mav425

Thanks for the responses. RandyL, I actually do not think that the problem is as serious as you think it is. After reading the wireshark FAQ that starams5 linked me I found the reason why I could only see the packets sourced from the server at not other computers on the network. I still believe that it's only 1 (or possibly a few) of our workgroup computers infected and not the server itself. I still haven't figured out how to get wireshark to receive data from all network computers though. I think that we might have to just hire someone to help us fix this problem, because I feel that I am over my head on this issue. And you are correct RandyL, this could very well be some serious business so it would probably be worth hiring someone to help us with this problem.

I am working on a Microsoft Exchange 2003 email server. Our mail server has a terrible spam problem, and I have a suspicion that one of our computers is infected by a spambot. What I'm trying to do is figure out which computer within our network is generating spam using the program "Wireshark". What I tried doing is filtering the packets to TCP only, and then filtering the results down to tcp.port == 25 (port 25 is the SMTP port). Unfortunately I don't think that I have the filters set up right. After filtering the data, the only "Source" ip from our network ip address was the mail exchange server itself. I'm thinking that either I set up the filters wrong, or that our mail server is the spambot (the latter seems unlikely). Could someone help me figure out how to correctly filter Wireshark so that I can see all network packets going to port 25? Either that or let me know a better way to detect our network spambot http://forums.meulie.net/images/smilies/icon_razz.gif Thanks a lot for the help!