How to trace source, destination IP addresses and ports using tcpdump

Today I received alarms that there were too many ‘Relay access denied’ errors on my mail server. This is abnormal. It must be that some clients/workstations are infected by viruses and are trying to relay through my mail server.

The source public IP address that was detected belongs to our office: it is the address of our NAT Linux router. So I need to trace from which workstations inside the LAN (Local Area Network) the virus traffic is coming. Once the infected workstations have been identified, we can easily block their IP addresses from sending email.

To trace which workstations are sending email abnormally, we can use the ‘tcpdump’ tool.

Here is an example:

root@noc1:/home/fuad# tcpdump -ttt -vv -i eth1 dst host 203.153.xxx.xxx and port 25
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
000000 IP (tos 0x0, ttl 128, id 52798, offset 0, flags [DF], proto: TCP (6), length: 48) 172.16.17.123.informatik-lm > my.mailserver.com.smtp: S, cksum 0x364c (correct), 4271007468:4271007468(0) win 16384 
023320 IP (tos 0x0, ttl 128, id 52799, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.17.123.informatik-lm > my.mailserver.com.smtp: ., cksum 0x7733 (correct), 4271007469:4271007469(0) ack 2577223103 win 17520
027823 IP (tos 0x0, ttl 128, id 52800, offset 0, flags [DF], proto: TCP (6), length: 69) 172.16.17.123.informatik-lm > my.mailserver.com.smtp: P, cksum 0x09d4 (correct), 0:29(29) ack 37 win 17484
008090 IP (tos 0x0, ttl 128, id 52801, offset 0, flags [DF], proto: TCP (6), length: 75) 172.16.17.123.informatik-lm > my.mailserver.com.smtp: P, cksum 0xd3e4 (correct), 29:64(35) ack 210 win 17311
009715 IP (tos 0x0, ttl 128, id 52802, offset 0, flags [DF], proto: TCP (6), length: 70) 172.16.17.123.informatik-lm > my.mailserver.com.smtp: P, cksum 0x9685 (correct), 64:94(30) ack 224 win 17297
008070 IP (tos 0x0, ttl 128, id 52803, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.17.123.informatik-lm > my.mailserver.com.smtp: F, cksum 0x76d4 (correct), 94:94(0) ack 277 win 17244
004064 IP (tos 0x0, ttl 128, id 52805, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.17.123.informatik-lm > my.mailserver.com.smtp: ., cksum 0x76d3 (correct), 95:95(0) ack 278 win 17244
180196 IP (tos 0x0, ttl 128, id 52811, offset 0, flags [DF], proto: TCP (6), length: 48) 172.16.17.123.tpdu > my.mailserver.com.smtp: S, cksum 0x7913 (correct), 3424802451:3424802451(0) win 16384 
028414 IP (tos 0x0, ttl 128, id 52812, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.17.123.tpdu > my.mailserver.com.smtp: ., cksum 0xf5a8 (correct), 3424802452:3424802452(0) ack 2579829225 win 17520
019708 IP (tos 0x0, ttl 128, id 52814, offset 0, flags [DF], proto: TCP (6), length: 69) 172.16.17.123.tpdu > my.mailserver.com.smtp: P, cksum 0x8849 (correct), 0:29(29) ack 37 win 17484
016056 IP (tos 0x0, ttl 128, id 52816, offset 0, flags [DF], proto: TCP (6), length: 89) 172.16.17.123.tpdu > my.mailserver.com.smtp: P 29:78(49) ack 210 win 17311
020963 IP (tos 0x0, ttl 128, id 52817, offset 0, flags [DF], proto: TCP (6), length: 71) 172.16.17.123.tpdu > my.mailserver.com.smtp: P, cksum 0x8e0d (correct), 78:109(31) ack 224 win 17297
015305 IP (tos 0x0, ttl 128, id 52818, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.17.123.tpdu > my.mailserver.com.smtp: F, cksum 0xf53a (correct), 109:109(0) ack 278 win 17243

Tcpdump options in the example above:
-ttt : Print a delta (in microseconds) between the current and previous line on each dump line.
-vv : Even more verbose output. For example, additional fields are printed from NFS reply packets, and SMB packets are fully decoded.
-i eth1 : The interface facing the LAN. Change it to match your configuration.
203.153.xxx.xxx : The mail server's IP address. The filter ‘dst host 203.153.xxx.xxx and port 25’ keeps only the SMTP traffic heading to it, so every line in the dump is an outbound mail connection from the LAN.
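Picking the noisy source out of a long capture by eye is tedious. The following Python is added here and is not part of the original post: it parses lines in the ‘tcpdump -ttt -vv’ format shown above and counts new SMTP connections (the bare SYN, flag ‘S’) per source IP, so one hit means one delivery attempt rather than one packet. The sample lines are copied from the capture above plus one constructed line for a second, quiet workstation (172.16.17.50).

```python
import re
from collections import Counter

# One line of `tcpdump -ttt -vv` output, as in the capture above:
#   "<delta> IP (<ip header fields>) <src>.<sport> > <dst>.<dport>: <flags>[, ...]"
# The header fields contain nested parentheses ("TCP (6)"), so the lazy ".*?"
# relies on backtracking until " <src> > " really follows the closing ")".
LINE_RE = re.compile(
    r"^\d+ IP \(.*?\) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+)[, ]"
)

def split_host_port(endpoint):
    """'172.16.17.123.informatik-lm' -> ('172.16.17.123', 'informatik-lm')."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def count_smtp_connections(lines):
    """Map each source IP to the number of SMTP connections it opened.

    Only the first packet of a connection carries flag 'S' alone (a SYN-ACK
    shows as 'S.'), so counting those lines gives one hit per connection.
    """
    syns = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a packet line, e.g. "tcpdump: listening on ..."
        src_ip, _ = split_host_port(m.group("src"))
        _, dport = split_host_port(m.group("dst"))
        if dport == "smtp" and m.group("flags") == "S":
            syns[src_ip] += 1
    return dict(syns)

def top_senders(lines, threshold=1):
    """Source IPs with more than `threshold` SMTP connections, busiest first."""
    counts = count_smtp_connections(lines)
    return sorted((ip for ip, n in counts.items() if n > threshold),
                  key=lambda ip: -counts[ip])

# Sample input: first five lines are from the capture above; the last one is
# a constructed line for a second workstation that sent a single message.
SAMPLE = [
    "tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes",
    "000000 IP (tos 0x0, ttl 128, id 52798, offset 0, flags [DF], proto: TCP (6), length: 48) 172.16.17.123.informatik-lm > my.mailserver.com.smtp: S, cksum 0x364c (correct), 4271007468:4271007468(0) win 16384",
    "023320 IP (tos 0x0, ttl 128, id 52799, offset 0, flags [DF], proto: TCP (6), length: 40) 172.16.17.123.informatik-lm > my.mailserver.com.smtp: ., cksum 0x7733 (correct), 4271007469:4271007469(0) ack 2577223103 win 17520",
    "180196 IP (tos 0x0, ttl 128, id 52811, offset 0, flags [DF], proto: TCP (6), length: 48) 172.16.17.123.tpdu > my.mailserver.com.smtp: S, cksum 0x7913 (correct), 3424802451:3424802451(0) win 16384",
    "016056 IP (tos 0x0, ttl 128, id 52816, offset 0, flags [DF], proto: TCP (6), length: 89) 172.16.17.123.tpdu > my.mailserver.com.smtp: P 29:78(49) ack 210 win 17311",
    "411002 IP (tos 0x0, ttl 128, id 1001, offset 0, flags [DF], proto: TCP (6), length: 48) 172.16.17.50.1234 > my.mailserver.com.smtp: S, cksum 0x0000 (correct), 1:1(0) win 16384",
]

if __name__ == "__main__":
    for ip, n in count_smtp_connections(SAMPLE).items():
        print(f"{ip}: {n} SMTP connection(s)")
    print("suspicious:", top_senders(SAMPLE))
```

On the router itself the same logic applies to a live capture by piping ‘tcpdump -ttt -vv -l ...’ into the script and reading sys.stdin instead of SAMPLE.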

From the result above, we can easily identify that the workstation that keeps sending email is the one at IP address 172.16.17.123.
After it has been identified, we drop SMTP connections coming from this IP address using iptables on the router's FORWARD chain, as below:

iptables -A FORWARD -s 172.16.17.123 -p tcp -m tcp --dport 25 -j DROP