Using Wireshark to sniff packets to analyze a potential mail server issue

We are trying to get to the bottom of a mail delivery issue we have.
In our ISP spam filter log we get the following in the log file:
------------------------------
03-16-11 15:45:31:484 -- (6236) Connection from: 195.41.46.231  -  Originating country : Denmark
03-16-11 15:45:31:546 -- (6236) Received MAIL FROM: <grafitek@tdcspace.dk>
03-16-11 15:45:31:546 -- (6236) Received RCPT TO: morten@e-advice.dk
03-16-11 15:45:31:562 -- (6236) found SPF record for tdcspace.dk: v=spf1 include:mail.dk
03-16-11 15:45:31:562 -- (6236) found SPF record for mail.dk: v=spf1 ptr:mail.dk ptr:tele.dk ptr:mailoption.dk -all
03-16-11 15:45:31:578 -- (6236) SPF query result: pass
03-16-11 15:45:31:578 -- (6236) - SPF analysis for mail.dk done: - pass
03-16-11 15:45:31:578 -- (6236) SPF query result: pass
03-16-11 15:45:31:578 -- (6236) - SPF analysis for tdcspace.dk done: - pass
03-16-11 15:45:31:578 -- (6236) Mail from: grafitek@tdcspace.dk
03-16-11 15:45:33:531 -- (6236) - MAPS search done...
03-16-11 15:45:33:531 -- (6236) RCPT TO: morten@e-advice.dk accepted
03-16-11 15:47:47:828 -- (6236) Disconnect-
------------------------------------------------------
The fault is that morten@e-advice.dk is accepted to receive, but the "body" never arrives, and in the end it disconnects after about 100 sec.

ISP spam filter support said this can be because of firewall/antivirus software on the server or end users. The problem is that it seems to be only some users that have the problem.

I now want to use Wireshark to "sniff" any packets from the SMTP server that is sending the mail to our mail server.
I want to run the program and sniff all comms from the IPs 195.41.46.230 and 195.41.46.231.

I just can't understand how to use the application to monitor this.
Is there a way, or a better way?

I attach a picture of the Wireshark user interface in case someone can give me some instructions on how to set this up.


wireshark.jpg
morten444 asked:
m_walker commented:
OK, on the capture config page (as above),
key into the Capture Filter edit box:

host 195.41.46.230 or host 195.41.46.231

This should log any data where one of the IP addresses is either of those two.
This should now only log data to/from those hosts.

To test, set the capture running, then ping those two hosts. They may not reply to the ping, but it should log your attempt to ping those hosts.

Keep an eye on the log and make sure it does not get too big. I think that since you are only logging for two hosts it should be OK, as you don't expect much data from those two.

Note: Capture filters are different from display filters, but more on that later.
 
m_walker commented:
Using Wireshark.
I find it best to do a complete capture for a set period of time, then filter and search through that file. This way, if you need to check something else (e.g. to/from a DNS server), then the data will be there.

That said, if there is a lot of traffic the log file will be big, so if you can cause the issue you see "on demand", then get Wireshark ready, log and cause the issue, and stop Wireshark.

Note: In the screenshot you posted, set the log/capture file; everything else should be OK as a default.

For Wireshark to get the data, the data needs to be sent to Wireshark. If you can ID the server you want to record data to/from (e.g. your email server), then you can either
a) Install Wireshark on that server and log
or
b) Create a SPAN/monitor/mirror port on your switch to send a copy of all data to/from the server port to your monitor port (this feature needs to be supported on the switch you have). Then connect a computer with Wireshark to that port and log.

If your switch does not support option b, you can get a HUB (and I mean a hub, not a switch) and put that between your server and switch, then connect Wireshark to the same hub. (With a hub all data goes to all ports.)

Once you are happy you are getting the data you need, we can talk about looking through the data and applying filters.

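The two replies above set up the capture (a host filter for the two sender addresses, a bounded capture window, then filtering and searching the saved file), but the thread never reaches the analysis step. The following is an added example, not code from the thread or from Wireshark: a Python script that reads a classic pcap file (the libpcap format Wireshark can save to) and reconstructs each SMTP session to the server port, reporting the sessions where RCPT TO was accepted but the message body never arrived, and how long the connection sat silent before it was closed, which is exactly the symptom in the spam filter log. The sender address 195.41.46.231 and the mailbox names come from the log; the server address 192.0.2.10, the client ports and every packet in the sample capture are constructed inside the script so it runs offline.

```python
import struct

SENDER = "195.41.46.231"   # sending MTA, taken from the spam filter log
SERVER = "192.0.2.10"      # assumed address of the receiving mail server (not in the thread)
SMTP_PORT = 25
FIN, RST, PSH_ACK, FIN_ACK = 0x01, 0x04, 0x18, 0x11

def packet(ts, src, dst, sport, dport, flags, payload=b""):
    """One Ethernet/IPv4/TCP frame as a pcap record; checksums are left 0 and never checked."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip            # zero MACs, EtherType IPv4
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def build_pcap(records):
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)  # LE pcap, Ethernet

def parse_pcap(data):
    """Yield (ts, src, dst, sport, dport, tcp_flags, payload) for every IPv4/TCP frame."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 + TCP only
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (sec + usec / 1e6, ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
               sport, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:])

def smtp_sessions(pcap):
    """Follow each client connection's SMTP dialogue, keyed by (client ip, client port)."""
    sessions = {}
    for ts, src, dst, sport, dport, flags, payload in parse_pcap(pcap):
        if dport == SMTP_PORT:
            key, from_client = (src, sport), True
        elif sport == SMTP_PORT:
            key, from_client = (dst, dport), False
        else:
            continue
        s = sessions.setdefault(key, {"last_payload": ts, "silence": 0.0, "rcpt_ok": False,
                                      "data_cmd": False, "body_ok": False, "closed_by": None})
        s["silence"] = max(s["silence"], ts - s["last_payload"])   # longest gap with no data
        if flags & (FIN | RST):
            s["closed_by"] = "client" if from_client else "server"
        if not payload:
            continue
        s["last_payload"] = ts
        text = payload.decode("ascii", "replace").upper()
        if from_client:
            s["last_cmd"] = "BODY" if text.endswith("\r\n.\r\n") else text[:4]
            s["data_cmd"] |= s["last_cmd"] == "DATA"
        elif text.startswith("250"):                    # 250 acknowledges the last command
            s["rcpt_ok"] |= s.get("last_cmd") == "RCPT"
            s["body_ok"] |= s.get("last_cmd") == "BODY"
    return sessions

def diagnose(s):
    """Classify one session in the terms the spam filter log uses."""
    if s["body_ok"]:
        return "delivered"
    if s["rcpt_ok"]:
        stage = "354 sent, body never arrived" if s["data_cmd"] else "RCPT accepted, no DATA"
        return f"stalled: {stage}; {s['silence']:.0f}s silence, closed by {s['closed_by']}"
    return "incomplete"

def sample_capture():
    """Constructed capture: one healthy delivery (port 40001) and one stalled one (port 40002)."""
    t0 = 1_300_290_331.5    # arbitrary epoch seconds
    def cli(dt, port, text=b"", flags=PSH_ACK):
        return packet(t0 + dt, SENDER, SERVER, port, SMTP_PORT, flags, text)
    def srv(dt, port, text=b"", flags=PSH_ACK):
        return packet(t0 + dt, SERVER, SENDER, SMTP_PORT, port, flags, text)
    def envelope(base, port):
        return [srv(base, port, b"220 mail ESMTP\r\n"),
                cli(base + 0.1, port, b"MAIL FROM:<grafitek@tdcspace.dk>\r\n"),
                srv(base + 0.2, port, b"250 OK\r\n"),
                cli(base + 0.3, port, b"RCPT TO:<morten@e-advice.dk>\r\n"),
                srv(base + 2.2, port, b"250 Accepted\r\n"),   # ~2 s later, like the MAPS lookup
                cli(base + 2.3, port, b"DATA\r\n"),
                srv(base + 2.4, port, b"354 Go ahead\r\n")]
    good = envelope(0.0, 40001) + [cli(2.5, 40001, b"Subject: test\r\n\r\nhello\r\n.\r\n"),
                                   srv(2.6, 40001, b"250 Queued\r\n"),
                                   cli(2.7, 40001, b"QUIT\r\n"),
                                   srv(2.8, 40001, b"221 Bye\r\n", FIN_ACK)]
    bad = envelope(5.0, 40002) + [cli(141.4, 40002, flags=FIN_ACK)]   # sender gives up 134 s later
    return build_pcap(good + bad)

def report(pcap=None):
    return {f"{ip}:{port}": diagnose(s) for (ip, port), s in smtp_sessions(pcap or sample_capture()).items()}

if __name__ == "__main__":
    print(report())
```

To use it on a real capture, pass `open("smtp.pcap", "rb").read()` to `report()`. A file in this format comes from Wireshark's Save As with the pcap format selected, or from the command line with the same host filter the answer gives, e.g. `tshark -i <iface> -f 'host 195.41.46.230 or host 195.41.46.231' -F pcap -b filesize:100000 -b files:20 -w smtp.pcap`; the `-b` ring buffer caps the disk usage, which matters for a server that takes 200,000 mails a day over a multi-day capture. Two caveats: sessions are keyed only by client address and port, so a sender that reuses a source port across a long capture would merge two dialogues, and the script looks at the first 4 bytes of each client segment, so a client that splits a command across segments or pipelines several commands in one segment will need per-line parsing.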
 
morten444 (author) commented:
Hi
Thanks for your reply.
I have installed Wireshark on our mail server.
I have the 2 IPs I want to trace, and I only want these 2 IPs as we have seen repeated issues.

The mail server receives about 200,000 mails a day and I think I have to monitor for 2-3 days. Therefore log files will be too big.

I have seen in the manual that you can log for "net" and type something like 192.168.0.0/24.
But how do I do it if I only want the 2 IPs 195.41.46.230 and 195.41.46.231?
What do I write where?
 
morten444 (author) commented:
Hi, thanks.
I managed to set it up now and forwarded the outcome to our spam filter provider.
Thanks for all your help.
 
bkort1 commented:
Hi,

Any more information on this issue would be greatly appreciated. I have been having the same exact issue for a few months now and can't seem to find any solution to fix it. Sometimes emails are accepted for delivery but never forwarded to the mailbox, and the connection ends up terminating after a while.

Thanks,