view smtp traffic

Answered Question
Aug 24th, 2007

Hi,

I need to view SMTP traffic that is passing through my Cisco router that connects to the internet.

The problem is that I don't know which command to use to view the SMTP traffic, or any additional config that has to be done.

Could you please assist?

Thank you

Correct Answer by Edison Ortiz about 9 years 4 months ago

I suggest you enable

ip nbar protocol-discovery on the egress interface

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/qos_i1h.htm#wp1096745

An access-list with the log option would also do the job, but the drawback with this solution is that packets will be process switched (causing some CPU utilization) instead of fast switched.

Overall Rating: 5 (3 ratings)
rais Fri, 08/24/2007 - 08:20

You can configure an access-list with a log option on your outgoing/incoming interface. Depending upon your platform, NetFlow is another option.

Thanks.

avmabe Fri, 08/24/2007 - 08:32

Are you trying to see how much SMTP traffic is going through your router or be able to actually READ the SMTP email being sent?

The only way to actually read the emails is to capture the full packet (span the port or in-line sniffer).

akobwaycct Sat, 08/25/2007 - 08:13

I just want to see if SMTP traffic is going in or out of my router, not to read the mail being sent.

Correct Answer
anandramapathy Mon, 08/27/2007 - 00:46

Another option is to enable ip cache flow on the interface where you want to monitor.

show ip cache flow

You will then be able to see the TCP flows, including SMTP, by the command show ip cache flow.

rajatsetia Mon, 08/27/2007 - 01:15

Hi

In case you are looking for specific info regarding SMTP traffic at some particular time frame, then you can check it on the router as suggested by anandramapathy.

Enable ip cache on the interface by "ip route-cache flow" and then capture the traffic by "show ip cache flow | include 'concerned parameter'".

Now this 'concerned parameter' can be source IP or destination IP, or if you want to see the whole SMTP traffic then it has to be captured by port number in "hexadecimal", so it will be like this:

"show ip cache flow | i 19"

SMTP port number: 25, 19 in hex

But this will also include other results which have "19" even in the IP address :) so lots of manual filtering work (check for "19" under the DstP column).

Better go for a NetFlow monitor and divert the NetFlow traffic to an external monitor and do the analysis.

HTH

rgds
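
An added example, not part of the original thread: the manual filtering described in the reply above can be done offline on saved "show ip cache flow" output by matching the Pr, SrcP and DstP columns exactly instead of the substring "19". The sample rows are constructed, and the eight-column layout (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts) is assumed.

```python
# Constructed flow-table rows in the layout printed by `show ip cache flow`
# (sample data, not from a real router). Pr, SrcP and DstP are hexadecimal.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         192.168.19.7    Fa0/0         198.51.100.10   06 C1A2 0050     8
Fa0/1         10.0.0.5        Fa0/0         203.0.113.25    06 D3F1 0019    14
Fa0/0         203.0.113.25    Fa0/1         10.0.0.5        06 0019 D3F1    11
Fa0/1         10.0.0.9        Fa0/0         203.0.113.53    11 0019 0035     2
Fa0/1         10.0.0.6        Fa0/0         198.51.100.20   06 E019 01BB     5
Fa0/1         10.0.0.7        Fa0/0         203.0.113.80    06 C000 0050     3
"""

TCP, SMTP_PORT = 6, 25  # shown as 06 and 0019 in the router's output

def parse_flows(text):
    """Return one dict per flow row found after the SrcIf/SrcIPaddress header."""
    flows, in_table = [], False
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["SrcIf", "SrcIPaddress"]:
            in_table = True   # anything printed before the table is skipped
            continue
        if not in_table or len(fields) != 8:
            continue
        src_if, src_ip, dst_if, dst_ip, pr, srcp, dstp, pkts = fields
        try:
            flows.append({"src_if": src_if, "src_ip": src_ip, "dst_if": dst_if,
                          "dst_ip": dst_ip, "proto": int(pr, 16),
                          "src_port": int(srcp, 16), "dst_port": int(dstp, 16),
                          "pkts": pkts})  # packet count kept as text
        except ValueError:
            continue          # not a flow row
    return flows

def smtp_flows(flows):
    """Keep TCP flows with port 25 on either side and label the direction."""
    out = []
    for f in flows:
        if f["proto"] == TCP and SMTP_PORT in (f["src_port"], f["dst_port"]):
            to_server = f["dst_port"] == SMTP_PORT
            out.append(dict(f, direction="client-to-server" if to_server else "server-to-client"))
    return out

def substring_matches(text, needle="19"):
    """Rows that `| i 19` would print: any line containing the substring."""
    return [line for line in text.splitlines() if needle in line]

if __name__ == "__main__":
    for f in smtp_flows(parse_flows(SAMPLE)):
        print(f["direction"], f["src_ip"], "->", f["dst_ip"], "pkts", f["pkts"])
```

On the constructed sample the substring filter prints five of the six rows, while the column match keeps only the two TCP flows that actually use port 25.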
