:vsamtani
ID: 7140764
Do you have tcpdump on your Unix email server?

If so, use tcpdump to save a log file of the traffic on the interface you're concerned about. The interface doesn't need to be in promiscuous mode, because you're only interested in traffic from / to that interface. You run tcpdump for a while and then analyse the output at leisure.

Vijay
0
 
LVL 16

Accepted Solution

by: Steve Jennings (earned 200 total points)
ID: 7141018
With no disrespect intended toward thomascy, Vijay, tcpdump is a little arcane considering the difficulty thomascy is having just getting Sniffer Pro to capture relevant traffic off of a 3Com switch. Unformatted tcpdump output is more than most people - including me - want to deal with.

Thomascy,

1. Plug the Sniffer Pro machine into the same switch as the mail server.
2. Assuming you have the web configuration access tool: click the configuration icon on the side-bar.
3. Click the roving analysis hotlink.
4. Click / select the monitor port - the port that the Sniffer Pro machine is plugged into.
5. Click / select the analysis port - the port that the mail server is plugged into.
6. Click apply.

Now you can start Sniffer Pro and collect all the data that goes into and out of the mail server. Once you've done that, if you need help interpreting the Sniffer Pro results, let us know.

Steve
0
 
LVL 5

Expert Comment

by:vsamtani
ID: 7141033

I agree that tcpdump's output is arcane, but it's a very standard Unix tool, and there's a lot of stuff out there to help analyse it. But if it's easy to make the Windows sniffer work, then go for that, as most of it is in place already.

However, if you want to set up anything that monitors your Unix server's interfaces more long-term, I'd still tend towards running tcpdump locally to generate representative samples of traffic for analysis - and maybe also to alert if there are sudden changes in volume. You'd have to keep an eye on the processor and I/O usage, of course, since tcpdump logging is a very good generator of disk usage.

Vijay
0
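A worked illustration of Vijay's tcpdump suggestion (both comments above), added here as an example and not posted by anyone in the thread: capture only mail traffic on the server's own interface, then tally tx/rx bytes per remote IP from the quiet-mode text output. The interface name, server address and sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from any poster): log traffic on the mail server's own
# interface with tcpdump, then tally tx/rx bytes per remote IP from the text
# output. Interface name and address are constructed placeholders; on Digital
# UNIX use `netstat -i` to find the real ones.
MAIL_IF="tu0"
MAIL_IP="192.0.2.10"

# Capture only mail-related traffic to/from this host into a file (needs root
# and tcpdump installed; not run here). The filter keeps the log small on disk.
capture_mail_traffic() {
    tcpdump -nn -i "$MAIL_IF" -w mail.pcap \
        "host $MAIL_IP and (port 25 or port 110 or port 143)"
}

# Read `tcpdump -nn -q -r mail.pcap` text on stdin and print one line per peer:
# "peer tx_bytes rx_bytes total" from the mail server's ($1) point of view,
# sorted by total. Handles both the old "src > dst: tcp N" and the newer
# "IP src > dst: tcp N" quiet formats; lines not involving $1 are ignored.
summarize_peers() {
    awk -v me="$1" '
        function host(a) { sub(/:$/, "", a); sub(/\.[0-9]+$/, "", a); return a }
        {
            src = ""; dst = ""
            for (i = 2; i < NF; i++)
                if ($i == ">") { src = host($(i-1)); dst = host($(i+1)) }
            if (src == "" || dst == "") next
            len = $NF + 0
            if (src == me)      { tx[dst] += len; seen[dst] = 1 }
            else if (dst == me) { rx[src] += len; seen[src] = 1 }
        }
        END { for (p in seen) printf "%s %d %d %d\n", p, tx[p]+0, rx[p]+0, tx[p]+rx[p] }
    ' | sort -k4,4nr
}

# Constructed sample of tcpdump -q output so the script runs stand-alone.
SAMPLE='12:00:01.000001 IP 10.0.0.5.34567 > 192.0.2.10.25: tcp 1200
12:00:01.000002 IP 192.0.2.10.25 > 10.0.0.5.34567: tcp 40
12:00:02.000003 IP 192.0.2.10.40001 > 203.0.113.7.25: tcp 5000
12:00:02.000004 IP 203.0.113.7.25 > 192.0.2.10.40001: tcp 60
12:00:03.000005 IP 10.0.0.5.34568 > 192.0.2.10.25: tcp 800
12:00:04.000006 IP 198.51.100.9.53 > 10.0.0.5.40000: UDP, length 90'

printf '%s\n' "$SAMPLE" | summarize_peers "$MAIL_IP"
```

The peer at the top of the list is the one moving the most bytes through the mail server; a sudden change in that ordering between runs is the "change in volume" worth alerting on.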
 
LVL 16

Expert Comment

by:Steve Jennings
ID: 7141047
Fair enough, Vijay. I've used tcpdump but I learned fairly quickly that you need to be able to apply command line filters or you'll chew through a considerable amount of disk space. The main difference between tcpdump and Sniffer Pro is that Sniffer Pro is a protocol analyzer, not just a raw capture utility.

I saw your comment on another post . . . I also use Ethereal, the poor man's Sniffer Pro.

Steve
0
 

Author Comment

by:thomascy
ID: 7142631
Thank you Steve,

However, the correct setting will be:
the monitor port  -> the port that the mail server is plugged into
the analysis port -> the port that the sniffer machine is plugged into

Thomas
0
 

Author Comment

by:thomascy
ID: 7142632
Thanks all guys!
0