Solved

Using Wireshark to sniff packets to analyze a potential mail server issue

Posted on 2011-03-22
941 Views
Last Modified: 2012-08-14
We are trying to get to the bottom of a mail delivery issue we have.
In our ISP spamfilter log we get the following:
------------------------------
03-16-11 15:45:31:484 -- (6236) Connection from: 195.41.46.231  -  Originating country : Denmark
03-16-11 15:45:31:546 -- (6236) Received MAIL FROM: <grafitek@tdcspace.dk>
03-16-11 15:45:31:546 -- (6236) Received RCPT TO: morten@e-advice.dk
03-16-11 15:45:31:562 -- (6236) found SPF record for tdcspace.dk: v=spf1 include:mail.dk
03-16-11 15:45:31:562 -- (6236) found SPF record for mail.dk: v=spf1 ptr:mail.dk ptr:tele.dk ptr:mailoption.dk -all
03-16-11 15:45:31:578 -- (6236) SPF query result: pass
03-16-11 15:45:31:578 -- (6236) - SPF analysis for mail.dk done: - pass
03-16-11 15:45:31:578 -- (6236) SPF query result: pass
03-16-11 15:45:31:578 -- (6236) - SPF analysis for tdcspace.dk done: - pass
03-16-11 15:45:31:578 -- (6236) Mail from: grafitek@tdcspace.dk
03-16-11 15:45:33:531 -- (6236) - MAPS search done...
03-16-11 15:45:33:531 -- (6236) RCPT TO: morten@e-advice.dk accepted
03-16-11 15:47:47:828 -- (6236) Disconnect-
------------------------------------------------------
The fault is that the RCPT TO for morten@e-advice.dk is accepted, but the "body" never arrives, and in the end it disconnects after about 100 seconds.

ISP Spamfilter Support said this can be because of firewall/antivirus software on the server or on the end users' machines. The problem is that it seems to be only some users who have the problem.

I now want to use Wireshark to "sniff" any packets from the SMTP server that is sending the mail to our mail server.
I want to run the program and sniff all comms from the IPs 195.41.46.230 and 195.41.46.231.

I just can't understand how to use the application to monitor this.
Is there a way, or a better way?

I attach a picture of the Wireshark user interface in case someone can give me some instructions on how to set this up.


wireshark.jpg
Question by:morten444
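Before touching the wire, the ISP log itself can be triaged for the pattern shown above: a "RCPT TO ... accepted" line followed by nothing at all until a "Disconnect" well over a minute later. The POSIX shell/awk script below is an added example and is not part of the original question or of the spamfilter product. It groups lines by the session id in parentheses, reports every session whose Disconnect directly follows the accepted RCPT, and prints the delay in seconds. The sample log is the session from the question plus a second, constructed session 6237 that did complete; its "Message accepted for delivery" line is an assumed wording standing in for whatever the real product logs when the body arrives.

```shell
#!/bin/sh
# Added example: find SMTP sessions in an ISP spamfilter log that were
# accepted at RCPT TO but never delivered a body before the Disconnect.
set -eu

# Constructed sample: session 6236 is copied from the question; session 6237
# is invented to show a session that completed. Its "Message accepted for
# delivery" line is an ASSUMED format, not this spamfilter's real wording.
SAMPLE_LOG=$(cat <<'EOF'
03-16-11 15:45:31:484 -- (6236) Connection from: 195.41.46.231  -  Originating country : Denmark
03-16-11 15:45:31:546 -- (6236) Received MAIL FROM: <grafitek@tdcspace.dk>
03-16-11 15:45:31:546 -- (6236) Received RCPT TO: morten@e-advice.dk
03-16-11 15:45:31:578 -- (6236) SPF query result: pass
03-16-11 15:45:33:531 -- (6236) - MAPS search done...
03-16-11 15:45:33:531 -- (6236) RCPT TO: morten@e-advice.dk accepted
03-16-11 15:45:34:002 -- (6237) Connection from: 195.41.46.230  -  Originating country : Denmark
03-16-11 15:45:34:100 -- (6237) Received MAIL FROM: <someone@example.net>
03-16-11 15:45:34:100 -- (6237) Received RCPT TO: morten@e-advice.dk
03-16-11 15:45:35:250 -- (6237) RCPT TO: morten@e-advice.dk accepted
03-16-11 15:45:36:900 -- (6237) Message accepted for delivery
03-16-11 15:45:37:010 -- (6237) Disconnect-
03-16-11 15:47:47:828 -- (6236) Disconnect-
EOF
)

# Reads a log on stdin, prints "<session-id> <seconds>" for each session in
# which the Disconnect is the very next event after "RCPT TO ... accepted".
# Sessions may interleave, so state is kept per session id.
find_stalled_sessions() {
    awk '
    function to_secs(ts,   t) {      # "15:45:33:531" -> seconds since midnight
        split(ts, t, ":")            # (a capture spanning midnight would need the date too)
        return t[1] * 3600 + t[2] * 60 + t[3] + t[4] / 1000
    }
    {
        if (!match($0, /\([0-9]+\)/)) next        # every session line carries "(id)"
        id = substr($0, RSTART + 1, RLENGTH - 2)
        if ($0 ~ /RCPT TO:.*accepted/) {
            accepted_at[id] = to_secs($2); last[id] = "accepted"
        } else if ($0 ~ /Disconnect/) {
            if (last[id] == "accepted")           # nothing happened after RCPT was accepted
                print id, int(to_secs($2) - accepted_at[id])
            delete accepted_at[id]; delete last[id]
        } else {
            last[id] = "other"                    # any other event means the session moved on
        }
    }'
}

# Usage: for the sample this prints "6236 134" (134 s between accept and drop).
printf '%s\n' "$SAMPLE_LOG" | find_stalled_sessions
```

Run it over the real log with `find_stalled_sessions < spamfilter.log` and compare the printed session ids against the sending IPs on the "Connection from" lines; that list is what a capture filter should be narrowed to.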
5 Comments
Expert Comment

by:m_walker
ID: 35194908
Using Wireshark.
I find it best to do a complete capture for a set period of time, then filter and search through that file. This way, if you need to check something else (e.g. to/from a DNS server), the data will be there.

That said, if there is a lot of traffic the log file will be big, so if you can cause the issue you see "on demand", then get Wireshark ready, log and cause the issue, and stop Wireshark.

Note: In the screenshot you posted, set the log/capture file; everything else should be OK as a default.

For Wireshark to get the data, the data needs to be sent to Wireshark. If you can identify the server you want to record data to/from (e.g. your email server), then you can either
a) Install Wireshark on that server and log
or
b) Create a SPAN/monitor/mirror port on your switch to send a copy of all data to/from the server port to your monitor port (this feature needs to be supported by the switch you have). Then connect a computer with Wireshark to that port and log.

If your switch does not support option b, you can get a HUB (and I mean a hub, not a switch) and put that between your server and switch, then connect the Wireshark machine to the same hub. (With a hub all data goes to all ports.)

Once you are happy you are getting the data you need, we can talk about looking through the data and applying filters.


Author Comment

by:morten444
ID: 35196943
Hi
Thanks for your reply
I have installed Wireshark on our mail server.
I have the 2 IPs I want to trace, and I only want these 2 IPs as we have seen repeated issues with them.

The mail server receives about 200,000 mails a day and I think I have to monitor for 2-3 days. Therefore the log files will be too big.

I have seen in the manual that you can log for "net" and type something like 192.168.0.0/24.
But how do I do it if I only want the 2 IPs 195.41.46.230 and 195.41.46.231?
What do I write where?
Accepted Solution

by: m_walker (earned 2000 total points)
ID: 35197209
OK, on the capture config page (as above), key the following into the Capture Filter edit box:

host 195.41.46.230 or host 195.41.46.231

This should log any packet where one of the IP addresses is either of those two.
This should now only log data to/from those hosts.

To test, set the capture running, then ping those two hosts. They may not reply to the ping, but it should log your attempt to ping those hosts.

Keep an eye on the log and make sure it does not get too big. I think that since you are only logging for two hosts it should be OK, as you don't expect much data from those two.

Note: Capture filters are different from display filters, but more on that later.
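The accepted answer gives the capture filter; what it leaves for "later" is how to keep a multi-day capture on a busy mail server bounded and how to pick the stalled sessions out of it with display filters. The script below is an added example, not code from the thread or from the Wireshark project. It builds the same `host A or host B` BPF expression from a validated list of addresses, runs dumpcap (the capture engine behind the Wireshark GUI) with a ring buffer so disk use can never exceed 20 files of 100 MB, and then uses tshark display filters to list, per TCP stream, which SMTP commands were seen and where retransmissions occurred. The interface name eth0 and the directory /var/captures are assumptions; the tshark field names are Wireshark's own.

```shell
#!/bin/sh
# Added example (not from the original thread): capture only the two sending
# hosts with a BPF capture filter, bound the on-disk size with a ring buffer,
# then use display filters to find SMTP sessions that never reached DATA.
set -eu

# ASSUMPTIONS: the mail server's interface is eth0, captures go to
# /var/captures, and dumpcap/tshark (shipped with Wireshark) are installed.
IFACE="${IFACE:-eth0}"
CAPDIR="${CAPDIR:-/var/captures}"

# Accept only four dotted decimal octets in 0-255. A capture filter is handed
# to the capture tool as a string, so anything else (shell metacharacters,
# a hostname that would trigger a DNS lookup) is rejected up front.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Turn "A B C" into the BPF expression "host A or host B or host C", the same
# form the accepted answer shows for two hosts.
build_capture_filter() {
    filter=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
        filter="${filter:+$filter or }host $ip"
    done
    printf '%s\n' "$filter"
}

start_capture() {
    # -f is the capture filter (BPF, applied in the kernel, so unrelated mail
    # never hits the disk). -b filesize is in kB and -b files caps how many
    # files are kept, so a 2-3 day run is limited to 20 x 100 MB.
    filter=$(build_capture_filter "$@")
    mkdir -p "$CAPDIR" && chmod 700 "$CAPDIR"   # pcaps hold clear-text mail
    dumpcap -i "$IFACE" -f "$filter" \
        -b filesize:102400 -b files:20 \
        -w "$CAPDIR/smtp.pcapng"
}

triage_capture() {
    # Display filters are applied after capture (older tshark uses -R
    # instead of -Y). First list which SMTP commands each TCP stream carried:
    # a stream with RCPT but no DATA is the stalled session. Then list
    # retransmissions on port 25, the first place to look when DATA stalls.
    f="$1"
    tshark -r "$f" -Y 'smtp.req.command == "RCPT" || smtp.req.command == "DATA"' \
        -T fields -e tcp.stream -e frame.time_relative -e ip.src -e smtp.req.command
    tshark -r "$f" -Y 'tcp.analysis.retransmission && tcp.port == 25' \
        -T fields -e tcp.stream -e frame.time_relative -e ip.src -e tcp.len
}

case "${1:-}" in
    capture) shift; start_capture "$@" ;;   # smtp-capture.sh capture 195.41.46.230 195.41.46.231
    triage)  triage_capture "$2" ;;         # smtp-capture.sh triage /var/captures/smtp_00001_....pcapng
    *)       build_capture_filter 195.41.46.230 195.41.46.231 ;;   # just print the filter
esac
```

To confirm the filter is live, do what the answer suggests: start the capture and ping both hosts; the echo requests must show up even if no reply comes back. Keep in mind that SMTP on port 25 is clear text here, so the capture files contain sender, recipient and message bodies; keep them in a directory only root can read and delete them once the spamfilter provider has what they need.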

Author Closing Comment

by:morten444
ID: 35255303
Hi, thanks.
I managed to set it up now and have forwarded the outcome to our spamfilter provider.
Thanks for all your help.

Expert Comment

by:bkort1
ID: 35283078
Hi,

Any more information on this issue would be greatly appreciated. I have been having the exact same issue for a few months now and can't seem to find any solution to fix it. Sometimes emails are accepted for delivery but never forwarded to the mailbox, and the connection ends up terminating after a while.

Thanks,