If you already know the MAC address(es), then you're going about this the wrong way. Login to your switch(es) and look in the CAM/MAC table. Find which port on the switch has learned the offending MAC and follow the cable to the computer.
If you don't already know the MAC address, ping the offending IP(s) from any computer on the local subnet and then look in its ARP table. Then follow the above instructions. If the pings fail (because of a local firewall, for example) then look in the ARP table of the default gateway.

Also, unless you are sniffing on a SPAN port on the switch, you won't see traffic from other devices (like the spammer) on the network which isn't destined to your sniffer. If your switch doesn't support SPAN ports, either plan on upgrading to one that does or getting a network tap (such as sold by NetOptics). If you're really cheap, you could run ettercap to "sniff" on a switch, but I wouldn't run that in a production network with 300 servers.

Good luck.

-- 
Aaron Turner <aturner at pobox.com|synfin.net> http://synfin.net/
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
All emails are PGP signed; a lack of a signature indicates a forgery.

On Thu, Mar 24, 2005 at 08:19:49AM +0100, Per Engelbrecht wrote:
> Hi all
>
> I have a big problem finding a customer with tcpdump (dedicated serverhosting / ~300 servers / switched network [mac-lockdown] / no "central" firewall other than my BGP-router protecting itself) who's spamming the world using a fake IP and a pseudo VMware mac-addr. in the mail-header.
> The spammer uses a few different mac-addr. plus a whole unused (old "C-net size") IP range in a loop (script) and I expect him/her to bridge(*) between the host-server (with valid IP/mac) and the N+ number of local "virtual" installations with fake VMware mac-addr./IP, i.e. the host nic is probably running in promiscuous mode(*).
>
> IP src in mail-header is always RFC1918 or draft-manning.net net (I don't route these nets BGP-wise!) but that's only in the mailheader.
> In short;
> #0 - I can't find any src smtp traffic from the spammer on my net
> #1 - I get a lot of dst (complaints, replies and bounces) smtp traffic to the spammer on my net
>
> How do I (with tcpdump) find the spammer?
> I've done this so far;
>
> # tcpdump -e -n -i eth0 -XX -vvv -tttt -s 0 -w /var/tmp/tcpdumps/spammer.lpc src 82.xxx.xxx.xxx not arp
>
> # tcpdump -e -n -i eth0 -XX -vvv -tttt -s 0 -w /var/tmp/tcpdumps/spammer_smtp.lpc src 82.xxx.xxx.xxx port smtp and not arp
>
> The reply almost always has seebest.com.tw as number two smtp server (our ip-range > seebest.com.tw > whomever > target) when reading the

- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
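The procedure Aaron describes (ping the suspect IPs, read the ARP table, then find which switch port learned each MAC) as an added worked example in Python. This is not code from the original posting or from the tcpdump project. It parses saved output of `ip -4 neigh show` and of `snmpwalk` against the standard BRIDGE-MIB (`dot1dTpFdbPort`, `dot1dBasePortIfIndex`) and IF-MIB (`ifName`), so it runs offline; the addresses (from the 192.0.2.0/24 documentation range), the 00:0c:29 "VMware-style" MACs, the bridge port numbers and the interface names are all constructed samples, and the function names are this example's own.

```python
"""Added example (not from the list posting): IP -> MAC -> switch port.

Works on saved command output so it runs offline. Every sample below is
constructed; 192.0.2.0/24 is the documentation range and the 00:0c:29
MACs stand in for the "pseudo VMware" addresses mentioned in the thread.
"""
import re

# `ip -4 neigh show` on a host in the subnet, after pinging the suspects.
# A host that drops the pings leaves a FAILED entry with no lladdr.
NEIGH_SAMPLE = """\
192.0.2.10 dev eth0 lladdr 00:0c:29:3a:9f:01 REACHABLE
192.0.2.11 dev eth0 lladdr 00:0c:29:3a:9f:02 STALE
192.0.2.12 dev eth0  FAILED
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""

# `snmpwalk -v2c -c <community> <switch> BRIDGE-MIB::dot1dTpFdbPort`
# The OID suffix is the MAC as six decimal octets; the value is the bridge port.
FDB_SAMPLE = """\
BRIDGE-MIB::dot1dTpFdbPort.0.12.41.58.159.1 = INTEGER: 17
BRIDGE-MIB::dot1dTpFdbPort.0.12.41.58.159.2 = INTEGER: 17
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.85 = INTEGER: 48
"""

# `snmpwalk ... BRIDGE-MIB::dot1dBasePortIfIndex` and `snmpwalk ... IF-MIB::ifName`
BASEPORT_SAMPLE = """\
BRIDGE-MIB::dot1dBasePortIfIndex.17 = INTEGER: 10117
BRIDGE-MIB::dot1dBasePortIfIndex.48 = INTEGER: 10148
"""
IFNAME_SAMPLE = """\
IF-MIB::ifName.10117 = STRING: Fa0/17
IF-MIB::ifName.10148 = STRING: Gi0/1
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})\b", re.I)
FDB_RE = re.compile(r"dot1dTpFdbPort\.(\d+(?:\.\d+){5})\s*=\s*INTEGER:\s*(\d+)")
BASEPORT_RE = re.compile(r"dot1dBasePortIfIndex\.(\d+)\s*=\s*INTEGER:\s*(\d+)")
IFNAME_RE = re.compile(r"ifName\.(\d+)\s*=\s*STRING:\s*(\S+)")


def parse_neigh(text):
    """ip -> mac for resolved neighbour entries only (FAILED/INCOMPLETE skipped)."""
    return {m.group(1): m.group(2).lower()
            for m in (NEIGH_RE.match(l) for l in text.splitlines()) if m}


def parse_fdb(text):
    """mac -> bridge port, converting the decimal OID suffix to colon-hex."""
    return {":".join(f"{int(o):02x}" for o in oid.split(".")): int(port)
            for oid, port in FDB_RE.findall(text)}


def parse_port_names(baseport_text, ifname_text):
    """bridge port -> ifName, via dot1dBasePortIfIndex -> ifIndex -> ifName."""
    names = {int(i): n for i, n in IFNAME_RE.findall(ifname_text)}
    return {int(p): names.get(int(i), f"ifIndex {i}")
            for p, i in BASEPORT_RE.findall(baseport_text)}


def locate(ip, neigh, fdb, port_names):
    """(mac, bridge_port, ifname); None where a stage could not resolve."""
    mac = neigh.get(ip)
    if mac is None:
        return None                      # no ARP entry: ask the default gateway
    port = fdb.get(mac)
    if port is None:
        return (mac, None, None)         # not learned here: walk the other switches
    return (mac, port, port_names.get(port))


def group_by_port(ips, neigh, fdb, port_names):
    """Map ifName -> set of MACs seen behind it.

    Many spoofed MACs collapsing onto one edge port is the signature of a
    single host bridging a farm of fake VMs, which is what the thread suspects.
    """
    by_port = {}
    for ip in ips:
        hit = locate(ip, neigh, fdb, port_names)
        if hit and hit[1] is not None:
            by_port.setdefault(hit[2], set()).add(hit[0])
    return by_port


if __name__ == "__main__":
    neigh = parse_neigh(NEIGH_SAMPLE)
    fdb = parse_fdb(FDB_SAMPLE)
    names = parse_port_names(BASEPORT_SAMPLE, IFNAME_SAMPLE)
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.1"):
        print(ip, locate(ip, neigh, fdb, names))
    for port, macs in group_by_port(neigh, neigh, fdb, names).items():
        print(f"{port}: {len(macs)} MAC(s) {sorted(macs)}")
```

Two caveats when running this against real gear: if the port a MAC resolves to is an uplink or trunk, repeat the lookup on the switch at the other end until the MAC lands on an edge port, and on switches that keep a separate forwarding table per VLAN (Cisco IOS, for example) the BRIDGE-MIB walk has to be done per VLAN, or replaced by the CLI equivalent such as `show mac address-table address <mac>`.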