Wireshark Setup

BCHCAdmin used Ask the Experts™
Hello - I'm trying to find out if someone on our network is inadvertently sending out spam email because of a virus or spyware. I have Wireshark loaded on my PC and was hoping to be able to look at traffic on port 25 to see if there is a lot of email going out from a certain IP address. Is this possible? I have read briefly through their help but I'm not "getting it". We have a small Cisco network and a Cisco ASA firewall.
If the network is switched, you need to put a port in monitor mode. If you don't do it, you can't view other hosts' traffic.

Try to block destination port 25 on the ASA firewall until you discover the infected computer.

Besides the former comment, you also have to check that the interface is started in promiscuous mode... if not, you will only see the traffic sent to/coming out of the sniffing station.


Sorry - what do you mean by "put a port on monitor mode?"

An Ethernet hub is a single "pipe" where the flow of data is exposed on all its ports; sniffing is straightforward.
A switch instead establishes a number of "dynamic pipes" between sender and recipient where the rest of the connected stations are not disturbed at all. That's why you cannot sniff so easily in a switched environment.
A port in monitor mode is a special switch port that receives traffic as a hub port does, allowing the sniffer to work correctly.
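Once a monitor-mode port is feeding the sniffer, the question above comes down to "which internal host opens the most SMTP sessions?" The script below is an added example (not from the original thread or from Wireshark itself) that answers that from a classic libpcap file, the kind Wireshark can save with a "tcp port 25" capture filter (save as pcap rather than pcapng for this reader). The capture it analyses is constructed in memory, and the threshold of 5 sessions is an assumed value, not a figure from the thread.

```python
import struct
from collections import Counter

def _syn_frame(src_ip, dst_ip, sport, dport):
    """Build one Ethernet/IPv4/TCP SYN frame (constructed sample data, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xA1B2C3D4, link type 1 = Ethernet)."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        data += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return data

def count_smtp_syns(pcap_bytes, port=25):
    """Return {source IP: number of new TCP connections to `port`} found in a pcap."""
    counts = Counter()
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<IIII", pcap_bytes, off)[2]
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                           # too short, or not IPv4
        ihl = (frame[14] & 0x0F) * 4           # IP header length in bytes
        if frame[23] != 6:                     # IP protocol field: 6 = TCP
            continue
        src_ip = ".".join(str(b) for b in frame[26:30])
        tcp = frame[14 + ihl:]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        if dport == port and (tcp[13] & 0x12) == 0x02:  # SYN set, ACK clear: new outbound session
            counts[src_ip] += 1
    return counts

def suspicious_senders(counts, threshold):
    """Hosts opening more SMTP sessions than `threshold`; a workstation normally opens very few."""
    return sorted(ip for ip, n in counts.items() if n > threshold)

# Constructed sample: one workstation blasting SMTP, one normal sender, one web request.
SAMPLE_PCAP = build_pcap(
    [_syn_frame("10.0.0.5", f"203.0.113.{i}", 40000 + i, 25) for i in range(1, 31)]
    + [_syn_frame("10.0.0.9", "198.51.100.10", 51000, 25)]
    + [_syn_frame("10.0.0.7", "198.51.100.20", 52000, 80)]
)

if __name__ == "__main__":
    c = count_smtp_syns(SAMPLE_PCAP)
    print(c, suspicious_senders(c, threshold=5))
```

To run it on a real capture, replace SAMPLE_PCAP with the bytes of a pcap saved from Wireshark and compare the per-host counts against what your mail server alone should produce.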
