Post date: May 6, 2011 7:51:01 AM
This is a basic set of instructions that Joel Smith has shared with us outlining his method:
On your gateway:
tcpdump -n -p -i eth0 not port 80 and not port 443 and not port 22
(add a further "and not port N" for any other ports you expect to see traffic on).
See if there is anything on port 25 going where you wouldn't expect. Or look for many sequential connections to random or sequential IP addresses, typically with the same port or a range of ports. For example, random IP addresses in the 192.168.X.X range with ports relating to Microsoft Windows services, such as 137, 139 and 445.
Then, once you have isolated what appears to be a lot of traffic, run the same command again, substituting the tunnel interface:
tcpdump -n -p -i tun0 not port 80 and not port 443 and not port 22
(or tun1 etc.) for the tunneled connections from your other meshboxes.
Once you have worked out which one has the traffic, SSH to that box and run
tcpdump -n -p -i wlan0 not port 80 and not port 443 and not port 22
to see which individual machine it is coming from.
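
The "many connections to random or sequential IP addresses on the same port" pattern is hard to spot by eye in raw tcpdump output, so the following added example (not part of Joel Smith's original instructions) counts distinct destination addresses per source and port. The function names, the threshold and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads `tcpdump -n` text on stdin and prints
#   <source IP> <destination port> <distinct destination IPs>
# for each source that contacted at least MIN addresses on one port.
fanout_report() {
    min="${1:-5}"   # assumed default threshold; tune for your network
    awk -v min="$min" '
        $2 != "IP" { next }                 # skip ARP, IPv6 and other lines
        {
            dst = $5
            sub(/:$/, "", dst)              # "192.168.4.1.445:" -> no colon
            ns = split($3, s, ".")
            nd = split(dst, d, ".")
            if (ns != 5 || nd != 5) next    # no port present (e.g. ICMP)
            src   = s[1] "." s[2] "." s[3] "." s[4]
            dstip = d[1] "." d[2] "." d[3] "." d[4]
            key   = src " " d[5]
            if (!((key, dstip) in seen)) {  # count each destination once
                seen[key, dstip] = 1
                fanout[key]++
            }
        }
        END { for (k in fanout) if (fanout[k] >= min) print k, fanout[k] }
    ' | sort -k3,3nr -k1,1 -k2,2n
}

# Constructed sample capture (not real traffic): one host probing port 445
# on six addresses, one host talking to a single mail server, plus noise.
sample_capture() {
    for i in 1 2 3 4 5 6 1; do   # trailing 1 repeats a destination
        echo "07:51:0$i.000001 IP 10.130.1.23.40111 > 192.168.4.$i.445: Flags [S], length 0"
    done
    cat <<'EOF'
07:51:08.000001 IP 10.130.1.40.50022 > 203.0.113.9.25: Flags [S], length 0
07:51:08.100001 IP 10.130.1.40.50022 > 203.0.113.9.25: Flags [.], length 0
07:51:09.000001 ARP, Request who-has 10.130.1.1 tell 10.130.1.23, length 28
07:51:09.100001 IP 10.130.1.40 > 10.130.1.1: ICMP echo request, id 1, seq 1, length 64
EOF
}

# Live use on the gateway: -c (a standard tcpdump option) bounds the capture
# so awk reaches END, e.g.
#   tcpdump -n -p -c 2000 -i eth0 not port 80 and not port 443 and not port 22 | fanout_report 20
sample_capture | fanout_report 5
```

Running it with a threshold of 1 lists every source and destination port seen, which also shows any host sending to port 25.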