
How do I find the application on my network that's dropping packets?

Learn how to use Wireshark to trace dropped packets being sent from a PC on your network or an external application/service and secure SMTP ports, from our expert Michael Gregg.

Just had a fundamental doubt. In my network, the firewall is being sent packets to the SMTP port. I have blocked the port and am logging the dropped packets. I can see a certain PC which has been sending the packets. On network monitoring, we did not find the source port on the rogue PC. How do I find the application / service which is trying to send the packet to the firewall? Where should we run the packet filter tool?

When you capture these packets, if you are using a tool such as Wireshark, look at offset 0x23 and 0x24. This is the source port in a TCP header. In the middle frame of a packet capture it would look like this:

[Screenshot: middle frame of a packet capture showing the TCP source port]

In this example the source port is 2346. Source ports are typically chosen at random. If you have access to the system sending the traffic you can run a tool like fport or run netstat -an from the command line.
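As an added example (not part of the expert's answer), the following Python parser pulls the TCP source port out of a raw Ethernet/IPv4/TCP frame and reports the byte offset at which it was found, computing that offset from the frame's own header lengths (Ethernet header plus the IPv4 IHL field) rather than assuming a fixed one. The frame bytes are constructed for illustration: a SYN from port 2346 to port 25, with made-up MAC and IP addresses and zeroed checksums.

```python
import struct

# Constructed sample frame: Ethernet II + IPv4 (IHL=5, no options) + TCP SYN.
# MACs, IPs and zeroed checksums are made up; this is not from a real capture.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                     # Ethernet: dst, src, type=IPv4
    "450000280001000040060000" "c0a80164" "c0a80101"        # IPv4: IHL=5, proto=6 (TCP)
    "092a0019" "00000000" "00000000" "50022000" "00000000"  # TCP: sport=2346, dport=25, SYN
)

def tcp_ports(frame: bytes):
    """Return (src_port, dst_port, src_port_offset) for an Ethernet/IPv4/TCP frame.

    Raises ValueError for frames that are not IPv4/TCP or are truncated.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_start = 14
    version_ihl = frame[ip_start]
    if version_ihl >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (version_ihl & 0x0F) * 4           # header length in bytes; options enlarge it
    if ihl < 20 or len(frame) < ip_start + ihl:
        raise ValueError("bad or truncated IPv4 header")
    if frame[ip_start + 9] != 6:             # protocol field: 6 = TCP
        raise ValueError("not a TCP segment")
    tcp_start = ip_start + ihl               # first byte of the TCP header = source port
    if len(frame) < tcp_start + 4:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    return sport, dport, tcp_start

def source_ports_to(frames, dst_port=25):
    """Collect the source ports used by every frame addressed to dst_port (SMTP by default)."""
    ports = set()
    for f in frames:
        try:
            sport, dport, _ = tcp_ports(f)
        except ValueError:
            continue                         # skip non-IPv4/TCP or damaged frames
        if dport == dst_port:
            ports.add(sport)
    return ports

if __name__ == "__main__":
    sport, dport, off = tcp_ports(SAMPLE_FRAME)
    print(f"source port {sport} -> dest port {dport}, source port at offset 0x{off:02x}")
```

With the source port in hand, netstat on the sending host (as the answer suggests) maps that port to the owning process.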

This was last published in September 2009

