
Network Monitor

robdijo
I have a LAN network behind a router/firewall which in turn goes to a cable modem. My cable IP has been blacklisted on 3 spam services. I need to monitor port 25 outbound traffic on my Netgear router. The router offers little or no monitoring abilities. Is there a software solution out there that anyone knows of that can monitor the internal or cable router for outbound SMTP traffic? I need something that is simple to use and will give me alerts when port 25 is flooded. I have a suspicion that one of the client PCs in the office started spamming out port 25. I cannot shut down port 25 because we have a legitimate fax server that pushes out faxes to internal users via email. Please advise.

Commented:
You could use something like Wireshark, but I don't think it will alert you ... you would just have to set up a filter and watch it.
Raymond Peng, Systems Engineer

Commented:
I believe Spiceworks can do this for you and is free. I haven't used it myself, but lots of admins utilize this.

http://www.spiceworks.com/
Hello,

You can try PRTG Port Sniffer http://www.paessler.com/info/port_sniffer or PRTG Network monitor http://www.paessler.com/prtg.

It is a really good tool, and simple to install and configure.

Regards!

Commented:
The ntop software will do exactly what you need - and give you statistics of all traffic; not only SMTP.

Typically you keep it running on a dedicated PC connected to the switch.

Author

Commented:
Thanks all for the info but I am still confused. I am an experienced network guy but I never got into the whole data analyzing and such. These programs offer the ability to see the bandwidth. I need to be able to see what is actually going out through my router though. For example, I want to see what SMTP traffic is flowing out of the router and I want to see the headers for the emails. I need to be able to tell if the SMTP traffic has stopped. I have multiple users who use Outlook so I can't shut down port 25. I did try to use SNMP but that only shows traffic, not the actual data. Please advise!
Hello,

As I said in my previous post, PRTG Port Sniffer is what you need.
From user manual (http://download.paessler.com/download/prtgmanual.pdf) page 496:
"Monitors the headers of data packets passing a local network card using built-in packet sniffer. You can choose from predefined channels. Only header traffic will be analyzed.

Note: This sensor can be set up on a Probe Device only! By default, you can only monitor traffic passing the PRTG probe system on which's Probe Device the sensor is set up (either a local or remote probe). To monitor other traffic in your network, you can configure a monitoring port (if available) to which the switch sends a copy of all traffic. You can then physically connect this port to a network card of the computer the PRTG probe (either local or remote probe) is running on. This way, PRTG will be able to analyze the complete traffic that passes through the switch. This feature of your hardware may be called Switched Port Analyzer (SPAN), port mirroring, or port monitoring."
Another thing you can try is Snort for Windows (or Linux if you have a Linux machine) - http://www.snort.org/start/download :
SNORT® is an open source network intrusion prevention system capable of performing real-time traffic analysis and packet logging on IP networks. Snort can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort is comprised of two major components: (i) a detection engine that utilizes a modular plug-in architecture (the “Snort Engine”) and (ii) a flexible rule language to describe traffic to be collected (the “Snort Rules”).
Regards!
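The two answers above both come down to the same detection idea: put a sniffer on a SPAN/mirror port (or a hub in front of the firewall), watch for outbound TCP/25 connection attempts, and alert when one internal host opens far more of them than the fax server or a normal Outlook client ever would. The script below is an added example, not code from the original thread or from PRTG/Snort. It reads tcpdump-style text (the kind `tcpdump -tttt -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'` prints), counts SYNs per internal source in a sliding window, skips the internal mail server (assumed here to be 192.168.1.5) so the fax server's legitimate relaying does not trip the alarm, and reports any other host over the threshold. The sample capture, the mail server address and the threshold are all constructed assumptions.

```python
"""Flag internal hosts that open too many outbound SMTP (TCP/25) connections.

Input: tcpdump text lines (-tttt -n). Only pure SYN packets to port 25 are
counted, because each one is a new mail delivery attempt; a spambot opens
hundreds of those per minute, a user's Outlook opens a handful per hour.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example: the LAN's own mail server. Connections TO it
# (fax server, Outlook users) are expected, and connections FROM it are its job.
MAIL_SERVER = "192.168.1.5"
ALLOWED_SOURCES = {MAIL_SERVER}
ALLOWED_DESTINATIONS = {MAIL_SERVER}

# Matches a tcpdump line for a SYN-only packet; SYN-ACKs show as "[S.]"
# and are deliberately not matched.
SYN_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[S\]"
)

# Constructed sample capture: 192.168.1.10 is the fax server, 192.168.1.20
# is the suspected spammer, 192.168.1.30 is an ordinary Outlook user.
SAMPLE_TCPDUMP = """\
2012-03-14 09:15:01.000001 IP 192.168.1.10.40001 > 192.168.1.5.25: Flags [S], seq 1, win 8192, length 0
2012-03-14 09:15:02.000001 IP 192.168.1.10.40002 > 192.168.1.5.25: Flags [S], seq 1, win 8192, length 0
2012-03-14 09:15:03.000001 IP 192.168.1.20.51001 > 203.0.113.7.25: Flags [S], seq 1, win 8192, length 0
2012-03-14 09:15:03.500000 IP 192.168.1.20.51002 > 198.51.100.12.25: Flags [S], seq 1, win 8192, length 0
2012-03-14 09:15:04.000001 IP 192.168.1.20.51003 > 203.0.113.99.25: Flags [S], seq 1, win 8192, length 0
2012-03-14 09:15:04.200001 IP 192.168.1.20.51004 > 192.0.2.44.25: Flags [S], seq 1, win 8192, length 0
2012-03-14 09:15:05.000001 IP 192.168.1.30.52001 > 192.168.1.5.25: Flags [S], seq 1, win 8192, length 0
2012-03-14 09:15:05.100000 IP 192.168.1.20.51005 > 203.0.113.8.25: Flags [S], seq 1, win 8192, length 0
2012-03-14 09:15:05.300000 IP 192.168.1.20.51001 > 203.0.113.7.25: Flags [P.], seq 1:60, ack 1, win 8192, length 59
2012-03-14 09:15:06.000000 IP 192.168.1.20.51006 > 198.51.100.200.25: Flags [S], seq 1, win 8192, length 0
2012-03-14 09:15:06.500000 IP 192.168.1.5.53001 > 203.0.113.7.25: Flags [S], seq 1, win 8192, length 0
2012-03-14 09:15:07.000000 IP 192.168.1.30.52002 > 203.0.113.50.587: Flags [S], seq 1, win 8192, length 0
"""


def parse_outbound_smtp_syns(lines, port=25):
    """Yield (timestamp, src_ip, dst_ip) for every SYN to `port` in the text."""
    for line in lines:
        m = SYN_LINE.match(line)
        if not m or int(m.group(5)) != port:
            continue  # not a SYN, or not SMTP: data/ack packets and 587 are skipped
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m.group(2), m.group(4)


def find_smtp_flooders(lines, threshold=5, window_seconds=60,
                       allowed_sources=ALLOWED_SOURCES,
                       allowed_destinations=ALLOWED_DESTINATIONS):
    """Return {src_ip: peak SYN count in any window} for hosts over threshold.

    A sliding window per source: each new SYN is appended, SYNs older than
    the window are dropped, and the host is flagged when the remaining count
    reaches the threshold. Traffic to/from the mail server is never counted.
    """
    recent = defaultdict(deque)
    peak = {}
    for ts, src, dst in parse_outbound_smtp_syns(lines):
        if src in allowed_sources or dst in allowed_destinations:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak


if __name__ == "__main__":
    # Pipe tcpdump output in, or run with no input to see the sample result.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_TCPDUMP.splitlines()
    for host, count in find_smtp_flooders(source).items():
        print(f"ALERT: {host} opened {count} outbound SMTP connections "
              f"bypassing {MAIL_SERVER} within 60s")
```

Run it on a live mirror port with `tcpdump -i eth1 -tttt -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25' | python3 smtp_flood.py` (the `-l` keeps tcpdump line-buffered so alerts are not delayed). The mail-server exemption is what lets port 25 stay open for the fax server and Outlook users: their sessions terminate at 192.168.1.5, while a spambot talks straight to hundreds of external MX hosts, which is exactly the pattern that gets a cable IP blacklisted.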

Commented:
ntop is a very simple program.
It also "listens" to all the traffic on the network, and it automatically creates statistics over this traffic, for example:

how much SMTP traffic does each PC send and receive
to which external servers does the SMTP traffic go

...and hundreds of other reports.

You just need to get all the traffic to the PC that has ntop running.

That could be a monitoring port on a switch, or you can use a hub between your switch and firewall, and connect the PC to the hub.
Khandakar Ashfaqur Rahman, Expert/Consultant

Commented:
Hello,
You should create rules like:

Action   Source     Source Port   Destination           Destination Port
Allow    Your LAN   Any           Your Mail Server IP   25
Deny     Any        Any           Any                   25

To monitor your network you can use Wireshark (if you have a manageable switch then you could mirror a port).

Or if you have a Linksys wireless router you could enable Administration > Log. Then you could see incoming and outgoing traffic. I'm not sure about Netgear.