Monitoring traffic to basic routers

mr2nut Member Posts: 269
I've got a very basic D-Link router and it doesn't have any kind of built-in NAT or traffic monitoring. All users have the router as their default gateway so all net access they use goes direct to the IP of the router, of course.

I was wondering if there is some freeware Software (or something quite cheap) that can intercept all traffic from all PCs going to a certain IP (in this case it's the router IP) and tell me which ports they are using to send/receive traffic. Cheers.

Comments

  • astorrs Member Posts: 3,139
    Do you have a managed switch that can mirror the traffic on the routers port? (I'm assuming not, given the D-Link, but it never hurts to ask).
  • mr2nut Member Posts: 269
    You assume right, unfortunately. It's a very basic network. The problem I have is, one of the client PCs is spamming out port 25 and they have had their static IP blocked for spamming, so I'm just trying to find out centrally which PC is doing it.
  • RussS Member Posts: 2,068
    What model D-link is it?
    www.supercross.com
    FIM website of the year 2007
  • sprkymrk Member Posts: 4,884
    How many computers are you talking about here? And when you say his static IP has been blocked, do you mean the static IP on the computer or the static IP on the router WAN interface?

    I would suggest hooking up a 100MB hub temporarily ahead of the d-link if it's a small network, and run tcpdump on a computer hooked to it with a filter to listen for port 25 traffic.

    tcpdump -i eth0 -w /smtp.pcap port 25

    This is assuming your ethernet port is eth0 and you want to save the dump to a file called smtp.pcap. You can open and read the dump file later like this:

    tcpdump -r /smtp.pcap

    Or if you only have Windows machines, install wireshark to capture/read the packets.

    One other possibility is if the D-Link can be configured to block outbound port 25 connections, then read the logs to see where the most traffic is coming from.
    All things are possible, only believe.
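An added example, not part of any post in this thread: once the hub capture has been saved with the tcpdump command above, counting new connection attempts (TCP SYNs) to port 25 per source address shows which PC is sending the mail. It assumes a classic little-endian pcap with Ethernet/IPv4 framing and uses only the Python standard library; the sample capture and all addresses in it are constructed.

```python
import struct
from collections import Counter

def smtp_syn_counts(pcap: bytes) -> Counter:
    """Count TCP SYNs (new connections) to port 25 per source IPv4 address."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    counts, off = Counter(), 24              # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        # Keep only Ethernet II frames carrying IPv4 with protocol 6 (TCP).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        dport, = struct.unpack_from("!H", tcp, 2)
        flags = tcp[13]
        if dport == 25 and flags & 0x02 and not flags & 0x10:  # SYN, no ACK
            counts[".".join(map(str, frame[26:30]))] += 1
    return counts

def _frame(src: str, dst: str, dport: int, flags: int) -> bytes:
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap() -> bytes:
    """Constructed capture: one host opens five SMTP connections, another one."""
    frames = [_frame("192.168.0.23", "203.0.113.10", 25, 0x02)] * 5
    frames += [_frame("192.168.0.11", "203.0.113.10", 25, 0x02),
               _frame("192.168.0.11", "198.51.100.7", 80, 0x02),   # web, ignored
               _frame("203.0.113.10", "192.168.0.23", 25, 0x12)]   # SYN+ACK, ignored
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip, n in smtp_syn_counts(sample_pcap()).most_common():
        print(f"{ip}\t{n} SMTP connection attempts")
```

To run it on a real capture, pass the bytes of the saved smtp.pcap file to smtp_syn_counts instead of the constructed sample.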
  • shednik Member Posts: 2,005
    I'd say Mark's idea is probably your best bet for the setup you have...
  • mr2nut Member Posts: 269
    sprkymrk wrote:
    How many computers are you talking about here? And when you say his static IP has been blocked, do you mean the static IP on the computer or the static IP on the router WAN interface?

    I would suggest hooking up a 100MB hub temporarily ahead of the d-link if it's a small network, and run tcpdump on a computer hooked to it with a filter to listen for port 25 traffic.

    tcpdump -i eth0 -w /smtp.pcap port 25

    This is assuming your ethernet port is eth0 and you want to save the dump to a file called smtp.pcap. You can open and read the dump file later like this:

    tcpdump -r /smtp.pcap

    Or if you only have Windows machines, install wireshark to capture/read the packets.

    One other possibility is if the D-Link can be configured to block outbound port 25 connections, then read the logs to see where the most traffic is coming from.

    I looked at tcpdump but the downloads are .gz, I'm assuming it's a Linux based bit of software? I've downloaded Wireshark but from what I can see, you can only capture traffic coming from the PC and not capture traffic heading for a remote IP which is ideally what I'm after. If there was 1 or 2 PCs on the network Wireshark would do the job but there's a fair few PCs so if I could do it centrally that would be good.

    The D-Link doesn't have any kind of logging at all. It's a really old rubbish router to be fair.
  • meadIT Member Posts: 581
    mr2nut wrote:
    I looked at tcpdump but the downloads are .gz, I'm assuming it's a Linux based bit of software? I've downloaded Wireshark but from what I can see, you can only capture traffic coming from the PC and not capture traffic heading for a remote IP which is ideally what I'm after. If there was 1 or 2 PCs on the network Wireshark would do the job but there's a fair few PCs so if I could do it centrally that would be good.

    The D-Link doesn't have any kind of logging at all. It's a really old rubbish router to be fair.

    This is why he suggested setting up a hub before the router and plug your monitoring PC into it. The traffic that is going to the router would be sent to the hub and the hub would then broadcast it to both the router and your monitoring PC where wireshark would pick it up.
    CERTS: VCDX #110 / VCAP-DCA #500 (v5 & 4) / VCAP-DCD #10(v5 & 4) / VCP 5 & 4 / EMCISA / MCSE 2003 / MCTS: Vista / CCNA / CCENT / Security+ / Network+ / Project+ / CIW Database Design Specialist, Professional, Associate
  • 120nm4n Member Posts: 116
    As long as you have a hub between the DLink and the rest of your network and the Wireshark box connected to the hub, Wireshark will gather any packets from the network. It's in promiscuous mode, so it will collect all network traffic.
    WIP: MCITP: EA
    70-620 - Done
    70-647 - In Progress
    70-649 - Soon.
  • mr2nut Member Posts: 269
    Ahhh, I see what you're getting at now. Cheers guys, good thinking