Wayne Stallwood wrote:
Once you have collected a bit of information it is easy to filter the results down to SMTP traffic only, then filter out your exchange server.
In that case I'll give wireshark a go and if I have any trouble filtering the results sensibly I'll ask for some more advice when I reach that point.
Alternatively, things like Netgear DG834s will log dropped packets if you banned SMTP out from anything other than the Exchange server. That would quickly point to the culprit, and unless there is any explicit reason why everyone needs SMTP outbound I would be tempted to leave that rule in place anyway.
A very good point, and a quick fix if the router is capable. I don't recall the brand, but it's handling a 3-site VPN as well as road warriors, so (a) it's reasonably capable and (b) I'm not in a position to swap it out.
If you are wanting to do this on site then it really starts to depend on how things are set up there. Is it, for example, a typical SBS setup where the Exchange server also happens to be the default gateway for the clients?
SBS is not a gateway. The gateway is the router, which I am pretty sure has a built-in switch (not hub), so I'd have to drop a hub in between the router and anything upstream to catch the traffic. Thanks for reminding me about that - I'd already thought about the traffic not being visible at a switch but had then gone on to think I could solve that by plugging a laptop directly into the router, forgetting that the router is just as much a switch as any of the others on the LAN.
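The filtering step Wayne describes (keep only SMTP, then drop the Exchange server) is easy to script once the capture is in hand. The following is an added example, not code from anyone in this thread: it parses a small constructed sample of tcpdump-style lines, keeps only new outbound connections to port 25 (SYN without ACK), ignores the Exchange server and internal mail submission to it, and reports which LAN host is sourcing SMTP directly to the Internet. The Exchange address 192.168.1.10 and the 192.168.1.0/24 subnet are assumptions; the equivalent Wireshark display filter is also generated so the same check can be applied in the GUI.

```python
import re
from collections import defaultdict

# Assumptions for this example (not from the thread): the site's Exchange
# server address and the local subnet prefix.
EXCHANGE_SERVER = "192.168.1.10"
LAN_PREFIX = "192.168.1."
SMTP_PORT = 25

# Constructed sample in tcpdump's default TCP output format; not real traffic.
SAMPLE_CAPTURE = """\
10:15:01.000100 IP 192.168.1.10.50123 > 203.0.113.25.25: Flags [S], seq 1, win 64240, length 0
10:15:01.000200 IP 192.168.1.10.50124 > 198.51.100.7.25: Flags [S], seq 2, win 64240, length 0
10:15:02.100000 IP 192.168.1.57.40001 > 203.0.113.25.25: Flags [S], seq 3, win 8192, length 0
10:15:02.100100 IP 192.168.1.57.40002 > 198.51.100.7.25: Flags [S], seq 4, win 8192, length 0
10:15:02.100200 IP 192.168.1.57.40003 > 192.0.2.9.25: Flags [S], seq 5, win 8192, length 0
10:15:03.000000 IP 192.168.1.23.51000 > 192.168.1.10.25: Flags [S], seq 6, win 64240, length 0
10:15:03.500000 IP 192.168.1.23.51001 > 93.184.216.34.443: Flags [S], seq 7, win 64240, length 0
10:15:04.000000 IP 203.0.113.25.25 > 192.168.1.10.50123: Flags [S.], seq 8, ack 2, win 65535, length 0
"""

# timestamp IP src.sport > dst.dport: Flags [..]
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict of src/sport/dst/dport/flags for one tcpdump TCP line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def unexpected_smtp_senders(capture_text, exchange_ip=EXCHANGE_SERVER, lan_prefix=LAN_PREFIX):
    """Map each LAN host (other than Exchange) that opens SMTP connections to the
    outside world to its attempt count and the distinct destinations it contacted."""
    attempts = defaultdict(int)
    destinations = defaultdict(set)
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] != SMTP_PORT or rec["flags"] != "S":
            continue  # only new outbound connection attempts, not replies or data
        if not rec["src"].startswith(lan_prefix):
            continue  # traffic originating outside the LAN is not our concern here
        if rec["src"] == exchange_ip:
            continue  # the mail server is allowed to talk SMTP outbound
        if rec["dst"].startswith(lan_prefix):
            continue  # clients submitting mail to the internal server is expected
        attempts[rec["src"]] += 1
        destinations[rec["src"]].add(rec["dst"])
    return {
        src: {"attempts": attempts[src], "destinations": sorted(destinations[src])}
        for src in attempts
    }


def wireshark_display_filter(exchange_ip=EXCHANGE_SERVER, lan_net="192.168.1.0/24"):
    """The same selection expressed as a Wireshark display filter."""
    return (
        f"tcp.dstport == {SMTP_PORT} && tcp.flags.syn == 1 && tcp.flags.ack == 0"
        f" && ip.src == {lan_net} && ip.src != {exchange_ip} && !(ip.dst == {lan_net})"
    )


if __name__ == "__main__":
    for host, info in unexpected_smtp_senders(SAMPLE_CAPTURE).items():
        print(f"{host}: {info['attempts']} SMTP attempts to {', '.join(info['destinations'])}")
    print("Wireshark filter:", wireshark_display_filter())
```

On the sample above only 192.168.1.57 is reported: the Exchange server's own outbound mail, the client submitting to Exchange on port 25, the HTTPS connection and the inbound SYN/ACK from outside are all filtered out. A host fanning out SYNs to many distinct mail servers in a short window is the pattern worth looking at first; the router rule Wayne suggests would turn the same condition into a dropped-packet log entry instead of a capture.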