
MSExchangeMTA Error and I am not sure how to follow MS instructions

Status
Not open for further replies.

ftoddt

Technical User
Apr 26, 2003
180
US
It's an event ID of 9220, Source MSExchangeMTA
Message:
A sockets error {error code} on an open() call was detected. The MTA will attempt to recover the sockets connection. Control block index: {index name}. [{value}{value}{value}{value}] (12)

Now Microsoft says: Use Network Monitor to capture network traces, then view these traces from Network Monitor for any network issue. Contact Microsoft Product Support Services for assistance.
Microsoft further says:
This problem may occur when there is insufficient bandwidth or many network errors. It may be due to heap corruption when two or more threads in the message transfer agent (MTA) try to access the same data structures without proper synchronization. This problem has been particularly noted in networks in which many associations are being opened and closed between MTAs. Frequently, these MTA failures are associated with slow and unreliable connections.

OK, so I have shown everyone what Microsoft says. I am trying to learn Ethereal packet sniffing and I can run a scan on the Exchange server, but I am not sure how to filter or what exactly to look for. We are a Win2k organization with Exchange 2000.
Any and all advice is again greatly appreciated.
Thanks
 
OK. Ethereal is good for analyzing packets but can be a bit of a pain when trying to capture packets. A better option is to use 'tcpdump' to do the capture and then use Ethereal to do the analysis.

Using tcpdump is pretty straightforward. First you need to identify the interface to monitor, so enter:

Code:
tcpdump -D

This will list all the interfaces on your machine. Make a note of the number of the interface you want to monitor, e.g. interface 4.

Now, do a test monitor to ensure that you are getting packets:

Code:
tcpdump -i 4 -c 200

This will monitor interface 4 and display 200 packets on the screen. If that works you are ready to do some capturing.

Code:
tcpdump -i 4 -c 5000 -w mail.out

This will capture 5000 packets from interface 4 and store them in file mail.out. You can then open this in Ethereal and have a look. Note that this captures all packets.

Code:
tcpdump -i 4 -c 5000 -w mail.out port 25 or 110 or 143

This will capture only SMTP, POP3 and IMAP packets on I/F 4. If you have a specific host that you have problems with then you can use:

Code:
tcpdump -i 4 -c 5000 -w mail.out "(host somehost.domain.com) and (port 25 or 110 or 143)"

Again, open the mail.out trace in Ethereal and view the results. What you want to try and do is follow Ethernet conversations to see if anything anomalous pops up. The only way to do this is to identify what you consider to be good conversations and then look for ones that seem strange. A strange one would be lots of retries, very large packets, long conversations, etc., etc. Using Ethereal is a bit like panning for gold. You will have to wade through a lot of crap before you find the nuggets.

Hope this helps.
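
An added example, not part of the original post: a small Python script that does a first pass over a capture file such as mail.out and reports, per TCP conversation, the packet count, duration, largest frame and resent segments, which are the "strange" signs described above. It assumes a classic little-endian pcap file with Ethernet/IPv4 frames; the function names and the embedded sample capture are constructed for illustration.

```python
import struct

def parse_pcap(data):
    """Yield (timestamp, wire_len, frame) from a classic little-endian pcap file."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian microsecond pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, usec, caplen, wirelen = struct.unpack_from("<IIII", data, off)
        yield sec + usec / 1e6, wirelen, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def summarize(data):
    """Per TCP conversation: packets, duration, largest frame, resent segments."""
    stats, seen = {}, set()
    for ts, wirelen, f in parse_pcap(data):
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # this sketch handles Ethernet + IPv4 + TCP only
        tcp = 14 + (f[14] & 0x0F) * 4  # offset of the TCP header
        if len(f) < tcp + 13:
            continue  # snapshot cut off before the TCP data-offset byte
        sport, dport, seq = struct.unpack_from("!HHI", f, tcp)
        payload = struct.unpack_from("!H", f, 16)[0] - (tcp - 14) - (f[tcp + 12] >> 4) * 4
        a, b = ("%s:%d" % (".".join(map(str, f[o:o + 4])), p)
                for o, p in ((26, sport), (30, dport)))
        s = stats.setdefault(" <-> ".join(sorted((a, b))),
                             {"pkts": 0, "first": ts, "max_len": 0, "retries": 0})
        s["pkts"] += 1
        s["duration"], s["max_len"] = ts - s["first"], max(s["max_len"], wirelen)
        s["retries"] += payload > 0 and (a, b, seq, payload) in seen  # same data again
        seen.add((a, b, seq, payload))
    return stats

def make_pcap(packets):
    """Constructed capture from (sec, src, dst, sport, dport, seq, payload) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, src, dst, sport, dport, seq, data in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0, src, dst)
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
        f = b"\x00" * 12 + b"\x08\x00" + ip + tcp + data  # zero MACs and checksums
        out += struct.pack("<IIII", sec, 0, len(f), len(f)) + f
    return out

C, S, MAIL = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]), b"MAIL FROM:<a@example.com>\r\n"
SAMPLE = make_pcap([  # constructed: one SMTP segment sent three times, then a reply
    (0, C, S, 1050, 25, 1000, MAIL), (1, C, S, 1050, 25, 1000, MAIL),
    (4, C, S, 1050, 25, 1000, MAIL), (4, S, C, 25, 1050, 5000, b"250 OK\r\n"),
    (5, C, S, 1051, 110, 1, b"STAT\r\n")])
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To run it on a real capture, pass `open("mail.out", "rb").read()` to `summarize()` and sort the result by `retries` or `duration` to pick the conversations worth opening in Ethereal.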
 
Castor66,
Thank you for your time and wonderful examples of how to use tcpdump. I will try it first chance I get and let you know how it comes out. As you can tell, I am really new at this and definitely need help. This site has always been extremely good to me and I thank you.
Todd
 