This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Looking for a computer sending out spam: how do I find it using Wireshark?

0

I am looking for a computer sending email. I have an IP of the source, and I am trying to locate the machine. It is internal on our domain; we are using NAT. The emails are getting blocked, I am just trying to locate the computer, any ideas? All the posts I read say to use Wireshark. I have version 1.6.7.

Thank you

coz

asked 15 Jun '12, 07:56

Coz
accept rate: 0%


2 Answers:

0

If you have the IP address of the machine, you don't necessarily need Wireshark. There are several options:

If it's a Windows machine:

  • Run this command on a computer that is a member of the domain: nbtstat -a x.x.x.x. Maybe you can spot the computer name or even a logged-on user in the output (depends on some settings in the domain).
  • Mount the C drive of that machine and check the local copy of the domain profiles to figure out who is working on that computer: net use * \\x.x.x.x\c$. The domain admin account will give you access to that share.

If it's not a Windows machine, or nbtstat did not help:

  • Ping it from a computer in the same network: ping x.x.x.x
  • Get the MAC address: arp -a | find "x.x.x.x"
  • Go to your network admin and ask him to tell you the switch port that MAC address is connected to.
  • Follow the cable to the machine.

Regards
Kurt

answered 15 Jun '12, 08:02

Kurt Knochner ♦
accept rate: 15%

edited 15 Jun '12, 08:12

Great information, but:

I have an IP of the source of the email, and it's external (112.xxx.xxx.xxx). But I do not have the internal machine, which would be on 10.xxx.xxx.xxx. The emails are going through the email server, but they are being blocked at the gateway. Like I said, I have the source IP; someone might be telnetting or remoting in with the source IP. I am trying to locate the machine that is being used on our network.

Thank you,

Coz

(15 Jun '12, 08:11) Coz

BTW: If you add a comment to my answer it will be easier to follow the conversation.

O.K. I thought the IP was on your LAN, as you said: "it is internal on our domain".

Anyway, in that case you need Wireshark.

  • Run Wireshark on a mirror port of your internal mail server. See here how to do that: http://wiki.wireshark.org/CaptureSetup/Ethernet
  • Run Wireshark with this capture filter: "port 25" (see the wiki if you don't know how to do it).
  • Sniff until you think there is enough data (some minutes, maybe hours).
  • Analyze the data by looking for some string pattern you know to be in the spam mail. Use this display filter: tcp contains "string in spam mail"
  • As soon as you find a match, look at the source IP address in Wireshark. If it's not the mail server, it's the IP address of the spammer.

CONSTRAINT: if the spammer sends mail through MAPI (Exchange), you need a different capture filter. Try SMTP (port 25) first and see what you find.

(15 Jun '12, 08:21) Kurt Knochner ♦

Thanks,

I will try that. Also, sorry about the confusion in the post.

Coz

(15 Jun '12, 09:41) Coz

0

If whatever machine is doing the NAT keeps a record of the internal-IP+port to external-IP+port mappings it has in effect at particular times, and you know what time the spam was sent, you could try using that.

answered 15 Jun '12, 10:40

Guy Harris ♦♦
accept rate: 19%
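An added example (not from this thread) of the correlation Guy describes: given the time the gateway blocked the mail and the external IP:port it saw, look up which internal host held that NAT mapping at that moment. The NAT log format, addresses and timestamps are constructed; real NAT devices log differently, and open/close tracking matters because a translated port is reused once a mapping closes.

```python
"""Find the internal host behind a NAT mapping at a given point in time."""
import re
from datetime import datetime

# Constructed NAT translation log (hypothetical format): one line per mapping
# open/close, "internal_ip:port -> translated_ip:port".
NAT_LOG = """\
2012-06-15 07:50:01 open  10.0.5.17:49152 -> 203.0.113.9:40001
2012-06-15 07:50:09 open  10.0.5.42:33120 -> 203.0.113.9:40002
2012-06-15 07:51:30 close 10.0.5.17:49152 -> 203.0.113.9:40001
2012-06-15 07:52:00 open  10.0.5.88:51000 -> 203.0.113.9:40001
"""

LINE_RE = re.compile(
    r"^(\S+ \S+)\s+(open|close)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$"
)


def parse_nat_log(text):
    """Return a list of (timestamp, kind, (int_ip, int_port), (ext_ip, ext_port))."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not mapping events
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        internal = (m.group(3), int(m.group(4)))
        external = (m.group(5), int(m.group(6)))
        events.append((ts, m.group(2), internal, external))
    return events


def internal_host_for(events, ext_ip, ext_port, when):
    """Replay mapping events up to `when`; return the internal (ip, port)
    that owned ext_ip:ext_port at that instant, or None if no mapping was active."""
    active = {}
    for ts, kind, internal, external in sorted(events, key=lambda e: e[0]):
        if ts > when:
            break
        if kind == "open":
            active[external] = internal
        else:
            active.pop(external, None)
    return active.get((ext_ip, ext_port))


if __name__ == "__main__":
    evs = parse_nat_log(NAT_LOG)
    blocked_at = datetime(2012, 6, 15, 7, 50, 30)  # time from the gateway's block log
    print(internal_host_for(evs, "203.0.113.9", 40001, blocked_at))
```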