Hello, I need to make sure that our data flow, specifically our email flow, is following a certain path, or I should say to find out what path it comes in and out of our network. For example, when email enters our network we want to make sure that it flows seamlessly in a correct manner as well as when it leaves our network, not looping around, getting stuck somewhere for unnecessary amount of time, etc.. Our network is quite complex so I want to know if there is a way I can follow email traffic and see the actual path it takes from the client to the gateway and vice versa. I would like to see some sort of report I can look at to see all the different devices it stops at etc..Is it possible to do this with Wireshark? Thanks!
asked 22 Mar '11, 14:11
No. You can't unless you capture at every single router hop. There are many factors that complicate this. For example, when you have redundant paths in the network, the forwarding decision is not made based on the routing table (RIB) but the forwarding table (FIB). So things like Cisco's CEF come into picture. But I think you're worried about the wrong things.
Your network can't be that complicated, and if routing loops are common enough to worry about, then the infrastructure is fundamentally flawed.
In a modern day network, routers and switches are rarely the bottleneck. Especially if you're talking about email servers.
What you may want to analyze are TTL fields as the packets traverse your network. So long as it doesn't vary by that much, you are most likely taking the same route.
Do you have a Cisco based network? If so, I have a Visio program that maps out the network at the CEF level. So the macro takes source IP, source IP's GW, and destination. It then logs into every router and looks at the CEF table. It only works for IOS based routers and will not work on Nexus platform.
answered 23 Mar '11, 16:36
IP has an option that encourages routers to record their own IP address in the IP header. Try this on a Windows system:
The option "-r 9" leaves room for a maximum of 9 devices to record their IP address.
The option is from the "good old days" of the Internet. So your firewall, IPS or other device might drop the packet because we most networks don't need any option in the IP header.
If you just want to see which mail servers process the message: Try looking at the X-headers where the mail servers, SPAM gateways and virus filters all leave a time stamp (including their IP address). These headers are usually hidden from the user. Each program has an option to make them visible.
answered 24 Mar '11, 09:57
edited 24 Mar '11, 09:59
Since you are precisely referring to email flow - why don't check email headers in any email client to see what all smtp relay servers it has used. That should give you directions of the exact mail flow.
answered 25 Mar '11, 01:47