Solved

Finding Tx/Rx Traffic of specified IP Address!

Posted on 2002-07-05
Last Modified: 2008-03-06
Hi all,

   Recently, we found that there is a performance issue on our email server; it seems there are many emails being sent or received from others. Can I monitor it and know which IP(s) is/are sending or receiving files from the email server?.. I have tried Sniffer from NAI, but it seems it can only monitor the traffic from the Sniffer machine to the email server!... Can anyone help me!? Can you leave me a detailed way to monitor it?..

Regards,
Thomas

p.s. my email server is running under Digital UNIX

0
Question by:thomascy
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7132346
Your Sniffer should have been able to help. I'm assuming that you are connecting to a switch. To use the sniffer on a switch, you need to make that switch port a mirror or monitor port so that all traffic going through that switch is mirrored to the sniffer's port.

Is the server Windows NT/2K ? Have you tried the network monitor tools right on the server? You might have to install them first if you don't see it in Admin Tools
0
 

Author Comment

by:thomascy
ID: 7132558
Thanks lrmoore, my email server is running under Digital Unix and Sniffer was installed on W2K!.. What should I do now?.. And how can I make a switch port a mirror or monitor port?...Can you tell me in detail?...

Thanks,
Thomas
0
 
LVL 16

Expert Comment

by:SteveJ
ID: 7132565
As lrmoore said, if you are using a switch you'll need to configure a monitor port so that you can see all traffic . . . An easier way, if you have the hardware, is to put a hub between the mail server and the switch and plug your sniffer in the hub as well. This would be an easy chore for Sniffer . . . it will show tx/rx packets and bytes by protocol, by source, and by destination. Just click on the bytes or packets column to sort in ascending or descending order.

Good luck.
Steve

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7132623
We need to know the exact model/brand name of the switch you are using to give detailed instructions.
0
 
LVL 2

Expert Comment

by:jgarr
ID: 7132690
You will also need to verify that the NIC on the sniffer PC is capable of running in promiscuous mode. Otherwise the sniffer will only listen to traffic destined for itself. The switch must also be set to span the port for the email server. What kind of switch are you using?
0
 

Author Comment

by:thomascy
ID: 7133850
Thanks, I am using 4 x 3COM SuperStack 3 3300 series switches to form a stack with 96 ports! what can I do in order to capture the traffic! Should my PC (installed Sniffer) and email server plug into the same switch?..

Thanks to all guys
Thomas

0
 
LVL 16

Expert Comment

by:SteveJ
ID: 7133932
Can you get your hands on a hub?

Steve
0
 
LVL 5

Expert Comment

by:vsamtani
ID: 7140764
Do you have tcpdump on your Unix email server?

If so, use tcpdump to save a log file of the traffic on the interface you're concerned about. The interface doesn't need to be in promiscuous mode, because you're only interested in traffic from / to that interface. You run tcpdump for a while and then analyse the output at leisure.

Vijay
0
 
LVL 16

Accepted Solution

by:
SteveJ earned 200 total points
ID: 7141018
With no disrespect intended toward thomascy, Vijay, tcpdump is a little arcane considering the difficulty thomascy is having just getting Sniffer Pro to capture relevant traffic off of a 3Com switch. Unformatted tcpdump output is more than most people - including me - want to deal with.

Thomascy,

1. Plug the Sniffer Pro machine into the same switch as the mail server.
2. Assuming you have the web configuration access tool: click the configuration icon on the side-bar
3. Click the roving analysis hotlink
4. Click / select the monitor port - the port that the Sniffer Pro machine is plugged into
5. Click / select the analysis port - the port that the mail server is plugged into
6. Click apply

Now you can start Sniffer Pro and collect all the data that goes into and out of the mail server. Once you've done that, if you need help interpreting the Sniffer Pro results, let us know.

Steve
0
 
LVL 5

Expert Comment

by:vsamtani
ID: 7141033
I agree that tcpdump's output is arcane, but it's a very standard Unix tool, and there's a lot of stuff out there to help analyse it. But if it's easy to make the Windows sniffer work, then go for that, as most of it is in place already.

However, if you want to set up anything that monitors your Unix server's interfaces more long-term, I'd still tend towards running tcpdump locally to generate representative samples of traffic for analysis - and maybe also to alert if there are sudden changes in volume. You'd have to keep an eye on the processor and I/O usage, of course, since tcpdump logging is a very good generator of disk usage.

Vijay
0
 
LVL 16

Expert Comment

by:SteveJ
ID: 7141047
Fair enough, Vijay. I've used tcpdump but I learned fairly quickly that you need to be able to apply command line filters or you'll chew through a considerable amount of disk space. The main difference between tcpdump and Sniffer Pro is that Sniffer Pro is a protocol analyzer, not just a raw capture utility.

I saw your comment on another post . . . I also use ethereal, the poor man's sniffer pro.

Steve
0
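Vijay's suggestion of running tcpdump locally on the mail server and analysing the log at leisure, together with Steve's point that you need a capture filter to keep the disk usage down, can be turned into a small script. The following is an added example and not code from anyone in this thread. It assumes the capture was taken on the server in text form with a port filter, along the lines of `tcpdump -n -i <interface> 'port 25' > mail-traffic.log` (a binary capture made with `-w` can be turned back into the same text with `tcpdump -n -r file`), and that the server's own address is known; the server IP, interface name and the log lines below are all constructed for the example. It tallies, per remote host, how many packets and payload bytes went to the server (Rx) and came from it (Tx), which is exactly the "which IP(s) is/are sending or receiving" view the question asks for, and adds the volume-change check Vijay mentioned.

```python
"""Summarise tcpdump text output for a mail server: which peers send and receive the most.

Added example (not from the thread). Assumes a text capture taken on the server, e.g.
    tcpdump -n -i tu0 'port 25' > mail-traffic.log      # 'tu0' is a hypothetical interface name
and that SERVER_IP is the mail server's own address.
"""
import re
from collections import defaultdict

SERVER_IP = "192.0.2.25"  # constructed: the mail server's address

# Constructed sample of `tcpdump -n` output. "length N" is the TCP payload size in bytes.
# One deliberately unparseable line is included to show that junk is skipped, not fatal.
SAMPLE_LOG = """\
10:00:01.000001 IP 198.51.100.7.43210 > 192.0.2.25.25: Flags [P.], seq 1:1201, ack 1, win 512, length 1200
10:00:01.000200 IP 192.0.2.25.25 > 198.51.100.7.43210: Flags [P.], seq 1:41, ack 1201, win 512, length 40
10:00:02.000001 IP 203.0.113.9.51000 > 192.0.2.25.25: Flags [P.], seq 1:9001, ack 1, win 512, length 9000
10:00:02.500000 IP 192.0.2.25.38000 > 198.51.100.7.25: Flags [P.], seq 1:3001, ack 1, win 512, length 3000
10:00:03.000000 IP 203.0.113.9.51000 > 192.0.2.25.25: Flags [.], ack 41, win 512, length 0
10:00:03.000500 IP 203.0.113.9.51001 > 192.0.2.25.25: Flags [S], seq 0, win 65535, length 0
this line is not tcpdump output and must be ignored
"""

# Matches "<time> IP <src>.<sport> > <dst>.<dport>: ... length <n>" as printed by tcpdump -n for TCP.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*?length (?P<len>\d+)"
)


def parse_lines(text):
    """Yield (src_ip, dst_ip, payload_bytes) for every line that looks like a tcpdump TCP record."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["len"])


def peer_totals(text, server_ip=SERVER_IP):
    """Per-peer packet and byte counters from the server's point of view.

    rx = peer -> server, tx = server -> peer. Lines that do not involve the server
    (unexpected when capturing on the server's own interface) are ignored.
    """
    totals = defaultdict(lambda: {"rx_pkts": 0, "rx_bytes": 0, "tx_pkts": 0, "tx_bytes": 0})
    for src, dst, length in parse_lines(text):
        if dst == server_ip:
            totals[src]["rx_pkts"] += 1
            totals[src]["rx_bytes"] += length
        elif src == server_ip:
            totals[dst]["tx_pkts"] += 1
            totals[dst]["tx_bytes"] += length
    return dict(totals)


def top_talkers(text, n=5, key="rx_bytes", server_ip=SERVER_IP):
    """Peers sorted by one counter (default: bytes received by the server), largest first."""
    totals = peer_totals(text, server_ip)
    return sorted(totals.items(), key=lambda kv: kv[1][key], reverse=True)[:n]


def total_bytes(text, server_ip=SERVER_IP):
    """Total payload bytes in and out of the server, for comparing capture windows."""
    return sum(t["rx_bytes"] + t["tx_bytes"] for t in peer_totals(text, server_ip).values())


def volume_alert(current_bytes, baseline_bytes, factor=3.0):
    """True when volume moved by more than `factor` in either direction versus a baseline window."""
    if baseline_bytes == 0:
        return current_bytes > 0
    ratio = current_bytes / baseline_bytes
    return ratio > factor or ratio < 1 / factor


if __name__ == "__main__":
    for ip, t in top_talkers(SAMPLE_LOG):
        print(f"{ip:>15}  rx {t['rx_pkts']:3d} pkts {t['rx_bytes']:7d} B   tx {t['tx_pkts']:3d} pkts {t['tx_bytes']:7d} B")
    print("total bytes:", total_bytes(SAMPLE_LOG))
```

Run it against a real log with `peer_totals(open("mail-traffic.log").read(), server_ip="<your server IP>")`; sorting by `tx_bytes` instead shows who the server is pushing the most mail to, and comparing `total_bytes()` of an hourly capture with a known-quiet baseline via `volume_alert()` gives the simple change alert Vijay describes. Note that tcpdump's `length` field counts TCP payload only, so the numbers are a little lower than what Sniffer Pro reports for the same packets.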
 

Author Comment

by:thomascy
ID: 7142631
Thank you Steve,

However, the correct setting will be:
the monitor port  -> the port that the mail server is plugged into
the analysis port -> the port that the sniffer machine is plugged into

Thomas
0
 

Author Comment

by:thomascy
ID: 7142632
Thanks all guys!
0
