I think you could get away with using something like ettercap (http://ettercap.sourceforge.net/) connected to the same switch to collect the traffic going to the gateway. It does some man-in-the-middle sniffing, so even in a switched environment you can see all traffic going to another host. It's been a while since I used it, but if you prefer to look at the traffic in wireshark it spits out a file that's readable (at least I think it does).
Dennis
On Mon, Mar 24, 2008 at 2:16 PM, Mark Rogers mark@quarella.co.uk wrote:
Wayne Stallwood wrote:
Once you have collected a bit of information it is easy to filter the results down to SMTP traffic only, then filter out your exchange server.
In that case I'll give wireshark a go and if I have any trouble filtering the results sensibly I'll ask for some more advice when I reach that point.
Alternatively things like Netgear DG834s will log dropped packets if you banned SMTP out from anything other than the exchange server. That would quickly point to the culprit and unless there is any explicit reason why everyone needs SMTP outbound I would be tempted to leave that rule in place anyway.
A very good point, and a quick fix if the router is capable. I don't recall the brand but it's handling a 3-site VPN as well as road warriors so (a) it's reasonably capable and (b) I'm not in a position to swap it out.
If you are wanting to do this on site then it really starts to depend on how things are set up there. Is it, for example, a typical SBS setup where the exchange server also happens to be the default gateway for the clients?
SBS is not a gateway. The gateway is the router, which I am pretty sure has a built in switch (not hub) so I'd have to drop a hub in between the router and anything upstream to catch the traffic. Thanks for reminding me about that - I'd already thought about the traffic not being visible at a switch but had then gone on to think I could solve that by plugging a laptop directly into the router, forgetting that the router is just as much a switch as any of the others on the LAN.
-- Mark Rogers // More Solutions Ltd (Peterborough Office) // 0845 45 89 555 Registered in England (0456 0902) at 13 Clarke Rd, Milton Keynes, MK1 1LG
main@lists.alug.org.uk http://www.alug.org.uk/ http://lists.alug.org.uk/mailman/listinfo/main Unsubscribe? See message headers or the web site above!
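The filtering step discussed in the thread (narrow a capture to SMTP, then exclude the mail server) can be scripted. This is an added example, not code from any of the posters: it reads a classic pcap file with only the Python standard library and counts new outbound connections to port 25 per source address. It assumes an Ethernet/IPv4 capture, and the addresses and the `sample_pcap` helper are constructed for illustration.

```python
import struct
from collections import Counter

def smtp_senders(pcap, mail_server, port=25):
    """Count new TCP connections (SYN) to `port` per source IP, skipping mail_server."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    hits, off = Counter(), 24  # 24-byte global header, then per-packet records
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Ethernet (14) + minimal IPv4 (20) + TCP (20); EtherType 0x0800 is IPv4
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4  # IHL gives the IPv4 header length
        if frame[23] != 6 or len(frame) < tcp + 14:  # IP protocol 6 is TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dport = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
        # SYN set and ACK clear marks a client opening a connection
        if dport == port and (frame[tcp + 13] & 0x12) == 0x02 and src != mail_server:
            hits[src] += 1
    return hits

def _frame(src, dst, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame, checksums left as zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture; every address here is made up for the example."""
    frames = [
        _frame("192.168.1.10", "203.0.113.5", 25, 0x02),   # mail server: expected
        _frame("192.168.1.57", "198.51.100.9", 25, 0x02),  # workstation sending directly
        _frame("192.168.1.57", "198.51.100.7", 25, 0x02),
        _frame("192.168.1.57", "198.51.100.7", 25, 0x10),  # ACK only: not a new connection
        _frame("192.168.1.33", "203.0.113.80", 80, 0x02),  # web traffic: ignored
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(smtp_senders(sample_pcap(), mail_server="192.168.1.10"))
```

A capture saved by Wireshark in pcapng format needs converting to classic pcap first, since this parser rejects anything else.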