Hello. I have problems with a PC/PCS from my LAN network. One PC made spam on 25 port but i don't know who. My Network is like ex: ROUTER (with wan IP -xxx.xxx.xxx.xxx snd lan IP 192.168.1.1) and many PC's linked to router . I want to install whireshark on a pc from network (192.168.1.2) to monitoring the router to find what PC from LAN made spam on internet. How i can do that with WireShark? asked 29 Apr '12, 06:47 luciffere |
2 Answers:
Unless you can make your router mirror or span the traffic from other ports onto the port to which your Wireshark machine is connected then you will probably not be able to see the traffic as your router is most likely to be a switch and Wireshark will not be able to capture traffic from the other ports. If you post some more info about your router (make and model) and your WAN type (DSL, Cable, Fibre) we may give you more help. See the Capture Setup page on the Wiki for more info about capturing. answered 29 Apr '12, 10:11 grahamb ♦ |
as your router does not support port mirroring, there are two "cheap" options. 1.) Buy a cheap switch that is able to do port mirroring (e.g. HP ProCurve Switch 1810G-8, 8-Port, managed) and plug it between your router and the lan switch of your network. Then connect a sniffer to the mirrord port and filter on 'port 25'. 2.) Add a second network interface to your sniffer PC / Laptop and create a brigde between the two interface. Then connect the router to one interface and the lan switch to the other interface. Start sniffing on any one of the interfaces. DON'T switch off the PC/Laptop, as this will interrupt your internet connection. If you're done with sniffing, re-connect the router to the internal switch. Create a Bridge with Windows 7 Create a Bridge with Linux Regards answered 30 Apr '12, 16:24 Kurt Knochner ♦ edited 30 Apr '12, 16:24 |
My router is ASUS WL520gc and the WAN type is:
WAN Type: Static
IP Address: 82.77.xxx.xxx
Subnet Mask: 255.255.255.224
Gateway: 82.77.xxx.xx
DNS Servers: 217.156.101.10
LAN Interface IP Address: 192.168.1.1 Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
continue: Firmware Version: 2.0.1.1
OK, that's a "Cable" type wireless router, with the stock firmware it won't mirror or span ports for either the wired or wireless traffic.
If you connected a hub or a switch that could mirror port on the WAN side then although you would be able to see the SPAM traffic, it's likely that the IP addresses of the traffic won't help as your Asus router will have NAT'd them to the WAN IP.
I think you are just going to have to visit each machine and inspect it for the SPAM traffic, either by installing Wireshark or looking at the output of netstat for connections on port 25.