Topic: Newbie Question - Monitoring Port Traffic

[jtozer]

I am very new to SME Server. I am using 6.0.1 - I setup a server in October to act as a firewall and dhcp server with no problems so I haven't really spent much time yet learning the ins and outs of the system.  Here's the problem:
My ISP has informed me that I have a computer behind my firewall that has the Worm.SomeFool.Gen-1 virus I believe it's more commonly known as Netsky.  Since I have a firewall, they are unable to pinpoint which computer it is.  They told me to monitor traffic on port 25 during the evening hours, when no one is in the building and I should be able to pinpoint which computer has the virus.  I do not have a clue how to do this with SME Server.  I have checked the log files but I really do not know what I am looking for.  Is there anyone out there that could help me with this problem of monitoring traffic on port 25.  Thanks

[jfarschman]

Yep!

  That's the way to find it.  Are you good with the command line?  You'll need to telnet or SSH, or maybe hook up a monitor the the SME and work from there.  My person favorite tool for windows is PUTTY.EXE which allows you to expand the screen and see a lot more information.  You will need the space.

netstat -tupan

This is going to display several columns.  The two you care about are Local Address (your evil/infected machine) and Foreign Address (the folks your evil child is attacking).  To narrow things down a little, try:

netstat -tupan |grep :25

This will get you all the connection on port 25.  Of course, make sure no one turns off their PCs at night... or you may not see the problem.

Hope this helps.