
Need to find a machine

RadiclDreamer

Diamond Member
I have a machine on one of my VLANs that is generating a ton of SMTP traffic. I am having trouble locating it since we have around 1500 machines in a fairly large building. We have since blocked port 25 on that VLAN, but we really want to find the machine and disable it. Any ideas of how to do this?
 
Use Ethereal to find out the IP/MAC of the machine. Search your switches' ARP tables for the offending MAC and the correlating port number. Then, it's hammer time!

I usually just disable the port and wait for the user to find me 😛 mwuaha
 
Well, I've never used Ethereal personally. Any tips? Do I just start it on the same VLAN as the offending host? I can't really tell much about the traffic since our NAM module went out and we are working on getting it back up. The only way we knew it was sending SMTP en masse is because we got a letter from our ISP's network abuse department.
 
You'll have to define a rule to log SMTP traffic coming from the inside.

Also, about the note from your provider - it is best practice to block all outbound SMTP except from your mail gateways.
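The advice above (log outbound SMTP at the firewall, and allow it only from the mail gateways) boils down to reviewing the firewall's logs for any inside host other than a gateway connecting to TCP/25. The following is an added example, not code from this thread: it parses constructed log lines in the kernel/iptables LOG format and reports which sources made outbound SMTP connections and which of them are not on the approved gateway list. The hosts, addresses and the `MAIL_GATEWAYS` allowlist are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of firewall log lines in the kernel/iptables LOG format.
# Hosts and addresses are hypothetical and not taken from the thread.
SAMPLE_FW_LOG = """\
Mar 10 09:14:02 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.5.77 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=25 SYN
Mar 10 09:14:02 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.5.77 DST=198.51.100.8 PROTO=TCP SPT=51235 DPT=25 SYN
Mar 10 09:14:03 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.1.25 DST=192.0.2.44 PROTO=TCP SPT=40010 DPT=25 SYN
Mar 10 09:14:03 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.5.77 DST=203.0.113.11 PROTO=TCP SPT=51236 DPT=25 SYN
Mar 10 09:14:04 fw kernel: OUT-WEB IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.5.77 DST=203.0.113.80 PROTO=TCP SPT=51237 DPT=80 SYN
"""

# Constructed allowlist: the only internal hosts that are supposed to send mail directly.
MAIL_GATEWAYS = {"10.20.1.25"}

# Pull the 5-tuple fields out of a LOG line; the message prefix and MAC are ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def outbound_smtp_by_source(log_text, gateways=MAIL_GATEWAYS):
    """Count connection attempts to TCP/25 per source address.

    Returns (counts, offenders): counts covers every source seen talking to
    port 25, offenders is the subset that is not an approved mail gateway.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != 25:
            continue  # not an outbound SMTP attempt
        counts[m["src"]] += 1
    offenders = {src: n for src, n in counts.items() if src not in gateways}
    return counts, offenders


if __name__ == "__main__":
    counts, offenders = outbound_smtp_by_source(SAMPLE_FW_LOG)
    for src, n in counts.most_common():
        tag = "gateway" if src in MAIL_GATEWAYS else "NOT ALLOWED"
        print(f"{src:15} {n:4} SMTP attempts  [{tag}]")
```

On the constructed sample the gateway shows one legitimate connection, while 10.20.5.77 shows three attempts and is flagged; the same parsing works on a real LOG-target log once the rule that logs outbound port 25 is in place.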
 
Spidey's method would indeed be easier, but if it's not an option...

Create a SPAN port with the VLAN interface, plug in a laptop running Ethereal in promiscuous mode, and start sniffing. If the machine is as talkative as you say, it should show up almost immediately.

Apply a filter (or sort by protocol) and find your offending machine!
 
You need to be looking at Wireshark. Ethereal changed to Wireshark a few years ago. You can search on various things, and I'm sure you could filter for SNMP packets. Once you have one of the packets you should be able to get the IP address and the MAC address. If you want to be sure, you can filter on the IP address and the packet being SNMP; once you have the right IP address, Wireshark should show loads of packets.

Rob.
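The sniff-then-correlate procedure described in the replies above (capture on a SPAN port, filter for the mail traffic, take the source IP and MAC, then look the MAC up in the switch's forwarding table to get the port) can be scripted once the capture is exported as text. The following is an added example, not code from this thread or from the Wireshark project: it assumes the capture was exported with Wireshark's command-line companion `tshark` using `-T fields -e eth.src -e ip.src -e ip.dst -e tcp.dstport` (tab-separated, that field order), and that the switch table was pasted in the shape of a `show mac address-table` listing. All hosts, MACs and ports in the sample data are constructed.

```python
from collections import Counter

# Constructed capture summary, one packet per line, in the field order
# `tshark -T fields -e eth.src -e ip.src -e ip.dst -e tcp.dstport` emits.
# Hosts and addresses are hypothetical and not taken from the thread.
SAMPLE_CAPTURE = """\
00:1a:2b:3c:4d:01\t10.20.5.77\t203.0.113.10\t25
00:1a:2b:3c:4d:01\t10.20.5.77\t198.51.100.8\t25
00:1a:2b:3c:4d:02\t10.20.5.12\t10.20.1.5\t443
00:1a:2b:3c:4d:01\t10.20.5.77\t203.0.113.11\t25
00:1a:2b:3c:4d:03\t10.20.5.99\t192.0.2.44\t25
00:1a:2b:3c:4d:01\t10.20.5.77\t203.0.113.12\t25
"""

# Constructed excerpt in the shape of a switch `show mac address-table` listing
# (VLAN, MAC in dotted notation, type, port), header lines included.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    001a.2b3c.4d01    DYNAMIC     Gi1/0/17
  50    001a.2b3c.4d02    DYNAMIC     Gi1/0/3
  50    001a.2b3c.4d03    DYNAMIC     Gi2/0/41
"""


def normalize_mac(mac):
    """Collapse aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aa-bb-cc-dd-ee-ff to 12 lowercase hex digits."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def smtp_talkers(capture_text):
    """Count packets to TCP/25 per (source MAC, source IP), most active first."""
    counts = Counter()
    for line in capture_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # malformed or non-IP line
        src_mac, src_ip, _dst_ip, dst_port = fields
        if dst_port == "25":
            counts[(normalize_mac(src_mac), src_ip)] += 1
    return counts.most_common()


def parse_mac_table(table_text):
    """Map normalized MAC -> (vlan, port); header and separator lines are skipped."""
    table = {}
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mac = normalize_mac(parts[1])
        if len(mac) != 12:
            continue  # "Mac Address" header or "-----" separator, not an entry
        table[mac] = (parts[0], parts[3])
    return table


def locate_top_smtp_sender(capture_text, table_text):
    """Identify the busiest SMTP source and the switch port it was learned on."""
    talkers = smtp_talkers(capture_text)
    if not talkers:
        return None  # nothing on port 25 in this capture
    (mac, ip), n = talkers[0]
    vlan, port = parse_mac_table(table_text).get(mac, (None, None))
    return {"mac": mac, "ip": ip, "smtp_packets": n, "vlan": vlan, "port": port}


if __name__ == "__main__":
    print(locate_top_smtp_sender(SAMPLE_CAPTURE, SAMPLE_MAC_TABLE))
```

On the sample data the busiest source is 10.20.5.77 (four packets to port 25), whose MAC the table puts on Gi1/0/17 in VLAN 50. A `port` of `None` means the MAC was learned on another switch, so the lookup has to be repeated on the uplink's neighbour.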
 