I'm trying to help out a small company in Provo determine if one of
their systems is infected with some self-emailing worm. Several emails
have been "returned" as being a possible virus (they are). The from
email address is spoofed, but I'm trying to figure out if it is inside
or outside the network. I figured a fairly easy way to figure it out was
to filter the network traffic headed for the internet and look at all
the smtp traffic, either using ethereal or the ruby bindings to pcap.
Problem is, it's a switched network. The network is basically made up of
a couple Netgear FS116's -- 16 port switches and a basic Netgear home
gateway router (which is also based off a switch).
I read on tcpdump.org that some switches can be configured to replicate
network traffic to certain ports so that you can actually monitor the
network, but I can't find any hint of these economical devices being able
to do so.
I understand that I can place a hub between the main switch and the home
router which will then broadcast the network packets to me no problemo
-- but looking at some local stores, ebc computers, pc club, etc. they
don't carry hubs, just switches.
So my question for the UUG, who has a suggestion on a capable hub? Or a
switch that can be configured to also give me the goods? Would a Linksys
WRT54G with a replacement firmware have that functionality?
Thanks,
Devlin
--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their
author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
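Once a hub or mirror port puts the LAN-to-router traffic in front of a capture box, the analysis the post describes is simple: count which internal host opens outbound SMTP (TCP port 25) connections, and to how many distinct servers. The script below is an added example, not code from the original post or from the UUG; it uses only the Ruby standard library (a hand-written reader for the pcap file format instead of the ruby pcap bindings mentioned above), so a file written by `tcpdump -w` or saved from ethereal can be fed to it offline. The LAN range 192.168.1.0/24, the MAC and IP addresses, the capture itself and the "three or more distinct SMTP servers" threshold are all constructed assumptions for illustration.

```ruby
# Added example (not from the original post): tally outbound SMTP connection
# attempts per internal host from a pcap capture, to locate a self-mailing
# worm on a LAN. Standard library only; the capture below is constructed.
require 'ipaddr'

# ---- helpers that build a small constructed capture (test data, not real) ----
def mac_bytes(str)
  str.split(':').map { |h| h.to_i(16) }.pack('C6')
end

def ip_bytes(str)
  str.split('.').map(&:to_i).pack('C4')
end

# One Ethernet/IPv4/TCP frame with the given TCP flags. Checksums are left
# zero; the parser below does not verify them.
def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, flags)
  tcp = [src_port, dst_port, 1, 0, 0x50, flags, 8192, 0, 0].pack('nnNNCCnnn')
  ip  = [0x45, 0, 20 + tcp.bytesize, 1, 0, 64, 6, 0].pack('CCnnnCCn') +
        ip_bytes(src_ip) + ip_bytes(dst_ip)
  mac_bytes(dst_mac) + mac_bytes(src_mac) + [0x0800].pack('n') + ip + tcp
end

def build_pcap(frames)
  # Global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
  out = [0xa1b2c3d4, 2, 4, 0, 0, 65_535, 1].pack('VvvVVVV')
  frames.each_with_index do |f, i|
    out << [1_100_000_000 + i, 0, f.bytesize, f.bytesize].pack('VVVV') << f
  end
  out
end

SYN = 0x02
ACK = 0x10
GW  = '00:0c:41:00:00:01'   # gateway router MAC (constructed)
H10 = '00:11:22:33:44:aa'   # host 192.168.1.10 (constructed)
H20 = '00:11:22:33:44:bb'   # host 192.168.1.20 (constructed)

SAMPLE_PCAP = build_pcap([
  build_tcp_frame(H10, GW, '192.168.1.10', '203.0.113.5',  51000, 25, SYN),
  build_tcp_frame(GW, H10, '203.0.113.5', '192.168.1.10', 25, 51000, SYN | ACK), # reply, ignored
  build_tcp_frame(H10, GW, '192.168.1.10', '198.51.100.7', 51001, 25, SYN),
  build_tcp_frame(H20, GW, '192.168.1.20', '198.51.100.7', 40000, 25, SYN), # normal mail to ISP relay
  build_tcp_frame(H10, GW, '192.168.1.10', '192.0.2.9',    51002, 25, SYN),
  build_tcp_frame(H20, GW, '192.168.1.20', '203.0.113.80', 40001, 80, SYN), # web, not SMTP
  build_tcp_frame(H10, GW, '192.168.1.10', '203.0.113.5',  51003, 25, SYN)  # repeat target
])

# ---- minimal pcap reader: returns [[timestamp, frame_bytes], ...] ----
def parse_pcap(bytes)
  fmt = case bytes[0, 4].unpack1('V')
        when 0xa1b2c3d4 then 'V'   # little-endian file
        when 0xd4c3b2a1 then 'N'   # big-endian file
        else raise 'not a pcap file'
        end
  raise 'expected an Ethernet capture' unless bytes[20, 4].unpack1(fmt) == 1
  offset = 24
  packets = []
  while offset + 16 <= bytes.bytesize
    ts_sec, _usec, incl_len, _orig_len = bytes[offset, 16].unpack(fmt * 4)
    offset += 16
    packets << [ts_sec, bytes[offset, incl_len]]
    offset += incl_len
  end
  packets
end

# Decode an Ethernet/IPv4/TCP frame; return nil unless it is a bare SYN, i.e.
# a new connection attempt (SYN/ACK replies and data segments are skipped).
def decode_tcp_syn(frame)
  return nil if frame.bytesize < 14 + 20 + 20 || frame[12, 2].unpack1('n') != 0x0800
  src_mac = frame[6, 6].unpack('C6').map { |b| format('%02x', b) }.join(':')
  ip = frame[14..-1]
  return nil unless ip.getbyte(9) == 6                      # protocol 6 = TCP
  ihl = (ip.getbyte(0) & 0x0f) * 4
  tcp = ip[ihl..-1]
  src_port, dst_port = tcp.unpack('nn')
  flags = tcp.getbyte(13)
  return nil unless (flags & SYN) != 0 && (flags & ACK).zero?
  { src_mac: src_mac, src_ip: ip[12, 4].unpack('C4').join('.'),
    dst_ip: ip[16, 4].unpack('C4').join('.'), src_port: src_port, dst_port: dst_port }
end

# Internal source IP => { mac:, targets: [distinct SMTP servers contacted] }.
# The source MAC is the real sending machine because the capture point sits
# on the same LAN segment; the spoofed From: header is irrelevant here.
def smtp_senders(pcap_bytes, lan = IPAddr.new('192.168.1.0/24'))
  tally = {}
  parse_pcap(pcap_bytes).each do |_ts, frame|
    syn = decode_tcp_syn(frame)
    next unless syn && syn[:dst_port] == 25 && lan.include?(IPAddr.new(syn[:src_ip]))
    entry = tally[syn[:src_ip]] ||= { mac: syn[:src_mac], targets: [] }
    entry[:targets] << syn[:dst_ip] unless entry[:targets].include?(syn[:dst_ip])
  end
  tally
end

# A normal workstation talks to one or two mail relays; a mass-mailer opens
# SMTP connections to many different servers. Threshold is an assumption.
def suspects(tally, threshold = 3)
  tally.select { |_ip, e| e[:targets].size >= threshold }.keys
end

if __FILE__ == $PROGRAM_NAME
  tally = smtp_senders(SAMPLE_PCAP)   # for a real capture: File.binread('capture.pcap')
  tally.each { |ip, e| puts "#{ip} (#{e[:mac]}) -> #{e[:targets].size} SMTP servers: #{e[:targets].join(', ')}" }
  puts "suspects: #{suspects(tally).join(', ')}"
end
```

One caveat for a real run: a worm that hands everything to the ISP's relay shows up with a single target, just like a legitimate mail client, so also look at the raw number of port 25 SYNs per host and at which hosts are sending mail at all. A host that has no business sending mail and suddenly opens SMTP connections is a finding regardless of how many servers it reaches.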