Monitoring traffic to basic routers

I've got a very basic d-link router and it doesn't have any kind of built in NAT or traffic monitoring. All users have the router as their default gateway so all net access they use goes direct to the IP of the router, ofcourse.

I was wondering if there is some freeware Software (or something quite cheap) that can intercept all traffic from all PCs going to a certain IP (in this case it's the router IP) and tell me which ports they are using to send/receive traffic. Cheers.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

astorrs

Do you have a managed switch that can mirror the traffic on the routers port? (I'm assuming not, given the D-Link, but it never hurts to ask).

mr2nut

You assume right unfortunately. It's a very basic network. The problem I have is, one of the client PCs is spamming out port25 and they have had their static IP blocked for spamming, so i'm just trying to find out centrally, which PC is doing it.

RussS

What model D-link is it?

sprkymrk

How many computers are you talking about here? And when you say his staitc IP has been blocked, do you mean the static IP on the computer or the static IP on the router WAN interface?

I would suggest hooking up a 100MB hub temporarily ahead of the d-link if it's a small network, and run tcpdump on a computer hooked to it with a filter to listen for port 25 traffic.

tcpdump -i eth0 -w /smtp.pcap port 25

This is assuming your ethernet port is eth0 and you want to save the **** to a file called smtp.pcap. You can open and read the **** file later like this:

tcpdump -r /smtp.pcap

Or if you only have Windows machines, install wireshark to capture/read the packets.

One other possibility is if the D-Link can be configured to block outbound port 25 connections, then read the logs to see where the most traffic is coming from.

shednik

I'd say Marks idea is probably your best bet for the setup you have...

mr2nut

sprkymrk wrote:

How many computers are you talking about here? And when you say his staitc IP has been blocked, do you mean the static IP on the computer or the static IP on the router WAN interface?

I would suggest hooking up a 100MB hub temporarily ahead of the d-link if it's a small network, and run tcpdump on a computer hooked to it with a filter to listen for port 25 traffic.

tcpdump -i eth0 -w /smtp.pcap port 25

This is assuming your ethernet port is eth0 and you want to save the **** to a file called smtp.pcap. You can open and read the **** file later like this:

tcpdump -r /smtp.pcap

Or if you only have Windows machines, install wireshark to capture/read the packets.

One other possibility is if the D-Link can be configured to block outbound port 25 connections, then read the logs to see where the most traffic is coming from.

I looked at tcpdump but the downloads are .gz, i'm assuming it's a Linix based bit of Software? I've downloaded Wireshark but from what I can see, you can only capture traffic coming from the PC and not capture traffic heading for a remote IP which is ideally what i'm after. If there was 1 or 2 PCs on the Network Wireshark would do the job but there's a fair few PCs so if I could do it centrally that would be good.

The D-Link doesn't have any kind of logging at all. It's a really old rubbish router to be fair.

meadIT

mr2nut wrote:

I looked at tcpdump but the downloads are .gz, i'm assuming it's a Linix based bit of Software? I've downloaded Wireshark but from what I can see, you can only capture traffic coming from the PC and not capture traffic heading for a remote IP which is ideally what i'm after. If there was 1 or 2 PCs on the Network Wireshark would do the job but there's a fair few PCs so if I could do it centrally that would be good.

The D-Link doesn't have any kind of logging at all. It's a really old rubbish router to be fair.

This is why he suggested setting up a hub before the router and plug your monitoring PC into it. The traffic that is going to the router would be sent to the hub and the hub would then broadcast it to both the router and your monitoring PC where wireshark would pick it up.

120nm4n

As long as you have a hub between the DLink and the rest of your network and the Wireshark box connected to the hub, Wireshark will gather any packets from the network. It's in promiscuous mode, so it will collect all network traffic.

mr2nut

Ahhh, I see what your getting at now. Cheers guys, good thinking