Solved

Finding Tx/Rx Traffic of specified IP Address!

Posted on 2002-07-05
Last Modified: 2008-03-06
Hi all,

   Recently, we found that there is a performance issue with our email server; it seems there are many emails being sent or received from the others. Can I monitor it and know which IP(s) is/are sending or receiving files from the email server? I have tried Sniffer from NAI, but it seems it can only monitor the traffic from the Sniffer machine to the email server! Can anyone help me? Can you leave me a detailed way to monitor it?

Regards,
Thomas

p.s. my email server is running under Digital UNIX

Question by:thomascy
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7132346
Your Sniffer should have been able to help. I'm assuming that you are connecting to a switch. To use the sniffer on a switch, you need to make that switch port a mirror or monitor port so that all traffic going through that switch is mirrored to the sniffer's port.

Is the server Windows NT/2K ? Have you tried the network monitor tools right on the server? You might have to install them first if you don't see it in Admin Tools
 

Author Comment

by:thomascy
ID: 7132558
Thanks lrmoore, my email server is running under Digital Unix and Sniffer was installed on W2K! What should I do now? And how can I make a switch port a mirror or monitor port? Can you tell me in detail?

Thanks,
Thomas
 
LVL 16

Expert Comment

by:SteveJ
ID: 7132565
As lrmoore said, if you are using a switch you'll need to configure a monitor port so that you can see all traffic . . . An easier way, if you have the hardware, is to put a hub between the mail server and the switch and plug your sniffer in the hub as well. This would be an easy chore for Sniffer . . . it will show tx/rx packets and bytes by protocol, by source, and by destination. Just click on the bytes or packets column to sort in ascending or descending order.

Good luck.
Steve

 
LVL 79

Expert Comment

by:lrmoore
ID: 7132623
We need to know the exact model/brand name of the switch you are using to give detailed instructions.
 
LVL 2

Expert Comment

by:jgarr
ID: 7132690
You will also need to verify that your NIC on the sniffer PC is capable of running in promiscuous mode. Otherwise the sniffer will only listen to traffic destined for itself. The switch must also be set to span the port for the email server.  What kind of switch are you using?
 

Author Comment

by:thomascy
ID: 7133850
Thanks, I am using 4 x 3COM SuperStack 3 3300 series switches to form a stack with 96 ports! What can I do in order to capture the traffic? Should my PC (with Sniffer installed) and the email server plug into the same switch?

Thanks to all guys
Thomas



 
LVL 16

Expert Comment

by:SteveJ
ID: 7133932
Can you get your hands on a hub?

Steve
 
LVL 5

Expert Comment

by:vsamtani
ID: 7140764
Do you have tcpdump on your Unix email server?

If so, use tcpdump to save a log file of the traffic on the interface you're concerned about. The interface doesn't need to be in promiscuous mode, because you're only interested in traffic from / to that interface. You run tcpdump for a while and then analyse the output at leisure.

Vijay
 
LVL 16

Accepted Solution

by:
SteveJ earned 200 total points
ID: 7141018
With no disrespect intended toward thomascy, Vijay, tcpdump is a little arcane considering the difficulty thomascy is having just getting Sniffer Pro to capture relevant traffic off of a 3Com switch. Unformatted tcpdump output is more than most people - including me - want to deal with.

Thomascy,

1. Plug the Sniffer Pro machine into the same switch as the mail server.
2. Assuming you have the web configuration access tool: click the configuration icon on the side-bar.
3. Click the roving analysis hotlink.
4. Click / select the monitor port - the port that the Sniffer Pro machine is plugged into.
5. Click / select the analysis port - the port that the mail server is plugged into.
6. Click apply.

Now you can start Sniffer Pro and collect all the data that goes into and out of the mail server. Once you've done that, if you need help interpreting the Sniffer Pro results let us know.

Steve
 
LVL 5

Expert Comment

by:vsamtani
ID: 7141033

I agree that tcpdump's output is arcane, but it's a very standard unix tool, and there's a lot of stuff out there to help analyse it. But if it's easy to make the Windows sniffer work, then go for that, as most of it is in place already.

However, if you want to set up anything that monitors your unix server's interfaces more long-term, I'd still tend towards running tcpdump locally to generate representative samples of traffic for analysis - and maybe also to alert if there are sudden changes in volume. You'd have to keep an eye on the processor and i/o usage, of course, since tcpdump logging is a very good generator of disk usage.

Vijay
 
LVL 16

Expert Comment

by:SteveJ
ID: 7141047
Fair enough, Vijay. I've used tcpdump but I learned fairly quickly that you need to be able to apply command line filters or you'll chew through a considerable amount of disk space. The main difference between tcpdump and Sniffer Pro is that Sniffer Pro is a protocol analyzer, not just a raw capture utility.

I saw your comment on another post . . . I also use ethereal, the poor man's sniffer pro.

Steve
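The two tcpdump points above (Vijay's: capture locally on the Unix mail server and analyse later; Steve's: use a capture filter or the log eats the disk) can be put together in one small script. This is an added example and not part of anyone's post in this thread. The interface name tu0 and the server address 192.0.2.10 are assumptions, and the tcpdump lines fed to the summariser are constructed sample output, not a real capture; it only needs sh, awk and sort, so it runs on an old Unix box as well as a modern one.

```shell
#!/bin/sh
# Added example (not from the thread): turn a tcpdump text log taken on the
# mail server into a per-peer table of bytes received / bytes sent, so the
# remote IPs that generate the most mail traffic stand out.
#
# Capture on the Digital UNIX server itself, as root (interface tu0 and the
# server address 192.0.2.10 are assumptions; `netstat -i` lists your interfaces):
#
#   tcpdump -n -i tu0 'host 192.0.2.10 and (port 25 or port 110)' > /var/tmp/mail.log
#
# -n stops tcpdump doing a DNS lookup per packet (extra load and extra traffic
# on an already busy box), and the host/port filter keeps only mail traffic so
# the log does not fill the disk. Then:  summarize < /var/tmp/mail.log

MAILSERVER="192.0.2.10"   # assumption: the mail server's own address

# Constructed sample of tcpdump text output. The first lines use the classic
# "P 1:1461(1460)" form printed by older tcpdump builds, the last one the newer
# "length N" form; the summariser reads the payload size from either.
sample_log() {
    cat <<'EOF'
tcpdump: listening on tu0
12:00:01.000000 203.0.113.7.1025 > 192.0.2.10.25: P 1:1461(1460) ack 1 win 8760
12:00:01.100000 192.0.2.10.25 > 203.0.113.7.1025: P 1:61(60) ack 1461 win 8760
12:00:02.000000 203.0.113.7.1025 > 192.0.2.10.25: P 1461:2921(1460) ack 61 win 8760
12:00:03.000000 198.51.100.4.2000 > 192.0.2.10.110: P 1:21(20) ack 1 win 8760
12:00:03.100000 192.0.2.10.110 > 198.51.100.4.2000: P 1:501(500) ack 21 win 8760
12:00:04.000000 198.51.100.4.2000 > 192.0.2.10.110: . ack 501 win 8760
12:00:05.000000 IP 203.0.113.7.1026 > 192.0.2.10.25: Flags [P.], seq 1:101, ack 1, win 8760, length 100
EOF
}

# Read tcpdump lines on stdin; print "peer bytes_from_peer bytes_to_peer total",
# busiest peer first. Packets with no payload (bare ACKs) count as 0 bytes, and
# lines without a "src > dst:" pair (tcpdump's own banner) are ignored.
summarize() {
    awk -v me="$MAILSERVER" '
    {
        # locate the "src > dst:" pair whatever the leading fields look like
        src = ""; dst = ""
        for (i = 2; i < NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
        if (src == "") next
        sub(/:$/, "", dst)
        sub(/\.[0-9]+$/, "", src)      # drop the port: host.port -> host
        sub(/\.[0-9]+$/, "", dst)

        # payload length: "(N)" in the seq field, or "length N" in newer output
        len = 0
        if (match($0, /\([0-9]+\)/))         len = substr($0, RSTART + 1, RLENGTH - 2) + 0
        else if (match($0, /length [0-9]+/)) len = substr($0, RSTART + 7, RLENGTH - 7) + 0

        if (src == me)      { tx[dst] += len; seen[dst] = 1 }   # server -> peer
        else if (dst == me) { rx[src] += len; seen[src] = 1 }   # peer -> server
    }
    END {
        for (p in seen) printf "%s %d %d %d\n", p, rx[p], tx[p], rx[p] + tx[p]
    }' | sort -k4,4nr
}

# Run the summariser over the constructed sample.
top_talkers() {
    sample_log | summarize
}

top_talkers
```

Because the filter names the server's own address, the interface does not have to be promiscuous, which is the same reason a local capture needs no mirror port. If you would rather look at the packets in Ethereal afterwards, write the capture in binary with `tcpdump -w file` instead of redirecting text, and keep the same filter so the file stays small.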
 

Author Comment

by:thomascy
ID: 7142631
Thank you Steve,

However, the correct setting will be :
the monitor port  -> the port that the mail server plugged into
the analysis port -> the port that sniffer machine plugged into

Thomas
 

Author Comment

by:thomascy
ID: 7142632
Thanks all guys!