This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

monitoring packet flow

0

Hello, I need to make sure that our data flow, specifically our email flow, is following a certain path, or I should say to find out what path it comes in and out of our network. For example, when email enters our network we want to make sure that it flows seamlessly in a correct manner as well as when it leaves our network, not looping around, getting stuck somewhere for an unnecessary amount of time, etc. Our network is quite complex so I want to know if there is a way I can follow email traffic and see the actual path it takes from the client to the gateway and vice versa. I would like to see some sort of report I can look at to see all the different devices it stops at, etc. Is it possible to do this with Wireshark? Thanks!

asked 22 Mar '11, 14:11


tolinrome
11223
accept rate: 0%


3 Answers:

2

No. You can't unless you capture at every single router hop. There are many factors that complicate this. For example, when you have redundant paths in the network, the forwarding decision is not made based on the routing table (RIB) but the forwarding table (FIB). So things like Cisco's CEF come into the picture. But I think you're worried about the wrong things.

Your network can't be that complicated, and if routing loops are common enough to worry about, then the infrastructure is fundamentally flawed.

In a modern day network, routers and switches are rarely the bottleneck. Especially if you're talking about email servers.

What you may want to analyze are TTL fields as the packets traverse your network. So long as it doesn't vary by that much, you are most likely taking the same route.

Do you have a Cisco based network? If so, I have a Visio program that maps out the network at the CEF level. So the macro takes source IP, source IP's GW, and destination. It then logs into every router and looks at the CEF table. It only works for IOS based routers and will not work on Nexus platform.

answered 23 Mar '11, 16:36


hansangb
7912619
accept rate: 12%
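The TTL check suggested in this answer, worked through as an added example (this is not code from hansangb's answer or from Wireshark). It takes constructed (timestamp, source IP, ip.ttl) samples as Wireshark's TTL column would show them at one capture point, assumes the sender used one of the common initial TTLs (64, 128 or 255), and reports sources whose inferred hop count changes, which is the sign of a path change the answer describes.

```python
"""Infer hop counts from observed IP TTL values and flag path changes.

Added example for this thread, not code from the original answer. Input is a
constructed list of (timestamp, source IP, TTL) samples as Wireshark's
ip.ttl column would show them at one capture point.
"""
from collections import defaultdict

# Common initial TTLs: Linux/macOS 64, Windows 128, many routers/BSD 255.
COMMON_INITIAL_TTLS = (64, 128, 255)


def estimate_hops(observed_ttl):
    """Return (initial_ttl, hops) assuming the sender used a common initial TTL.

    The smallest common initial TTL not below the observed value is the most
    likely starting point; the difference is the number of routers traversed.
    """
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError(f"TTL {observed_ttl} exceeds 255 and is not a valid IPv4 TTL")


def path_changes(samples, tolerance=0):
    """Group samples by source and report sources whose hop count varies.

    samples: iterable of (timestamp, src_ip, ttl). Returns a dict mapping
    source IP -> sorted list of distinct hop counts seen, only for sources
    where the spread exceeds `tolerance` hops.
    """
    hops_by_src = defaultdict(set)
    for _ts, src, ttl in samples:
        _initial, hops = estimate_hops(ttl)
        hops_by_src[src].add(hops)
    return {
        src: sorted(h) for src, h in hops_by_src.items()
        if max(h) - min(h) > tolerance
    }


# Constructed sample: the mail server at 10.1.20.5 normally arrives with TTL 61
# (3 hops from an initial 64); two later packets show TTL 59, i.e. two extra hops.
SAMPLES = [
    (1.000, "10.1.20.5", 61),
    (1.250, "10.1.20.5", 61),
    (1.500, "192.168.7.9", 125),
    (2.000, "10.1.20.5", 59),
    (2.100, "10.1.20.5", 59),
    (2.300, "192.168.7.9", 125),
]

if __name__ == "__main__":
    for src, hops in path_changes(SAMPLES).items():
        print(f"{src}: hop count varied across {hops} -> possible path change")
```

The initial-TTL guess is the weak point: a host with an unusual initial TTL, or a middlebox that rewrites TTL, will shift every hop count for that source by a constant, which is why the check compares a source only against itself rather than against an absolute number.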

1

IP has an option that encourages routers to record their own IP address in the IP header. Try this on a Windows system:

ping -r 9 1.2.3.4

The option "-r 9" leaves room for a maximum of 9 devices to record their IP address.

The option is from the "good old days" of the Internet. So your firewall, IPS or other device might drop the packet because most networks don't need any option in the IP header.

If you just want to see which mail servers process the message: Try looking at the X-headers where the mail servers, SPAM gateways and virus filters all leave a time stamp (including their IP address). These headers are usually hidden from the user. Each program has an option to make them visible.

Good hunting!

answered 24 Mar '11, 09:57


packethunter
2.1k71548
accept rate: 8%

edited 24 Mar '11, 09:59

But because the header doesn't have the room to record the full route, it's not much use in a modern day network. But if you're persistent enough, you could go from router to router (radius of the record option limitation) and map it out. The only other caveat however, is that CEF behavior can change based on tcp port numbers. It's easy enough for someone to include port numbers in the CEF hash calculation, so traceroute/ping-record may not take the same hop. Just something to be aware of.

(24 Mar '11, 16:16) hansangb
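What the Record Route option from the answer above actually looks like on the wire, as an added example (not code from packethunter's answer, the comment, or Wireshark). The header bytes are constructed to mimic what `ping -r 9` sends after three routers have written their addresses; the IP checksum is left as zero since nothing here verifies it. The parser walks the IPv4 option area the way a dissector would, honouring NOP and EOL, and reports how many of the 9 slots the answer mentions are used and whether the area is already full, which is the limitation hansangb's comment points out.

```python
"""Parse the IPv4 Record Route option (type 7) out of a raw IP header.

Added example for this thread (not from the original answer). The header
bytes are constructed here to mimic what `ping -r 9` sends and what routers
on the path fill in; the IP checksum is left as zero since nothing verifies it.
"""
import ipaddress

IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7


def build_record_route_header(recorded, slots=9, src="10.0.0.10", dst="10.0.0.1"):
    """Build a minimal IPv4 header carrying a Record Route option.

    `recorded` are the addresses routers have already written; `slots` is the
    capacity requested by the sender (ping -r 9 -> 9 slots, 39 option bytes).
    """
    if not 1 <= slots <= 9 or len(recorded) > slots:
        raise ValueError("Record Route fits at most 9 addresses in the 40-byte option area")
    opt = bytes([IPOPT_RR, 3 + 4 * slots, 4 + 4 * len(recorded)])  # type, length, pointer
    for ip in recorded:
        opt += ipaddress.IPv4Address(ip).packed
    opt += bytes(4 * (slots - len(recorded)))      # empty slots still to be filled
    opt += bytes((-len(opt)) % 4)                   # EOL padding to a 32-bit boundary
    ihl = 5 + len(opt) // 4
    total_len = ihl * 4 + 8                          # + 8-byte ICMP echo header (omitted)
    fixed = bytes([0x40 | ihl, 0]) + total_len.to_bytes(2, "big")
    fixed += (0x1234).to_bytes(2, "big") + b"\x00\x00"   # id, flags/fragment offset
    fixed += bytes([64, 1]) + b"\x00\x00"                # TTL, proto ICMP, checksum (unset)
    fixed += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return fixed + opt


def parse_record_route(header):
    """Return {'slots', 'addresses', 'full'} for the RR option, or None if absent.

    Walks the option area honouring NOP/EOL and skipping unknown options by
    their length byte, so a malformed length cannot push the index out of range.
    """
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts = header[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == IPOPT_RR:
            pointer = opts[i + 2]
            slots = (length - 3) // 4
            used = min(max(pointer - 4, 0) // 4, slots)   # pointer is 1-based, starts at 4
            data = opts[i + 3: i + 3 + 4 * used]
            addrs = [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, len(data), 4)]
            # RFC 791: when the pointer exceeds the length, the route data area is full.
            return {"slots": slots, "addresses": addrs, "full": pointer > length}
        i += length
    return None


# Constructed sample: echo request that has passed three routers so far.
SAMPLE = build_record_route_header(["10.0.0.1", "10.0.1.1", "10.0.2.1"])

if __name__ == "__main__":
    print(parse_record_route(SAMPLE))
```

Feeding a header with all nine slots written shows the `full` flag flipping, which is exactly where the comment's "radius of the record option limitation" comes from: past that point routers stop recording and the option tells you nothing further about the path.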

0

Since you are precisely referring to email flow - why not check the email headers in any email client to see which SMTP relay servers it has used? That should give you directions of the exact mail flow.

answered 25 Mar '11, 01:47


Vijay Gharge
36151620
accept rate: 0%
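Both packethunter's point about the time stamps the relays leave in the headers and Vijay Gharge's suggestion to read the relay chain out of the email headers come down to parsing the Received: lines. Here is that as an added example (not code from either answer or from any mail product). The message is constructed and all hostnames and addresses are placeholders; each relay prepends its own Received: header, so reading them bottom-up gives the path in delivery order, and the difference between consecutive time stamps shows where the message sat longest, which is what the original question is after.

```python
"""Reconstruct the SMTP relay path from a message's Received: headers.

Added example for this thread, not from any answer. The message below is
constructed; hostnames and addresses are placeholders. Each relay prepends a
Received: header, so reading them bottom-up gives the path in delivery order,
and the timestamp differences show where a message sat longest.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

RAW_MESSAGE = b"""\
Received: from spamfilter.example.net (spamfilter.example.net [192.0.2.30])
\tby mailstore.example.net with ESMTP id C3; Tue, 22 Mar 2011 14:05:40 -0400
Received: from gw.example.net (gw.example.net [192.0.2.20])
\tby spamfilter.example.net with ESMTP id B2; Tue, 22 Mar 2011 13:50:12 -0400
Received: from mta.example.org (mta.example.org [198.51.100.7])
\tby gw.example.net with ESMTPS id A1; Tue, 22 Mar 2011 13:49:58 -0400
From: sender@example.org
To: recipient@example.net
Subject: constructed sample

body
"""

# "from <host> (<helo/reverse-dns> [<ip>]) by <host>"; the parenthesised part is optional.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<helo>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Parse one unfolded Received: header into a dict, or None if unparsable."""
    m = HOP_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("helo") or "")
    # The date follows the last ';' (RFC 5321 trace field syntax).
    date_part = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return {
        "from": m.group("from"),
        "from_ip": ip.group(1) if ip else None,
        "by": m.group("by"),
        "time": parsedate_to_datetime(date_part) if date_part else None,
    }


def mail_path(raw):
    """Return hops in delivery order, each with the seconds spent before that relay."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()  # headers are prepended, so the last one is the first relay
    for prev, cur in zip(hops, hops[1:]):
        if prev["time"] and cur["time"]:
            cur["delay_s"] = (cur["time"] - prev["time"]).total_seconds()
    return hops


if __name__ == "__main__":
    for hop in mail_path(RAW_MESSAGE):
        print(f"{hop['from']} ({hop['from_ip']}) -> {hop['by']}  +{hop.get('delay_s', 0):.0f}s")
```

Only the headers added by relays you operate are trustworthy; a sender can write arbitrary Received: lines below the first one your gateway adds, so the delay figures are only meaningful from your own gateway inward. Clock skew between relays also shows up as small negative delays.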