Packet Filtering information required

Tags: Network security, packet analysis, Packet filtering, Packet Sniffing
Hi, one of our PCs, which is running Red Hat, is sending SMTP packets to the firewall. Though the firewall drops the packets, it logs them. We wanted to know:

1. If we have to run a packet capture tool, where do we run it: on the firewall or on the PC?
2. We ran a network monitoring tool, but did not find any service/application on the rogue PC that is sending SMTP packets. How do I trace it back to the service/application?

Thanks in advance.
Regards, Jagdish

Answer Wiki


netstat will show you the connections in use and should also show you the PID of the process making the connection. You can capture at either location, but it may be better to span the client switch port to an analyzer port or hub out with an analyzer on the client link.

Discuss This Question: 2  Replies

  • petkoa
    Hi, maybe there is a quite legitimate reason for the Red Hat box to send mail ("SMTP packets"): e.g., a cron job is outputting something, and this is automatically mailed to the user to whom the cron job belongs. Generally, you can recognize this kind of activity by its periodicity, but not always, e.g. a job running every hour but outputting some information on an irregular basis... Then netstat will not be very useful in your case: either you have the mailer daemon running (which is normal) and port 25 is open all the time, or your "offending" process (or legitimate cron) is starting the mailer when it is needed, which is hardly predictable, as I discussed earlier. I am not really sure what to advise; maybe you'll inspect the mail logs; if cron or some other legitimate job is the culprit, they will not hide their mailings from logging; otherwise, set up a "mail proxy" on the firewall which intercepts this mailing activity (and maybe run an ident daemon on the Red Hat box so as to give more information about the sending user) and inspect the mails. Good luck, Petko
    3,140 points
  • Gnsc
    What software is running on the RH box? Try running Wireshark or another packet sniffer, either inline to the PC or via a span port on the PC's switch. It should capture not only the activity but the packets themselves, so they can be reviewed. This will also show you if there is a pattern to the traffic. Look at the destination of the packets for a clue. Look at the packets to see if they really are SMTP or just spurious stuff talking to port 25. The best way to solve a problem is to have as much info as possible. This is the starting point.
    20 points
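The netstat approach from the answer above, combined with Petko's point that the sender may only connect for a moment when a cron job fires the mailer, as an added example that is not part of the original thread. It assumes a Linux host with net-tools `netstat` run as root (otherwise the PID/program column is blank) and, as a generalization beyond the thread, also matches the SMTP submission ports 465 and 587; the sample netstat output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find which local process owns a
# connection to a remote SMTP port, parsing `netstat -tnp` style output.
# Assumes Linux with net-tools netstat, run as root so PIDs are visible.

# Constructed sample of `netstat -tnp` output, used for offline testing.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.50:22         192.168.1.10:51234      ESTABLISHED 1122/sshd
tcp        0      0 192.168.1.50:43210      203.0.113.25:25         SYN_SENT    4711/perl
tcp        0      0 192.168.1.50:43211      203.0.113.25:25         ESTABLISHED 4711/perl
tcp        0      0 192.168.1.50:43299      198.51.100.9:587        ESTABLISHED 2231/sendmail'

# Read netstat -tnp lines on stdin; print "PID program foreign_address"
# for every TCP connection whose foreign port is 25, 465 or 587.
# The port is the last colon-separated field, so IPv6 addresses work too.
smtp_clients() {
    awk '$1 == "tcp" || $1 == "tcp6" {
            n = split($5, f, ":"); port = f[n]
            if (port == "25" || port == "465" || port == "587") {
                split($7, p, "/")
                print p[1], p[2], $5
            }
        }' | sort -u
}

# A one-off netstat misses short-lived connections (a cron job starting
# the mailer), so poll every N seconds and timestamp each hit. Ctrl-C stops it.
watch_smtp_clients() {
    interval="${1:-1}"
    while :; do
        netstat -tnp 2>/dev/null | smtp_clients | sed "s/^/$(date '+%FT%T') /"
        sleep "$interval"
    done
}
```

Once a PID is known, `ls -l /proc/<PID>/exe` and `ps -o user,cmd -p <PID>` identify the binary and the user, which is what you need to cross-check against the cron and mail logs Petko mentions.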
