
Monitor Traffic on VLAN

Status
Not open for further replies.

ngazzano

ISP
Apr 4, 2005
17
US
How do I configure a port so that I can monitor the type of traffic on a certain VLAN? We're trying to catch a spammer on our network and we want to be sure we know where the spam is coming from before making any assumptions. Mirroring the port doesn't work, or maybe I'm configuring the port wrong.
 
I've used port mirroring a few times; without knowing your network or what you're expecting to see it's hard to say. I have a couple of questions to ask.
1- Are they using your email server to relay or going directly out? If it's using yours, how many email servers in your environment?
2- Do you have a firewall whose log file you can use?

I would use your logfiles to screen it down to an area. Then use the port mirroring to monitor one interface (i.e. email server, VLAN trunk port). What kind of switches are you using? Summit48, 48i, 200 etc? I'll upload a config once I'm sure, or post what you used.
 
using Summit 48si

We've got a pix 506

in particular we're looking for smtp traffic on a specific VLAN.

We've got 5 mail servers.

 
Is this spammer relaying off your email servers? If so, any one in particular? If so, then mirror that port with a sniffer; Ethereal is nice and free. :) Patch the laptop into the specific switch that your email server is on. On the Summit type the following:
config mirroring add por <port number> #email server
en mirroring por <port number> #sniffer

or
enab mirroring port <port number>
conf mirroring add po <port number> vlan <vlan name>

I'd play with it in the testlab first, the mirroring port can't be used for anything but capturing data.

If the spammer is bypassing your email servers, then I'd set up logging on your FW. Can't help you there, not familiar with PIX.
Happy hunting :)
 
We've tried that. I need something to log the source of the traffic. Our attacker isn't consistent in terms of time. We need something passive that will log the source of the traffic. It's getting to the point where the SMTP service is shutting down because of overload.
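Once the mirror port (or a hub, as suggested later in the thread) delivers the VLAN's traffic to the sniffer, the remaining problem raised here is passively logging who originates the SMTP connections. The following Python is an added example, not code from the thread or from any poster: it parses constructed tcpdump-style summary lines (an assumed format, built inline), counts new SMTP connection attempts per source address, and separately flags hosts that open port 25 to destinations outside your own mail servers, which distinguishes a relay abuser from a spammer bypassing the servers.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in tcpdump-style summary form, as a sniffer on the
# mirror port might log them. These are made up for the example, not a real capture.
SAMPLE_LINES = """\
10:01:02.123 IP 192.168.10.25.40001 > 10.0.0.5.25: Flags [S], seq 1
10:01:02.456 IP 192.168.10.25.40002 > 10.0.0.6.25: Flags [S], seq 2
10:01:03.001 IP 192.168.10.7.51000 > 10.0.0.5.25: Flags [S], seq 3
10:01:03.300 IP 192.168.10.25.40003 > 203.0.113.9.25: Flags [S], seq 4
10:01:04.000 IP 192.168.10.25.40004 > 10.0.0.5.25: Flags [.], ack 1
10:01:05.200 IP 192.168.10.9.33000 > 10.0.0.5.80: Flags [S], seq 5
"""

# timestamp, src ip, src port, dst ip, dst port, TCP flags
LINE_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def smtp_syns(lines, smtp_port=25):
    """Yield (src, dst) for every pure SYN (new connection) to the SMTP port."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not TCP summaries
        _ts, src, _sport, dst, dport, flags = m.groups()
        if int(dport) != smtp_port:
            continue
        # "[S]" is a client SYN; "[S.]" is a SYN-ACK and "[.]" a bare ACK, skip those
        if "S" not in flags or "." in flags:
            continue
        yield src, dst

def smtp_syn_sources(lines):
    """Count SMTP connection attempts per source address."""
    return Counter(src for src, _dst in smtp_syns(lines))

def top_talkers(lines, threshold=2):
    """Sources with at least `threshold` SMTP connection attempts, busiest first."""
    return [(s, n) for s, n in smtp_syn_sources(lines).most_common() if n >= threshold]

def direct_outbound(lines, mail_servers):
    """Map each source to the non-mail-server SMTP destinations it contacted."""
    hits = defaultdict(set)
    for src, dst in smtp_syns(lines):
        if dst not in mail_servers:
            hits[src].add(dst)
    return dict(hits)

if __name__ == "__main__":
    lines = SAMPLE_LINES.splitlines()
    print(top_talkers(lines))                                   # [('192.168.10.25', 3)]
    print(direct_outbound(lines, {"10.0.0.5", "10.0.0.6"}))     # {'192.168.10.25': {'203.0.113.9'}}
```

In practice you would feed it the sniffer's own text export rather than the inline sample, and run it over a capture long enough to cover the attacker's irregular timing.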
 
We just tried the setup again but the laptop that we have set up as the sniffer is only picking up its own traffic, nothing from any other ports. How do I configure the port to get it to work right?
 
Let's say you're patching your sniffer into port 1 and the vlan's name is abc. The configuration would be as follows.
enable mirroring port 1 <enter>
config mirroring vlan abc <enter>

That's it. What sniffer are you using, and which version?
 
I've used older versions than that and not had a problem. Just to confirm, you are patching your sniffer into the same switch that your email servers are patched into. Correct?

I've done port mirroring on S48si's, mirroring VLANs for an IDS system, and had no problems. What does a show mirroring command show you?
 
When I do a show mirroring it displays
port 27 <-email server> mirrored to port 30<-sniffer port>
 
Not sure what else to say; we had a similar issue with an S200. What I did to get the capture is take a hub, patch my sniffer and the device I wanted to capture into the hub, and uplink the hub into the switch. Got the capture so I could resolve the issue, and I'm going to look further into the issue of port mirroring with Extreme and Ethereal.
 
I'll try it with a hub; maybe it'll work. Does it matter if the ports are in the same VLAN?
 
No, the port that you're using as the mirror port (sniffer) will actually be removed from all VLANs. It can't be used to send any traffic.
 