robdijo asked:

Network Monitor

I have a LAN network behind a router/firewall which in turn goes to a cable modem.  My cable IP has been blacklisted on 3 spam services.  I need to monitor port 25 outbound traffic on my Netgear router.  The router offers little or no monitoring abilities.  Is there a software solution out there that anyone knows of that can monitor the internal or cable router for outbound SMTP traffic?  I need something that is simple to use and will give me alerts when port 25 is flooded.  I have a suspicion that one of the client pc's in the office started spamming out port 25.  I cannot shut down port 25 because we have a legitimate fax server that pushes out faxes to internal users via email.  Please advise.
Grasty86

You could use something like Wireshark, but I don't think it will alert you ... you would just have to set up a filter and watch it.
Raymond Peng
I believe Spiceworks can do this for you and is free.  I haven't used it myself but lots of admins utilize this.

http://www.spiceworks.com/
ASKER CERTIFIED SOLUTION
Fidelius
pergr

The ntop software will do exactly what you need - and give you statistics of all traffic; not only SMTP.

Typically you keep it running on a dedicated PC connected to the switch.
robdijo (ASKER)

Thanks all for the info but I am still confused.  I am an experienced network guy but I never got into the whole data analyzing and such.  These programs offer the ability to see the bandwidth.  I need to be able to see what is actually going out through my router though.  For example - I want to see what SMTP traffic is flowing out of the router and I want to see the headers for the emails.  I need to be able to tell if the SMTP traffic has stopped.  I have multiple users who use Outlook so I can't shut down port 25.  I did try to use SNMP but that only shows traffic - not the actual data.  Please advise!
Hello,

As I said in my previous post, PRTG Port Sniffer is what you need.
From user manual (http://download.paessler.com/download/prtgmanual.pdf) page 496:
"Monitors the headers of data packets passing a local network card using built-in packet sniffer. You can choose from predefined channels. Only header traffic will be analyzed.

Note: This sensor can be set up on a Probe Device only! By default, you can only monitor traffic passing the PRTG probe system on which's Probe Device the sensor is set up (either a local or remote probe). To monitor other traffic in your network, you can configure a monitoring port (if available) to which the switch sends a copy of all traffic. You can then physically connect this port to a network card of the computer the PRTG probe (either local or remote probe) is running on. This way, PRTG will be able to analyze the complete traffic that passes through the switch. This feature of your hardware may be called Switched Port Analyzer (SPAN), port mirroring, or port monitoring."
Another thing you can try is Snort for Windows (or Linux, if you have a Linux machine) - http://www.snort.org/start/download :
SNORT® is an open source network intrusion prevention system capable of performing real-time traffic analysis and packet logging on IP networks. Snort can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort is comprised of two major components: (i) a detection engine that utilizes a modular plug-in architecture (the “Snort Engine”) and (ii) a flexible rule language to describe traffic to be collected (the “Snort Rules”).
Regards!
ntop is a very simple program.
It also "listens" to all the traffic on the network, and it automatically creates statistics over this traffic, for example:

how much SMTP traffic does each PC send and receive
to which external servers does the SMTP traffic go

...and hundreds of other reports.

You just need to get all the traffic to the PC that has ntop running.

That could be a monitoring port on a switch, or you can use a hub between your switch and firewall, and connect the PC to the hub.
Hello,
You should create a rule like:

Action   Source      Source Port   Destination           Destination Port
Allow    Your LAN    Any           Your Mail Server IP   25
Deny     Any         Any           Any                   25

To monitor your network you can use Wireshark (if you have any manageable switch then you could mirror a port).

Or if you have any Linksys wireless router you could enable Administration > Log. Then you could see incoming and outgoing traffic. I'm not sure about Netgear.
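
The per-host SMTP accounting and alerting discussed in this thread, as an added example that is not part of any poster's reply: a Python script that reads `tcpdump -nn -tt` text output captured on a mirror port and flags LAN hosts, other than approved mail senders, that open many port-25 connections in a short window. The addresses, the threshold and the function name `find_smtp_offenders` are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Matches outbound TCP SYN lines in `tcpdump -nn -tt` text output, e.g.
# 1700000010.00 IP 192.168.1.23.41000 > 203.0.113.1.25: Flags [S], seq 1, ...
SYN_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[S\]"
)

def find_smtp_offenders(lines, allowed_senders, window=60.0, threshold=5):
    """Return {src_ip: {"peak": n, "destinations": k}} for hosts that are not
    approved mail senders and opened at least `threshold` port-25 connections
    within any `window` seconds. Lines must be in capture (time) order."""
    recent = defaultdict(deque)   # src -> SYN timestamps inside the window
    peak = defaultdict(int)       # src -> highest count seen in one window
    dests = defaultdict(set)      # src -> distinct servers contacted
    for line in lines:
        m = SYN_RE.match(line.strip())
        if not m or m["dport"] != "25" or m["src"] in allowed_senders:
            continue
        ts, src = float(m["ts"]), m["src"]
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop SYNs older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
        dests[src].add(m["dst"])
    return {s: {"peak": peak[s], "destinations": len(dests[s])}
            for s in peak if peak[s] >= threshold}

# Constructed sample capture (not from the thread): .50 is the approved
# fax/mail server, .31 sends one message, .23 bursts to six servers.
SAMPLE = [
    "1700000000.00 IP 192.168.1.50.40000 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0",
    "1700000009.00 IP 192.168.1.31.40100 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0",
    "1700000009.50 IP 192.168.1.23.40200 > 198.51.100.9.443: Flags [S], seq 1, win 64240, length 0",
] + [
    f"17000000{10 + i}.00 IP 192.168.1.23.{41000 + i} > 203.0.113.{i + 1}.25: "
    "Flags [S], seq 1, win 64240, length 0"
    for i in range(6)
]

if __name__ == "__main__":
    print(find_smtp_offenders(SAMPLE, allowed_senders={"192.168.1.50"}))
```

The capture PC has to see the LAN-to-router traffic, for instance through the mirror port or hub placement described in the replies above.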