This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SMTP Filter over NLB

0

Hi,

I am trying to filter packets using Wireshark 1.10.5. but am facing some issues and need help. I have two IIS web servers "A" (Primary) and "B" on NLB which has shared web application hosted on it. These web applications sends out mails to users via a smtp mail server and I need to capture this mails.

I set simple capture filter on both the servers for "host <ipaddressofsmtpmailserver>". While I can see the imf messages packets on "B"(and traffic to and from the mailserver to "B"), I get to see only one way traffic on "A"(from mailserver). I am not sure if NLB is the reason . What's wrong?

Thanks Amit

asked 12 Feb '14, 01:48

amitcumar's gravatar image

amitcumar
11112
accept rate: 0%

One Answer:

0

While I can see the imf messages packets on "B"(and traffic to and from the mailserver to "B"), I get to see only one way traffic on "A"(from mailserver).

that's how NLB works. All nodes have the same IP address (with shared cluster MAC addresses) and thus all nodes get the same incoming traffic. One node handles the packet (if the session is in its session table) and all other nodes simply drop that packet. The same holds true for all other nodes. That's how traffic is distributed to all nodes.

See the following links for more information

https://blogs.technet.com/b/networking/archive/2008/10/01/nlb-101-how-nlb-balances-network-traffic.aspx
http://technet.microsoft.com/en-us/library/cc725691.aspx

So, in a NLB cluster, you will always see the whole incoming traffic on all nodes, but the outgoing traffic only on the node that sends something.

Why you don't see any outgoing SMTP traffic on node A could have several reasons

  • node A simply does not send any mails (bug in the software, smtp service crashed, etc.)
  • all clients have the same source address (Proxy or NAT) and thus NLB 'balances' them all to the same node, in your case node B
  • etc.

What's wrong?

I don't know ;-)

  • What happens if you telnet to the SMTP server on port 25 from node A (telnet 1.2.3.4 25)? Do you see that traffic on node A in Wireshark?
  • Is the SMTP service working properly on node A?
  • How is the HTTP traffic distributed to the nodes (see NLB statistics)? Maybe everything ends up on node B and thus node A has nothing to send via SMTP. Maybe NLB is even configured to work in that way: Everything to node B, until it dies, then everything to node A.

Regards
Kurt

answered 12 Feb '14, 02:45

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 12 Feb '14, 02:53

Kurt, I must thank you for the quick comment.

Let me add some more details to the issue - On node A, I can see the SMTP traffic with acknowledgement/response and new mail message ID(generated from the SMTP Server), But can't see the IMFs.

"but the outgoing traffic only on the node that sends something." - I have verified that the traffic was sent out from node A but still the capture did not show this.

I have verified with telnet from both the nodes A and B respectively and am successfully able to send out mail from both the nodes individually. The network capture for this (and without any filter) on node A still captures only oneway acknowledgement(incoming) and ARP traffic only, while node B shows both incoming and outgoing. One important observation, when I drainstop node B, I start seeing both way traffic on node A.

(12 Feb '14, 03:24) amitcumar

The network capture for this (and without any filter) on node A still captures only oneway acknowledgement(incoming) and ARP traffic only, while node B shows both incoming and outgoing.

interesting.

is it possible to post the capture file of both telnet sessions (port 25) from node a and node b (google drive, dropbox, cloudshark.org)?

(12 Feb '14, 03:54) Kurt Knochner ♦

BTW: are the two nodes absolutely identical (same hardware, same software, same OS, same patches, etc.)?

(12 Feb '14, 03:56) Kurt Knochner ♦