
I'm trying to track down network traffic coming from my Exchange server that is going to an external IP address that is in China according to Network Solutions.

My firewall logs show TCP traffic on various uncommon ports being sent from the Exchange server to several IP addresses in China. They are being sent out on TCP ports such as 5296, 31671, etc. Because of the way I've configured my firewall, the packets are being dropped, so they aren't getting sent out, but I'd like to track down what it is on the server that is sending them.

I've run a capture on my Exchange server using Wireshark. I matched an IP address and TCP port from one of these firewall logs to an entry in the capture in Wireshark.

What I'm trying to figure out is what on the Exchange server originated this packet. When I highlight the entry in the capture window and then expand Ethernet II SRC in the 2nd window, it lists the source as HewlettP_e3:4b:2c. I've noticed that almost every entry in the capture list shows these source and destination entries to be HewlettP_, Cisco_, Fortinet_, Dell_, etc. I don't understand how to interpret this, as it seems odd to me that something from an HP printer or other device on my server would be sending packets to an IP address in China. What exactly are these listings (HewlettP_, Cisco_) in the Ethernet II section, and what do they actually represent?

I've spent several hours searching for this information and have yet to find an answer. I also read the manual. I've found mention of the Ethernet II section of the results, but no detailed explanation of what these entries mean. Can someone help?

asked 08 Jul '11, 09:49


alienux

edited 08 Jul '11, 09:55


What you are looking at is the MAC address of the adapters involved, which will probably not be very helpful for what you are looking for. The reason it shows up as Dell_xx:xx:xx is that Wireshark is making a guess about who manufactured the device based on the MAC address (Dell for Dell_, HP for HP_, etc.). This is done because each manufacturer uses certain MAC prefixes in their devices; the full MAC address is the one in parentheses next to the string you are looking at.

What will probably be more helpful to you is examining the running programs on your server. Can you see what programs and services are running on your server when these events happen?


answered 08 Jul '11, 10:30


multipleinte...
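As an added illustration of the lookup described in the answer above (example code written for this page, not code from the thread or from Wireshark itself): Wireshark's manuf table maps the first three bytes of a MAC address, the IEEE-assigned OUI, to a vendor short name and displays `<Vendor>_<last three bytes>`, which is exactly the `HewlettP_e3:4b:2c` form in the question. The prefixes in the table below are constructed sample entries for illustration, not real IEEE assignments.

```python
# Added example (not code from the thread or from Wireshark): resolve a MAC
# address to a Wireshark-style "<Vendor>_xx:xx:xx" name by looking up its
# 24-bit OUI prefix in a manuf-style table.
import re
from typing import Dict, Optional, Tuple

# Constructed manuf-style table for illustration only; these OUI values are
# sample entries, not real IEEE assignments.
SAMPLE_MANUF: Dict[str, Tuple[str, str]] = {
    "00:1a:4b": ("HewlettP", "Hewlett Packard"),
    "00:1b:54": ("Cisco", "Cisco Systems, Inc"),
    "00:09:0f": ("Fortinet", "Fortinet, Inc."),
    "00:14:22": ("Dell", "Dell Inc."),
}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and
    return the lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet: the address was assigned locally (VMs,
    randomized Wi-Fi MACs), so its prefix carries no vendor information."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0x01 of the first octet: a group address, never a single NIC."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def oui_of(mac: str) -> str:
    """The first three octets, which is all the vendor lookup uses."""
    return normalize_mac(mac)[:8]


def vendor_of(mac: str, table=SAMPLE_MANUF) -> Optional[Tuple[str, str]]:
    """(short name, full name) for the OUI, or None when the prefix is
    unknown or the address is locally administered."""
    if is_locally_administered(mac):
        return None
    return table.get(oui_of(mac))


def resolve_mac(mac: str, table=SAMPLE_MANUF) -> str:
    """Wireshark's display form: vendor short name plus the last three
    octets, falling back to the bare address when the prefix cannot be
    resolved."""
    norm = normalize_mac(mac)
    vendor = vendor_of(norm, table)
    if vendor is None:
        return norm
    return f"{vendor[0]}_{norm[9:]}"


if __name__ == "__main__":
    for sample in ("00:1A:4B:E3:4B:2C", "00-1b-54-00-00-01",
                   "0009.0f12.3456", "02:1a:4b:e3:4b:2c"):
        flag = " (locally administered)" if is_locally_administered(sample) else ""
        print(f"{sample} -> {resolve_mac(sample)}{flag}")
```

Two caveats follow from how the lookup works. A locally administered address (second-lowest bit of the first octet set, as virtual machines and MAC randomization commonly use) has no vendor meaning, so the function returns the raw address for it. And in a capture taken on the server itself, the Ethernet source is the server's own NIC while the destination is the next hop, normally the default gateway or firewall, which is why Cisco_ or Fortinet_ appears on so many frames: the vendor name identifies the hardware that put the frame on the wire, not the process that generated the packet.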

Ok, thanks for the info. That clears up a lot about the Ethernet II entries.

As far as things running on the server, yes, I have looked at what is running and haven't found anything that looks unusual. However, I'm going to try to get some more details using something like Process Explorer or an app that shows threads instead of just running processes and I'm hopeful that one of those apps will provide some more info.

Thanks for your answer.

(08 Jul '11, 11:48) alienux

To check which program is using the suspicious ports you can use the "netstat -ano" command on the command line. It will give you a list of all ports in use and tell you which process owns which port. You should only find programs that are supposed to be running on that server (and using ports); everything else is suspicious. Determining which is which can be tricky though.

(08 Jul '11, 11:50) Jasper ♦♦

Although I'm a Wireshark guy, Microsoft's Network Monitor may help you out here, as that can show the ID of the process sending the data. Wireshark can load captures from NetMon, but can't display the process info.

netstat with the -b flag can show the process ID associated with a socket if run with admin privs, and there is also TCPView from SysInternals that is a graphical version of netstat.


answered 08 Jul '11, 14:17


grahamb ♦
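The port-to-process mapping that Jasper's comment and grahamb's answer describe, as an added example written for this page (not code from the thread): the script parses constructed `netstat -ano` output for the server in the question and groups connections to the remote addresses seen in the firewall logs by the PID that owns each socket. The IP addresses are RFC 5737 documentation addresses chosen for the sample; the ports 5296 and 31671 are the ones from the firewall logs. Because the firewall drops the outbound packets, those connections never complete and sit in SYN_SENT, which is what netstat would show on the server.

```python
# Added example (not code from the thread): parse Windows "netstat -ano"
# output and group connections to the remote addresses seen in the firewall
# logs by the PID that owns the socket.
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Constructed sample output for the Exchange server in the question. IPs are
# RFC 5737 documentation addresses; 5296 and 31671 are the ports from the
# firewall logs. The two dropped connections sit in SYN_SENT because the
# firewall never lets the handshake complete.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1520
  TCP    192.0.2.10:443         192.0.2.55:51002       ESTABLISHED     1520
  TCP    192.0.2.10:49231       198.51.100.7:5296      SYN_SENT        2344
  TCP    192.0.2.10:49305       203.0.113.44:31671     SYN_SENT        2344
  UDP    0.0.0.0:123            *:*                                    1104
"""


class Connection(NamedTuple):
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str          # empty for UDP, which has no State column
    pid: int


def split_endpoint(endpoint: str):
    """'203.0.113.44:31671' -> ('203.0.113.44', 31671). Also handles
    '[::]:135' (IPv6 in brackets) and '*:*' (UDP wildcard, port None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Connection]:
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner, the header row and blank lines.
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        # TCP rows carry a State column; UDP rows go straight to the PID.
        state = fields[3] if proto == "TCP" and len(fields) == 5 else ""
        pid = int(fields[-1])
        lh, lp = split_endpoint(local)
        rh, rp = split_endpoint(remote)
        records.append(Connection(proto, lh, lp, rh, rp, state, pid))
    return records


def owners_of(records: List[Connection], remote_hosts: Iterable[str] = (),
              remote_ports: Iterable[int] = ()) -> Dict[int, List[Connection]]:
    """Connections to the firewall-logged hosts or ports, grouped by PID."""
    hosts, ports = set(remote_hosts), set(remote_ports)
    hits: Dict[int, List[Connection]] = defaultdict(list)
    for c in records:
        if c.remote_host in hosts or c.remote_port in ports:
            hits[c.pid].append(c)
    return dict(hits)


def unexpected_listeners(records: List[Connection],
                         expected_ports: Iterable[int]) -> Set[int]:
    """TCP ports in LISTENING state that are not on the server's allowlist.
    The allowlist is the operator's knowledge of what the server should run;
    the values used in __main__ below are a constructed placeholder."""
    allowed = set(expected_ports)
    return {c.local_port for c in records
            if c.proto == "TCP" and c.state == "LISTENING"
            and c.local_port not in allowed}


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    logged_hosts = {"198.51.100.7", "203.0.113.44"}   # from the firewall logs
    for pid, hits in owners_of(conns, remote_hosts=logged_hosts).items():
        print(f"PID {pid} owns:")
        for c in hits:
            print(f"  {c.remote_host}:{c.remote_port}  state={c.state}")
        print(f'  follow up: tasklist /FI "PID eq {pid}"')
    print("listeners not on allowlist:", unexpected_listeners(conns, {135, 443}))
```

Once a PID stands out, `tasklist /FI "PID eq <pid>"` names the image behind it, and Process Explorer or TCPView shows its threads, parent process and open sockets, which is the detail the question's poster said he was going to look for. Running netstat while the firewall is still dropping the traffic is the easiest time to catch the owner, because the SYN_SENT entries linger until the connection attempt times out.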

Thanks Jasper and grahamb, I'll look into those as well.

(11 Jul '11, 05:07) alienux
last updated: 11 Jul '11, 10:02