Wireshark Setup

BCHCAdmin
Hello - I'm trying to find out if someone on our network is inadvertently sending out spam email because of a virus or spyware.  I have Wireshark loaded on my PC and was hoping to be able to look at traffic on port 25 to see if there is a lot of email going out from a certain IP address.  Is this possible?  I have read briefly through their help but I'm not "getting it".  We have a small Cisco network and a Cisco ASA firewall.
Thanks

If the network is switched, you need to put a port in monitor mode. If you don't, you can't view other hosts' traffic.

Try blocking destination port 25 on the ASA firewall until you discover the infected computer.

Commented:
Besides the former comment, you also have to check that the interface is started in promiscuous mode... if not, you will only see the traffic sent to/coming out of the sniffing station.

Author

Commented:
Sorry - what do you mean by "put a port on monitor mode?"

Commented:
An Ethernet hub is a single "pipe" where the flow of data is exposed on all its ports; sniffing is straightforward.
A switch instead establishes a number of "dynamic pipes" between sender and recipient where the rest of the connected stations are not disturbed at all. That's why you cannot sniff so easily in a switched environment.
A port in monitor mode is a special switch port that receives traffic as a hub port does, allowing the sniffer to work correctly.
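Once the sniffing station sits on a monitor port and the capture has been saved, the actual question ("is one host opening a lot of outbound SMTP connections?") is a counting job. The following is an added example, not code from anyone in this thread: a standard-library Python script that reads a libpcap file, finds TCP SYN packets to destination port 25, and counts them per source address. Counting only the initial SYN of each connection gives "how many mail servers did this host try to talk to", which separates a spambot fanning out to hundreds of MX hosts from a legitimate relay sending a few large messages. The capture it analyses is constructed inline; the addresses and the `known_mail_servers`/`threshold` parameters are assumptions for the demonstration.

```python
"""Count outbound SMTP (TCP/25) connection attempts per source IP in a pcap.

Added example, not from the original thread. Standard library only, so it
runs offline; the capture below is constructed in memory and every address
in it is made up.
"""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def make_tcp_frame(src_ip, dst_ip, sport, dport, flags, vlan=None):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    if vlan is None:
        eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    else:  # 802.1Q tagged, as often seen on a trunked SPAN/monitor port
        eth = b"\x00" * 12 + struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + tcp


def make_pcap(frames):
    """Wrap raw frames in a libpcap file (little-endian, linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def smtp_connection_attempts(pcap_bytes):
    """Return Counter {src_ip: SYN-without-ACK packets sent to TCP port 25}."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("only Ethernet captures are supported")

    counts = Counter()
    offset = 24  # past the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(endian + "IIII", pcap_bytes, offset)[2]
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len

        if len(frame) < 14:
            continue
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        l3 = 14
        if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:  # skip the VLAN tag
            ethertype = struct.unpack_from("!H", frame, 16)[0]
            l3 = 18
        if ethertype != ETHERTYPE_IPV4 or len(frame) < l3 + 20:
            continue
        ip = frame[l3:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:  # not TCP, or truncated TCP header
            continue
        tcp = ip[ihl:]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        flags = tcp[13]
        if dport == 25 and flags & TCP_SYN and not flags & TCP_ACK:
            counts[".".join(str(b) for b in ip[12:16])] += 1
    return counts


def suspicious_senders(pcap_bytes, known_mail_servers=(), threshold=5):
    """Sources with at least `threshold` outbound SMTP connections, minus known relays."""
    return {ip: n for ip, n in smtp_connection_attempts(pcap_bytes).items()
            if ip not in known_mail_servers and n >= threshold}


# Constructed sample capture (all addresses are made up for the example).
SPAMMER, MAILSERVER, WORKSTATION = "192.168.1.50", "192.168.1.10", "192.168.1.77"
SAMPLE_FRAMES = (
    # a legitimate mail relay making two outbound deliveries
    [make_tcp_frame(MAILSERVER, "203.0.113.%d" % i, 40000 + i, 25, TCP_SYN) for i in (1, 2)]
    # an infected host fanning out to ten different remote mail servers
    + [make_tcp_frame(SPAMMER, "198.51.100.%d" % i, 50000 + i, 25, TCP_SYN) for i in range(1, 11)]
    # the same host again, this time on a VLAN-tagged frame
    + [make_tcp_frame(SPAMMER, "198.51.100.99", 50099, 25, TCP_SYN, vlan=20)]
    # noise that must not count: a SYN-ACK coming back from port 25, and plain web traffic
    + [make_tcp_frame("203.0.113.1", MAILSERVER, 25, 40001, TCP_SYN | TCP_ACK),
       make_tcp_frame(WORKSTATION, "198.51.100.5", 51000, 80, TCP_SYN)]
)
SAMPLE_PCAP = make_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for ip, n in smtp_connection_attempts(SAMPLE_PCAP).most_common():
        print(f"{ip:16} {n} outbound SMTP connection attempts")
    print("suspicious:", suspicious_senders(SAMPLE_PCAP, known_mail_servers={MAILSERVER}))
```

To run it against a real capture, pass `open("capture.pcap", "rb").read()` instead of `SAMPLE_PCAP`; recent Wireshark versions save in pcapng by default, so use "Save As" with the plain pcap format, since this reader deliberately handles only libpcap. The same view inside Wireshark itself is the display filter `tcp.dstport == 25 && tcp.flags.syn == 1 && tcp.flags.ack == 0` followed by Statistics > Endpoints (IPv4) to see which source address dominates. Either way the capture only contains other hosts' traffic if the sniffing station is on a monitor (SPAN) port, as the comments above explain, and your own mail server will legitimately appear in the list, which is why the example lets you exclude it.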
