How do I find the application on my network that's dropping packets?
Just had a fundamental doubt. In my network, the firewall is being sent packets to the SMTP port. I have blocked the port and am logging the dropped packets. I can see a certain PC which has been sending the packets. On network monitoring, we did not find the source port on the rogue PC. How do I find the application / service which is trying to send the packet to the firewall? Where should we run the packet filter tool?
When you capture these packets, if you are using a tool such as Wireshark, look at offset 0x23 and 0x24. This is the source port in a TCP header. In the middle frame of a packet capture it would look like this:
[Screenshot: Wireshark packet bytes pane showing the source port]
In this example the source port is 2346. Source ports are typically chosen at random. If you have access to the system sending the traffic you can run a tool like fport or run netstat -an from the command line.
This was first published in September 2009
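The two steps the answer describes, reading the source port out of the captured frame and then matching that port against netstat on the sending host, as an added Python example that is not part of the original column. It assumes the usual encapsulation: with a 14-byte Ethernet II header and a 20-byte IPv4 header the TCP source port is frame bytes 0x22 and 0x23 and the destination port 0x24 and 0x25, but the parser computes the offset from the EtherType and the IP header length rather than hard-coding it, because a VLAN tag or IP options move it. The frames and the netstat rows are constructed sample data, and the netstat parser assumes the column layout of netstat -ano on Windows (the -o switch is what adds the PID column; plain netstat -an does not show it, and on Linux netstat -tnp or ss -tnp run as root gives the owning process instead).

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag inserted before the real EtherType
IPPROTO_TCP = 6
SMTP_PORT = 25


def tcp_endpoints(frame):
    """Return (src_ip, src_port, dst_ip, dst_port) for an Ethernet II / IPv4 / TCP frame,
    or None for anything else.  Offsets are derived from the headers: a VLAN tag adds
    4 bytes before the IP header and IPv4 options (IHL > 5) lengthen the IP header, so
    the source port is only at frame bytes 0x22-0x23 in the untagged, no-options case."""
    if len(frame) < 14:
        return None
    off = 12                                          # skip destination + source MAC
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype == ETHERTYPE_VLAN and len(frame) >= off + 4:
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]   # TCI (2), then inner EtherType (2)
        off += 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ip_off = off
    ver_ihl = frame[ip_off]
    ihl = (ver_ihl & 0x0F) * 4                        # IPv4 header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < ip_off + ihl + 4:
        return None
    if frame[ip_off + 9] != IPPROTO_TCP:              # protocol field of the IPv4 header
        return None
    src_ip = ".".join(str(b) for b in frame[ip_off + 12:ip_off + 16])
    dst_ip = ".".join(str(b) for b in frame[ip_off + 16:ip_off + 20])
    # TCP header: source port is bytes 0-1, destination port is bytes 2-3
    src_port, dst_port = struct.unpack_from("!HH", frame, ip_off + ihl)
    return src_ip, src_port, dst_ip, dst_port


def smtp_sources(frames, smtp_port=SMTP_PORT):
    """Source (ip, port) pairs of every TCP frame addressed to the SMTP port."""
    found = set()
    for frame in frames:
        ep = tcp_endpoints(frame)
        if ep is not None and ep[3] == smtp_port:
            found.add((ep[0], ep[1]))
    return sorted(found)


def owner_of_local_port(netstat_output, local_port):
    """Map a local TCP port to its PID using netstat -ano output (Windows column layout:
    Proto, Local Address, Foreign Address, State, PID).  Returns None if no row matches."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            host_port = parts[1].rsplit(":", 1)       # rsplit so [::]:445 style IPv6 rows work too
            if len(host_port) == 2 and host_port[1] == str(local_port):
                return int(parts[4])
    return None


def build_frame(src_ip, src_port, dst_ip, dst_port, vlan_tci=None, ip_options=b""):
    """Constructed test input: a minimal Ethernet/IPv4/TCP SYN (checksums left at zero;
    ip_options must be a multiple of 4 bytes)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_tci is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan_tci)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ihl_words = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + len(tcp),
                     0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return eth + ip + ip_options + tcp


# Constructed capture: the rogue PC's SMTP attempt, a VLAN-tagged copy with IP options,
# and an unrelated HTTP connection that must not be reported.
CAPTURE = [
    build_frame("192.168.1.20", 2346, "10.0.0.1", 25),
    build_frame("192.168.1.20", 2346, "10.0.0.1", 25, vlan_tci=100, ip_options=b"\x01" * 4),
    build_frame("192.168.1.30", 51000, "10.0.0.2", 80),
]

# Constructed netstat -ano excerpt from the rogue PC (sample data, not real output).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:2346      10.0.0.1:25            SYN_SENT        4120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1188
"""

if __name__ == "__main__":
    for ip, port in smtp_sources(CAPTURE):
        pid = owner_of_local_port(NETSTAT_ANO, port)
        print(f"{ip}:{port} -> SMTP, owning PID on that host: {pid}")
```

Run it against the frames the firewall logged or a capture taken from a mirror port; the source port it reports is the number to look for in the Local Address column on the rogue PC. Because that port is ephemeral, run netstat while the connection attempt is in progress, otherwise the row will already be gone and the port may be reused by a different program later.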