July 27, 2004 12:00 AM

Dive into Network Monitor

Peek into packets and spot traffic tie-ups with help from Microsoft's network analyzer
Windows IT Pro
InstantDoc ID #43205

Using Network Monitor to Head Off an AUTH Attack
One practical use for Network Monitor is to obtain detailed information about the packets traveling to and from your server when you suspect the server is under attack. For example, you might be familiar with the type of attack by which a spammer bombards an Exchange server with SMTP AUTH commands until the spammer successfully logs on to the server. By default, Microsoft Exchange Server 2003 and Microsoft Exchange 2000 Server let a mail server relay messages if the sender can authenticate with a valid username and password. A spammer obtains a valid user ID and password by performing a brute-force attack against your mail server or launching some type of attack against your network. You can turn on Exchange's Diagnostics Logging and set the maximum value for MSExchangeTransport Categories, which will show you the user ID that was used to authenticate to the server. However, the Microsoft Management Console (MMC) Event Viewer snap-in doesn't usually display the spammer's IP address. You can obtain the address by performing a packet trap, as follows:

  1. Install Network Monitor on the Exchange server and begin a packet capture. (Of course, you must wait until the spammer authenticates to your server to obtain the spammer's IP address.) You might want to increase the capture-buffer size to make sure you don't lose any captured packet information. After the spammer authenticates to the server, you can stop the packet capture.
  2. Set a filter to TCP: Destination Port == 25, as Figure 5 shows. To do so, select Display, Filter and highlight the line Protocol == Any in the Display Filter window. Click the Edit Expression button, then click the Property tab. Scroll down in the Protocol Property window and double-click +TCP, then click Destination Port. Click == in the Relation window, select Decimal (below the Value window), enter a value of 25 (SMTP), and click OK.
  3. Find the Auth Login command. Examine the data in each SMTP packet until you reach a packet that contains Auth Login. In the top window, the Src Other Addr column displays the spammer's IP address. Although the IP address might be spoofed, you can at least block port 25 traffic that comes from this address to prevent the spammer from using it in the future. Better yet, disable Basic and Integrated Windows Authentication on any Internet-facing Exchange server to prevent users from authenticating to the mail server when sending mail.
  4. Find the username. In case you're wondering, the next command string in the TCP data field should contain the username and password that were used to authenticate to the server. However, these values are Base64 encoded, so you'll need to use a Base64 coder/decoder to decode them. Many Base64 coders/decoders are available on the Web—such as the one at http://www.dillfrog.com/tools/base-64_encode. (For practice, try using the Dillfrog decoder to decode the user ID c3BhbW1lcg== and the password cmVsYXk=. The decoded answers appear at the end of the article.) Of course, as I mentioned earlier, you can also increase the level of diagnostic logging on the Exchange server to view the user ID that was used to authenticate to your server.
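The following script is an added example, not part of the original article and not Microsoft code. It does in code what steps 2 through 4 do by hand in Network Monitor: keep only the segments bound for TCP port 25, pair each AUTH LOGIN command with the two Base64 lines that follow it, decode the credentials, and list the source addresses involved. The capture is a constructed list of (source IP, destination port, payload) tuples standing in for the segments a sniffer would show; every address and credential in it is made up except the article's two practice values. The decoder tolerates stripped "=" padding, and the parser also handles the inline-username form of AUTH LOGIN and the single-line AUTH PLAIN mechanism, which the article does not cover.

```python
"""
Added example: reconstruct SMTP AUTH attempts from a packet capture.
All addresses and credentials below are constructed for the example.
"""
import base64
import binascii
from typing import Dict, List, NamedTuple, Optional, Tuple

# (source IP, destination TCP port, TCP payload as text)
Segment = Tuple[str, int, str]

SMTP_PORT = 25


class AuthAttempt(NamedTuple):
    src_ip: str
    mechanism: str
    username: Optional[str]
    password: Optional[str]


# Constructed capture: a normal session from 192.0.2.10, an AUTH LOGIN
# from 198.51.100.7 (the article's practice values, with the username's
# "==" padding missing), an AUTH PLAIN from 203.0.113.5, and one HTTP
# segment that the port filter should drop.
SAMPLE_CAPTURE: List[Segment] = [
    ("192.0.2.10", 25, "EHLO mail.example.net\r\n"),
    ("192.0.2.10", 25, "MAIL FROM:<alice@example.net>\r\n"),
    ("198.51.100.7", 25, "EHLO relayprobe\r\n"),
    ("198.51.100.7", 25, "AUTH LOGIN\r\n"),
    ("198.51.100.7", 25, "c3BhbW1lcg\r\n"),   # username, padding stripped
    ("198.51.100.7", 25, "cmVsYXk=\r\n"),     # password
    ("198.51.100.7", 25, "MAIL FROM:<spammer@example.org>\r\n"),
    ("203.0.113.5", 25, "AUTH PLAIN AHNwYW1tZXIAcmVsYXk=\r\n"),  # "\0spammer\0relay"
    ("192.0.2.10", 80, "GET / HTTP/1.0\r\n"),  # not SMTP: filtered out
]


def decode_b64_lenient(token: str) -> Optional[str]:
    """Decode one Base64 token, re-adding '=' padding if it was stripped.
    Returns None when the token is not valid Base64."""
    token = token.strip()
    if not token:
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def smtp_port_filter(capture: List[Segment], port: int = SMTP_PORT) -> List[Segment]:
    """Step 2: keep only segments whose destination port is 25."""
    return [seg for seg in capture if seg[1] == port]


def find_auth_attempts(capture: List[Segment]) -> List[AuthAttempt]:
    """Steps 3 and 4: locate AUTH commands and decode the credentials.
    AUTH LOGIN sends username and password as two Base64 lines (the
    username may also ride on the AUTH line itself); AUTH PLAIN sends
    "\\0user\\0pass" as one Base64 blob."""
    attempts: List[AuthAttempt] = []
    awaiting: Dict[str, List[str]] = {}  # src_ip -> tokens seen so far for AUTH LOGIN
    for src, _dst_port, payload in smtp_port_filter(capture):
        line = payload.strip()
        upper = line.upper()
        if upper.startswith("AUTH LOGIN"):
            parts = line.split()
            awaiting[src] = parts[2:3]  # inline initial response, if present
        elif upper.startswith("AUTH PLAIN"):
            parts = line.split()
            blob = decode_b64_lenient(parts[2]) if len(parts) > 2 else None
            fields = blob.split("\0") if blob is not None else []
            if len(fields) == 3:
                attempts.append(AuthAttempt(src, "PLAIN", fields[1], fields[2]))
            else:
                attempts.append(AuthAttempt(src, "PLAIN", None, None))
            continue
        elif src in awaiting:
            awaiting[src].append(line)
        else:
            continue
        if src in awaiting and len(awaiting[src]) == 2:
            user_b64, pass_b64 = awaiting.pop(src)
            attempts.append(AuthAttempt(src, "LOGIN",
                                        decode_b64_lenient(user_b64),
                                        decode_b64_lenient(pass_b64)))
    return attempts


def suspicious_sources(attempts: List[AuthAttempt]) -> List[str]:
    """Step 3: the source addresses to consider blocking on port 25
    (they may be spoofed, as the article notes)."""
    return sorted({a.src_ip for a in attempts})


if __name__ == "__main__":
    found = find_auth_attempts(SAMPLE_CAPTURE)
    for a in found:
        print(f"{a.src_ip:15} AUTH {a.mechanism:5} user={a.username!r} pass={a.password!r}")
    print("sources to review:", suspicious_sources(found))
```

Run it as-is to see the two attempts and their source addresses; to use it on a real trace, replace SAMPLE_CAPTURE with segments exported from the analyzer and keep the port filter, which is what makes the AUTH lines stand out in the first place.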

Armed for Network Troubleshooting
Network Monitor is a handy network troubleshooting tool, but it requires some training and skill to obtain the greatest benefit. Become familiar with Network Monitor and the traffic on your network before you have an emergency, so that you can establish some network baselines and not have to fight a learning curve under stressful conditions. Network Monitor and other third-party network sniffers require expertise to quickly find and resolve problems. Get up to speed now to make the most of Network Monitor's capabilities.

Answers to decoding examples:
c3BhbW1lcg== decodes to spammer
cmVsYXk= decodes to relay

Resources
MICROSOFT ARTICLES
"How to Automate Network Captures with Network Monitor"
http://support.microsoft.com/?kbid=158744

WEB SITES
Dillfrog Base64 Encoder
http://www.dillfrog.com/tools/base-64_encode


Comments
  • Robert (Aug 31, 2004)

    Very informative article that I will use for monitoring our office network.
