Ethernet monitoring/tracing question

NoOp glgxg at
Sun Nov 30 04:43:43 UTC 2008

On 11/29/2008 09:24 AM, Bart Silverstrim wrote:
> I was pondering this question regarding tracking a machine on a network.
> I was looking at a traffic dump from Wireshark on a network of roughly 
> 800 systems.
> I saw traffic labeled SMTP, destined for a legit mail gateway, but 
> originating from IP's outside our network and the traffic being 
> broadcast was obvious spam content.
> I'm thinking that since a workstation should not be able to *see* 
> network traffic in a network originating from and 
> networks and such, these are spoofed.
> Is there a way without playing with the switches and their ports to 
> trace what machines sending these email messages? I figure it had to 
> have traffic of the actual IP somewhere or the SMTP conversation would 
> fail, and I didn't see a MAC address in there.

Yes, but you'd need to provide more detail (off-list is a good idea). My
_guess_ would be that you are being hammered by botnet attempts which
isn't in itself unusual these days. The real concern would be if: 1) one
of those bots are originating from the network, and 2) if you perhaps
have an unsecured relay within the network that the bots can find. I
reckon that Mark Haney would be a good source to assist as he is an SA
for an ISP (ERC Broadband). However, I'd also be quite willing to assist
off-list if you'd like.

More information about the ubuntu-users mailing list