Ethernet monitoring/tracing question
glgxg at sbcglobal.net
Sun Nov 30 04:43:43 UTC 2008
On 11/29/2008 09:24 AM, Bart Silverstrim wrote:
> I was pondering this question regarding tracking a machine on a network.
> I was looking at a traffic dump from Wireshark on a network of roughly
> 800 systems.
> I saw traffic labeled SMTP, destined for a legit mail gateway, but
> originating from IP's outside our network and the traffic being
> broadcast was obvious spam content.
> I'm thinking that since a workstation should not be able to *see*
> network traffic in a 10.xxx network originating from 63.xxx and 83.xxx
> networks and such, these are spoofed.
> Is there a way without playing with the switches and their ports to
> trace what machines sending these email messages? I figure it had to
> have traffic of the actual IP somewhere or the SMTP conversation would
> fail, and I didn't see a MAC address in there.
Yes, but you'd need to provide more detail (off-list is a good idea). My
_guess_ would be that you are being hammered by botnet attempts which
isn't in itself unusual these days. The real concern would be if: 1) one
of those bots are originating from the network, and 2) if you perhaps
have an unsecured relay within the network that the bots can find. I
reckon that Mark Haney would be a good source to assist as he is an SA
for an ISP (ERC Broadband). However, I'd also be quite willing to assist
off-list if you'd like.
More information about the ubuntu-users