[PLUG] Using Wireshark

ckonstanski at pippiandcarlos.com
Fri Dec 19 23:57:03 UTC 2008


> Since the first part survived, here's the e-mail without the quote from
> Comcast's e-mail.
>
> I got an e-mail from Comcast this morning. It includes the following:
>
> (I'll skip the quote. Their e-mail told me that they reconfigured my
> cable modem to prevent sending e-mail through port 25. They instructed
> me to switch Thunderbird to port 587.)
>
> First thing this morning, I called the Comcast tech support 888 number
> and asked if this sounded like a bogus e-mail; it looked OK to me -- all
> of the links were to comcast.net -- but one never knows these days. He
> said that it was valid, and that port 587 is a valid port for sending
> e-mail through comcast.net.
>
> I also asked if the reason I got it was because it is likely that one of
> my machines is infected with some program that is sending out bogus
> e-mail. He allowed as how that it is likely the case.
>
> So, I changed Thunderbird's outgoing server setting to use port 587,
> tested sending some e-mail, and found that everything works.
>
> Now, I want to figure out what machine -- if any -- in the house is
> causing trouble. I'm assuming I can use Wireshark to watch the traffic
> on the switch to which this machine (Ubuntu) is connected, but that it
> won't be able to look at any other traffic on the other router ports
> (network topology below). I suspect my XP laptop, because it has been
> booting pretty slowly of late, so I'll start with that. If I don't find
> anything, then I'll look into re-configuring my network.
>
> So, now on to setting up and using Wireshark.
>
> I installed it on my Ubuntu Hardy machine using Synaptic. I started the
> program and realized that I have no idea what to do with it. I Googled
> around and found a How-To on the Wireshark site:
>
> http://www.wireless-nets.com/resources/tutorials/sniff_packets_wireshark.html
>
> The first thing it wants me to do is to, "configure Wireshark to
> interface with an 802.11 client device;" or I'll "get an alert 'No
> capture interface selected!'"
>
> When I choose Capture > Interfaces from the Wireshark menu I get a
> window with the title Wireshark: Capture Interfaces. It has a column
> header line that says, Device Description   IP   Packets   Packets/s.
> There is no list of devices below that header line.
>
> Any ideas on what step Synaptic didn't include, or I didn't know I
> needed to do?
>
> TIA.
>
> Here's my network topology:
>
> Cable Modem       -----     Router                 -----  Four Ports
> Motorola SB5100           Netgear RT-314
>
> Router Port 1       -----     CNet 8 port switch
>
> Router Port 2       -----     (Mumble) switch (in the basement)
>
> Router Port 3       -----     Brother MFC7820N Fax/Scanner/Printer
>
> Router Port 4       -----     Wife's XP machine.
>
> CNet ports 1, 2, 3 ----- unused
>
> CNet Port 4          -----     Ubuntu machine
>
> CNet Port 5          -----     Thinkpad 600e (Windows 98SE)
>
> CNet Port 6          -----     unused
>
> CNet Port 7          -----     Acer Aspire Laptop (XP)
>
> CNet Port 8          -----     Router
>
> Basement switch -----     Thinkpad 390x (Windows 98SE)
>                           While there are other cables connected to this
>                           switch, there currently are no other computers
>                           connected.
>
> --
> Regards,
>
> Dick Steffens
> www.dicksteffens.com

If you were interested in running iptables, you could easily log all
packets on a specific port.  If you are interested in going this route, I
can give you my firewall.sh script.  You need kernel support for
netfilter.

Carlos
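A concrete version of the iptables approach Carlos describes, as an added example that is not his firewall.sh: rules that log each new outbound TCP port 25 connection from the host (or through it, if it were the gateway; on a switched LAN the Ubuntu box otherwise only sees its own traffic), plus a small tally of those log lines by source address. The chains, the `SMTP-OUT:` prefix and the sample log lines are my own choices.

```shell
#!/bin/sh
# Added example (not Carlos's firewall.sh): log every new outbound TCP
# connection to port 25 with the netfilter LOG target, then summarise the
# resulting kernel log lines per source host. Installing rules needs root;
# with IPTABLES_DRY_RUN=1 the commands are only printed.

IPTABLES="${IPTABLES:-iptables}"

run() { if [ -n "$IPTABLES_DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# OUTPUT covers this host's own traffic; FORWARD only matters if this host
# routes for the LAN. --state NEW gives one line per connection attempt,
# and the limit match keeps a spamming process from flooding the log.
install_smtp_log_rules() {
    for chain in OUTPUT FORWARD; do
        run "$IPTABLES" -I "$chain" -p tcp --dport 25 -m state --state NEW \
            -m limit --limit 10/min --limit-burst 20 \
            -j LOG --log-prefix "SMTP-OUT: " --log-level 4
    done
}

# Read kern.log-style lines on stdin and print "<count> <src>" per source
# address, busiest first.
summarize_smtp_log() {
    grep 'SMTP-OUT: ' | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample lines in the format the LOG target writes (assumed
# addresses, not from any real capture).
SAMPLE_LOG='Dec 19 23:50:01 ubuntu kernel: SMTP-OUT: IN= OUT=eth0 SRC=192.168.0.5 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=41022 DPT=25 SYN
Dec 19 23:50:02 ubuntu kernel: SMTP-OUT: IN= OUT=eth0 SRC=192.168.0.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41023 DPT=25 SYN
Dec 19 23:50:03 ubuntu kernel: SMTP-OUT: IN= OUT=eth0 SRC=192.168.0.7 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=51001 DPT=25 SYN
Dec 19 23:50:04 ubuntu kernel: SMTP-OUT: IN= OUT=eth0 SRC=192.168.0.5 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=41024 DPT=25 SYN
Dec 19 23:50:05 ubuntu kernel: unrelated message'

# The busiest source is the machine to inspect first.
top_smtp_talker() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_smtp_log | head -n 1
}
```

Run `IPTABLES_DRY_RUN=1 sh script.sh` to see the rules without touching the firewall; `top_smtp_talker` on the sample prints `3 192.168.0.5`.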