- 04-09-2009 #1 Just Joined! (Join Date: Apr 2009, Posts: 3)
tcpdump and smtp
Hi,
I am trying to capture specific packets on a Mail Server based on the response code sent by the receiving Mail Server.
I am using this command:
tcpdump -i vlan21 port 25 and tcp[42:4] = 0x35353420
Basically, this is looking for any 554 responses from the mail server.
From what I can tell, I am trying to filter within the data portion of the packet, but I am not sure if that is possible. Any help is appreciated.
thanks
- 04-09-2009 #2 Just Joined! (Join Date: Apr 2009, Posts: 9)
Yes, it's OK to check a TCP payload value.
- 04-09-2009 #3 Just Joined! (Join Date: Apr 2009, Posts: 3)
Thanks for the response.
Do you have any ideas on why it is not working? I have verified the location of the response code and the actual code, and it seems like it should be capturing packets, but after I let it run for a while, it says 0 packets captured...
thanks
- 04-09-2009 #4 Just Joined! (Join Date: Apr 2009, Posts: 9)
I captured a small SMTP transaction and noticed the location of the result code from the beginning of the TCP header is 32 (hex 20), so it looks like the index was wrong in the filter. It is also 0x42 from the beginning of the packet; could that be where the confusion comes from? I captured traces and used tcpdump -r to debug my filter; you should be able to do that in Wireshark as well.
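The offset arithmetic in the reply above, as an added example that is not part of the original thread. It builds a constructed Ethernet/IPv4/TCP frame carrying an SMTP reply (addresses, ports and the reply text are made up) and evaluates tcpdump-style `tcp[off:size]` expressions over it in Python, so the three cases can be compared offline: `tcp[42:4]` (42 is the hex-dump frame offset 0x42 read as decimal) matches nothing; `tcp[32:4]` matches only when the TCP header is 32 bytes, as it is with the 12-byte timestamp option; and the header-length-aware form `tcp[((tcp[12]&0xf0)>>2):4]` from the pcap-filter manual matches regardless of options. The `FILTER_*` strings are the corresponding tcpdump expressions; `tcp src port 25` is used in the last one because `port 25` alone also matches client-to-server traffic.

```python
import struct

# Added example, not from the original thread. Builds a constructed frame and
# evaluates tcpdump "tcp[off:size]" expressions over it to show why tcp[42:4]
# matched nothing, why tcp[32:4] matched the poster's capture, and how to
# write a filter that does not depend on the TCP header length.

ETH_LEN = 14
# NOP, NOP, Timestamp(kind 8, len 10): 12 bytes, giving a 32-byte TCP header.
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x02"


def build_frame(payload: bytes, tcp_options: bytes = b"") -> bytes:
    """Constructed Ethernet II / IPv4 / TCP frame, source port 25 (the replying
    mail server). Addresses, ports and sequence numbers are arbitrary."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to 32-bit words"
    data_offset_words = 5 + len(tcp_options) // 4
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        25, 40000,               # src port 25, dst port (made up)
        1, 1,                    # seq, ack (arbitrary)
        data_offset_words << 4,  # data offset (header length in words), upper nibble of tcp[12]
        0x18,                    # flags: PSH|ACK
        65535, 0, 0,             # window, checksum (not computed), urgent pointer
    ) + tcp_options
    ip_total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, ip_total_len, 0, 0x4000, 64, 6, 0,  # IHL=5, DF, TTL 64, proto TCP
        bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]),
    )
    eth_hdr = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def tcp_header_start(frame: bytes) -> int:
    """Frame offset of tcp[0]: Ethernet header plus the IPv4 header length (IHL)."""
    ihl_bytes = (frame[ETH_LEN] & 0x0F) * 4
    return ETH_LEN + ihl_bytes


def tcp_index(frame: bytes, off: int, size: int):
    """Evaluate tcpdump's tcp[off:size] (size 1, 2 or 4) as an unsigned int.
    Returns None when the bytes lie beyond the packet, which is why a
    mis-positioned filter silently matches nothing instead of erroring."""
    assert size in (1, 2, 4)
    start = tcp_header_start(frame) + off
    chunk = frame[start:start + size]
    if len(chunk) < size:
        return None
    return int.from_bytes(chunk, "big")


def tcp_payload_offset(frame: bytes) -> int:
    """Payload start relative to the TCP header: tcpdump's ((tcp[12]&0xf0)>>2)."""
    return (tcp_index(frame, 12, 1) & 0xF0) >> 2


def frame_payload_offset(frame: bytes) -> int:
    """Payload start counted from the frame start, the number a hex dump shows
    (0x42 = 66 for 14-byte Ethernet + 20-byte IP + 32-byte TCP)."""
    return tcp_header_start(frame) + tcp_payload_offset(frame)


def smtp_reply_code(frame: bytes):
    """(code, is_final) for an SMTP reply at the payload start, or None.
    "554 " is a final reply line; "554-" continues a multi-line reply, so a
    filter on the four bytes 0x35353420 sees only the last line of one."""
    word = tcp_index(frame, tcp_payload_offset(frame), 4)
    if word is None:
        return None
    raw = word.to_bytes(4, "big")
    if not raw[:3].isdigit() or raw[3:4] not in (b" ", b"-"):
        return None
    return int(raw[:3]), raw[3:4] == b" "


# tcpdump expressions corresponding to the checks above.
FILTER_POSTED = "port 25 and tcp[42:4] = 0x35353420"  # the thread's original
FILTER_FIXED = "port 25 and tcp[32:4] = 0x35353420"   # only for a 32-byte TCP header
FILTER_ROBUST = "tcp src port 25 and tcp[((tcp[12]&0xf0)>>2):4] = 0x35353420"


if __name__ == "__main__":
    reply = b"554 5.7.1 Relay access denied\r\n"  # constructed sample reply
    for name, f in (("with timestamp option", build_frame(reply, TS_OPTIONS)),
                    ("no options", build_frame(reply))):
        print("%s: payload at tcp[%d], frame offset 0x%02x" %
              (name, tcp_payload_offset(f), frame_payload_offset(f)))
        print("  tcp[42:4] match:", tcp_index(f, 42, 4) == 0x35353420,
              " tcp[32:4] match:", tcp_index(f, 32, 4) == 0x35353420,
              " header-aware:", smtp_reply_code(f))
```

Run it to see the two frames side by side: the fixed offset 32 works only while every server reply carries the same 12 bytes of options, while the `tcp[12]`-derived offset follows the header length. Debugging a byte-offset filter is easiest the way the reply suggests: capture to a file with `-w`, then iterate with `tcpdump -r file -X 'filter'` until the hex dump shows the bytes you expect at the offset you computed.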
- 04-09-2009 #5 Just Joined! (Join Date: Apr 2009, Posts: 3)
That was it! Thanks for the help. It didn't occur to me to point the filter based on the TCP header location.