Solved

Using Wireshark to sniff packets to analyze a potential mail server issue

Posted on 2011-03-22
Last Modified: 2012-08-14
We are trying to get to the bottom of a mail delivery issue we have.
In our ISP spam filter log we get the following in the log file:
------------------------------
03-16-11 15:45:31:484 -- (6236) Connection from: 195.41.46.231  -  Originating country : Denmark
03-16-11 15:45:31:546 -- (6236) Received MAIL FROM: <grafitek@tdcspace.dk>
03-16-11 15:45:31:546 -- (6236) Received RCPT TO: morten@e-advice.dk
03-16-11 15:45:31:562 -- (6236) found SPF record for tdcspace.dk: v=spf1 include:mail.dk
03-16-11 15:45:31:562 -- (6236) found SPF record for mail.dk: v=spf1 ptr:mail.dk ptr:tele.dk ptr:mailoption.dk -all
03-16-11 15:45:31:578 -- (6236) SPF query result: pass
03-16-11 15:45:31:578 -- (6236) - SPF analysis for mail.dk done: - pass
03-16-11 15:45:31:578 -- (6236) SPF query result: pass
03-16-11 15:45:31:578 -- (6236) - SPF analysis for tdcspace.dk done: - pass
03-16-11 15:45:31:578 -- (6236) Mail from: grafitek@tdcspace.dk
03-16-11 15:45:33:531 -- (6236) - MAPS search done...
03-16-11 15:45:33:531 -- (6236) RCPT TO: morten@e-advice.dk accepted
03-16-11 15:47:47:828 -- (6236) Disconnect-
------------------------------------------------------
The fault is that morten@e-advice.dk is accepted to receive, but the "body" never arrives, and in the end it disconnects after about 100 sec.

ISP spam filter support said this can be because of firewall/antivirus software on the server or at the end users. The problem is that only some users seem to have the problem.

I now want to use Wireshark to "sniff" any packets from the SMTP server that is sending the mail to our mail server.
I want to run the program and sniff all comms from the IPs 195.41.46.230 and 195.41.46.231.

I just can't understand how to use the application to monitor this.
Is there a way, or a better way?

I attach a picture of the Wireshark user interface in case someone can give me some instructions on how to set this up.


wireshark.jpg
Question by:morten444
5 Comments

Expert Comment

by:m_walker
ID: 35194908
Using Wireshark:
I find it best to do a complete capture for a set period of time, then filter and search through that file. This way, if you need to check something else (e.g. to/from a DNS server), the data will be there.

That said, if there is a lot of traffic the log file will be big, so if you can cause the issue you see "on demand", then get Wireshark ready, log, cause the issue, and stop Wireshark.

Note: in the screenshot you posted, set the log/capture file; everything else should be OK as a default.

For Wireshark to get the data, the data needs to be sent to Wireshark. If you can identify the server you want to record data to/from (e.g. your email server), then you can either
a) install Wireshark on that server and log,
or
b) create a SPAN/monitor/mirror port on your switch to send a copy of all data to/from the server port to your monitor port (this feature needs to be supported by the switch you have). Then connect a computer with Wireshark to that port and log.

If your switch does not support option b, you can get a HUB (and I mean a hub, not a switch) and put that between your server and switch, then connect the Wireshark machine to the same hub. (With a hub, all data goes to all ports.)

Once you are happy you are getting the data you need, we can talk about looking through the data and applying filters.


Author Comment

by:morten444
ID: 35196943
Hi,
Thanks for your reply.
I have installed Wireshark on our mail server.
I have the 2 IPs I want to trace, and I only want these 2 IPs, as we have seen repeated issues with them.

The mail server receives about 200,000 mails a day and I think I have to monitor for 2-3 days. Therefore the log files will be too big.

I have seen in the manual that you can log for a "net" and type something like 192.168.0.0/24.
But how do I do it if I only want the 2 IPs 195.41.46.230 and 195.41.46.231?
What do I write where?

Accepted Solution

by: m_walker (earned 500 total points)
ID: 35197209
OK, on the capture config page (as above),
key into the Capture Filter edit box:

host 195.41.46.230 or host 195.41.46.231

This should log any data where one of the IP addresses is either of those two.
It should now only log data to/from those hosts.

To test, set the capture running, then ping those two hosts. They may not reply to the ping, but it should log your attempt to ping those hosts.

Keep an eye on the log and make sure it does not get too big. I think that since you are only logging for two hosts it should be OK, as you don't expect much data from those two.

Note: capture filters are different from display filters, but more on that later.
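The accepted answer gives the capture filter and promises "more on filters later", but the thread never gets to the analysis step. The following is an added example, not code from any of the posts above: part 1 turns the same `host ... or host ...` capture filter into a bounded dumpcap ring buffer (dumpcap ships with Wireshark; on Windows it is `dumpcap.exe` in the Wireshark folder), which addresses the asker's worry about multi-day capture files; part 2 reads a tshark field export of that capture and reports, for each SMTP session, the last stage that completed (RCPT accepted, 354 sent, final 250) and which side closed the connection, which is exactly what distinguishes "body never arrived" from "body arrived but was not delivered". The interface name, ring-buffer sizes, the local MX address 10.0.0.25, the tshark invocation shown in the comment and the sample export (constructed by hand, not real traffic) are all assumptions of mine.

```python
"""Added example for this thread (not code from any of the original posts).

Part 1: the accepted answer's capture filter as a bounded dumpcap ring buffer.
Part 2: classify each SMTP session in a tshark field export by the stage at
which the dialogue stalled and by which side closed the TCP connection.

Assumptions (not from the thread): dumpcap/tshark on PATH, the interface name,
the ring-buffer sizes, the local MX address, and the hand-constructed export.
"""

SENDERS = ("195.41.46.230", "195.41.46.231")  # the two hosts from the question
MAIL_SERVER = "10.0.0.25"                      # assumed address of the local MX


def bpf_filter(hosts):
    """The accepted answer's *capture* (BPF) filter, generalised to N hosts."""
    return " or ".join(f"host {h}" for h in hosts)


def capture_argv(hosts, iface="eth0", outfile="smtp.pcapng", file_kb=100_000, files=20):
    """dumpcap command line: -f is the capture filter (not a display filter);
    -b filesize/files keeps a ring of at most `files` files of `file_kb` kB,
    so a 2-3 day capture cannot grow without bound."""
    return ["dumpcap", "-i", iface, "-f", bpf_filter(hosts),
            "-b", f"filesize:{file_kb}", "-b", f"files:{files}", "-w", outfile]


# One line per packet on port 25, produced by this (assumed) tshark command:
#   tshark -r smtp.pcapng -Y "tcp.port == 25" -T fields -e tcp.stream \
#       -e frame.time_relative -e ip.src -e smtp.req.command \
#       -e smtp.response.code -e tcp.flags.fin
# Constructed sample of that output: (stream, time, src, command, code, fin).
A, B, MX = SENDERS[0], SENDERS[1], MAIL_SERVER
_ROWS = [
    # stream 0: normal delivery from .231, final 250 after the body, QUIT
    ("0", "0.000", B, "", "", "0"),      ("0", "0.002", MX, "", "220", "0"),
    ("0", "0.020", B, "MAIL", "", "0"),  ("0", "0.021", MX, "", "250", "0"),
    ("0", "0.030", B, "RCPT", "", "0"),  ("0", "0.031", MX, "", "250", "0"),
    ("0", "0.040", B, "DATA", "", "0"),  ("0", "0.041", MX, "", "354", "0"),
    ("0", "0.900", MX, "", "250", "0"),  ("0", "0.910", B, "QUIT", "", "0"),
    ("0", "0.911", MX, "", "221", "1"),
    # stream 1: .230 gets 354 but the body never completes; server FINs ~100 s later
    ("1", "5.000", A, "", "", "0"),      ("1", "5.002", MX, "", "220", "0"),
    ("1", "5.020", A, "MAIL", "", "0"),  ("1", "5.021", MX, "", "250", "0"),
    ("1", "5.030", A, "RCPT", "", "0"),  ("1", "5.031", MX, "", "250", "0"),
    ("1", "5.040", A, "DATA", "", "0"),  ("1", "5.041", MX, "", "354", "0"),
    ("1", "105.041", MX, "", "", "1"),
    # stream 2: RCPT accepted, then silence until the server times out (the ISP log pattern)
    ("2", "9.000", B, "", "", "0"),      ("2", "9.002", MX, "", "220", "0"),
    ("2", "9.020", B, "MAIL", "", "0"),  ("2", "9.021", MX, "", "250", "0"),
    ("2", "9.030", B, "RCPT", "", "0"),  ("2", "9.031", MX, "", "250", "0"),
    ("2", "129.031", MX, "", "421", "1"),
]
SAMPLE_EXPORT = "\n".join("\t".join(r) for r in _ROWS)


def _verdict(ev):
    """Walk the (side, command-or-code) sequence to the last stage that completed."""
    if ("C", "DATA") in ev:
        after = ev[ev.index(("C", "DATA")) + 1:]
        if ("S", "354") not in after:
            return "stalled-waiting-for-354"
        body = after[after.index(("S", "354")) + 1:]
        return "delivered" if ("S", "250") in body else "stalled-in-body"
    if ("C", "RCPT") in ev and ("S", "250") in ev[ev.index(("C", "RCPT")) + 1:]:
        return "stalled-before-DATA"
    return "stalled-early"


def diagnose(export):
    """Group a tshark field export by tcp.stream and classify each session."""
    streams = {}
    for raw in export.splitlines():
        if not raw.strip():
            continue
        sid, t, src, cmd, code, fin = raw.split("\t")
        st = streams.setdefault(sid, {"client": src, "start": float(t),
                                      "events": [], "closed_by": None})
        st["end"] = float(t)
        if cmd:
            st["events"].append(("C", cmd.upper()))
        if code:
            st["events"].append(("S", code))
        if fin in ("1", "True") and st["closed_by"] is None:  # tshark 3.x prints 1, 4.x True
            st["closed_by"] = "client" if src == st["client"] else "server"
    return [{"stream": sid, "client": st["client"], "verdict": _verdict(st["events"]),
             "closed_by": st["closed_by"] or "still-open",
             "duration_s": round(st["end"] - st["start"], 3)}
            for sid, st in streams.items()]


if __name__ == "__main__":
    print(" ".join(capture_argv(SENDERS)))
    for r in diagnose(SAMPLE_EXPORT):
        print(r)
```

Two caveats. The `host` filter also matches ICMP, which is why the ping test in the answer works; narrowing it to `... and tcp port 25` would keep the file smaller but would hide that test. And the verdicts only localise the stage of the stall: a session that gets 354 but never a final 250 while the short commands all go through is worth checking for TCP retransmissions of the large body segments in the capture, whereas a session that goes silent straight after the RCPT 250 points at the sending side or whatever sits between it and the server, which is the "firewall/antivirus" possibility the support desk raised.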

Author Closing Comment

by:morten444
ID: 35255303
Hi, thanks.
I managed to set it up now and forwarded the outcome to our spam filter provider.
Thanks for all your help.

Expert Comment

by:bkort1
ID: 35283078
Hi,

Any more information on this issue would be greatly appreciated. I have been having the exact same issue for a few months now and can't seem to find any solution to fix it. Sometimes emails are accepted for delivery but never get forwarded to the mailbox, and the connection ends up terminating after a while.

Thanks,