How do I find the application on my network that's dropping packets?

Just had a fundamental doubt. In my network, the firewall is being sent packets to the SMTP port. I have blocked the port and am logging the dropped packets. I can see a certain PC which has been sending the packets. On network monitoring, we did not find the source port on the rogue PC. How do I find the application / service which is trying to send the packet to the firewall? Where should we run the packet filter tool?

When you capture these packets, if you are using a tool such as Wireshark, look at offset 0x23 and 0x24. This is the source port in a TCP header. In the middle frame of a packet capture it would look like this:


Click Image to enlarge screenshot.

In this example the source port is 2346. Source ports are typically chosen at random. If you have access to the system sending the traffic, you can run a tool like fport or run netstat -an from the command line.
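The two steps in the answer, reading the source port out of the captured frame and then matching that port to a process on the sending PC, are shown together below as an added example; it is not code from the original answer or from TechTarget. Instead of assuming a fixed byte offset, the parser derives the TCP header position from the EtherType and the IP header length, because an 802.1Q VLAN tag or IP options move the TCP header further into the frame. The frame bytes and the netstat lines are constructed for the example (source port 2346 to destination port 25, mirroring the answer's screenshot), and the netstat sample assumes Windows `netstat -ano` output, where the `-o` switch adds the owning PID column.

```python
import struct

# Constructed sample frame (not captured from the questioner's network):
# Ethernet II (14 bytes) + IPv4 header without options (20 bytes) + TCP header (20 bytes).
# TCP source port 2346 (0x092a), destination port 25 (SMTP), SYN flag set.
SAMPLE_FRAME = bytes.fromhex(
    "00 11 22 33 44 55"                      # destination MAC
    "66 77 88 99 aa bb"                      # source MAC
    "08 00"                                  # EtherType: IPv4
    "45 00 00 28 1c 46 40 00 80 06 00 00"    # ver/IHL=5, total length 40, TTL 128, protocol 6 (TCP)
    "c0 a8 01 37"                            # source IP 192.168.1.55 (the suspect PC)
    "c0 a8 01 01"                            # destination IP 192.168.1.1 (the firewall)
    "09 2a 00 19"                            # TCP source port 2346, destination port 25
    "00 00 00 01"                            # sequence number
    "00 00 00 00"                            # acknowledgement number
    "50 02 20 00 00 00 00 00"                # data offset 5, flags SYN, window 8192, checksum, urgent
)

# Same frame with an 802.1Q VLAN tag inserted after the MAC addresses: the TCP header shifts by 4 bytes.
VLAN_FRAME = SAMPLE_FRAME[:12] + bytes.fromhex("81 00 00 64") + SAMPLE_FRAME[12:]

# Constructed "netstat -ano" output from the suspect PC (Windows format, PID in the last column).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.55:2346      192.168.1.1:25         SYN_SENT        4120
  TCP    192.168.1.55:49215     10.0.0.5:443           ESTABLISHED     2208
  UDP    0.0.0.0:500            *:*                                    1288
"""


def tcp_endpoints(frame: bytes):
    """Locate the TCP header in an Ethernet frame and return its addresses and ports.

    Returns None for anything that is not IPv4/TCP. The dict includes the byte
    offset of the source port so it can be compared with what a capture tool shows.
    """
    off = 12                                           # EtherType follows the two MAC addresses
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while ethertype == 0x8100:                         # skip any 802.1Q tag(s): TCI + real EtherType
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype != 0x0800:                            # not IPv4
        return None
    ip_start = off
    ver_ihl = frame[ip_start]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4                         # IP header length in bytes (options included)
    if frame[ip_start + 9] != 6:                       # protocol field: 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in frame[ip_start + 12:ip_start + 16])
    dst_ip = ".".join(str(b) for b in frame[ip_start + 16:ip_start + 20])
    tcp_start = ip_start + ihl
    src_port, dst_port = struct.unpack_from("!HH", frame, tcp_start)
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "src_port_offset": tcp_start}


def processes_using_port(netstat_output: str, local_port: int):
    """Return the netstat rows whose local port matches, each with its owning PID."""
    rows = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        _, _, port = local.rpartition(":")             # rpartition also copes with [::]:port forms
        if not port.isdigit() or int(port) != local_port:
            continue
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(parts[-1])})
    return rows


def pids_for_frame(frame: bytes, netstat_output: str):
    """Tie the two steps together: source port from the capture -> PIDs holding that port."""
    ep = tcp_endpoints(frame)
    if ep is None:
        return []
    return [row["pid"] for row in processes_using_port(netstat_output, ep["src_port"])]


if __name__ == "__main__":
    ep = tcp_endpoints(SAMPLE_FRAME)
    print(f"{ep['src_ip']}:{ep['src_port']} -> {ep['dst_ip']}:{ep['dst_port']} "
          f"(source port at frame offset 0x{ep['src_port_offset']:02x})")
    print("owning PID(s):", pids_for_frame(SAMPLE_FRAME, SAMPLE_NETSTAT))
```

Run the capture on the suspect PC itself or on a span/mirror port that sees its traffic, then run netstat on the PC while the connection attempts are happening; the SYN_SENT row is the one to look for, since a blocked SMTP connection never completes. The offset returned for the plain frame is 0x22, and 0x26 once a VLAN tag is present, which is why the parser reads the headers rather than trusting a remembered number.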

This was first published in September 2009