tcpdump and smtp
I am trying to capture specific packets on a Mail Server based on the response code sent by the receiving Mail Server.
I am using this command:
tcpdump -i vlan21 port 25 and tcp[42:4] = 0x35353420
Basically, this is looking for any 554 responses from the mail server.
From what I can tell, I am trying to filter within the data portion of the packet, but I am not sure if that is possible. Any help is appreciated.
Yes, it's ok to check tcp payload value.
Thanks for the response.
Do you have any ideas on why it is not working? I have verified the location of the response code and the actual code, and it seems like it should be capturing packets, but after I let it run for a while, it says 0 packets captured...
I captured a small SMTP transaction and noticed the location of the result code from the beginning of the TCP header is 32 (hex 20), so it looks like the index was wrong in the filter. It is also 0x42 from the beginning of the packet; could that be where the confusion comes from? I captured traces and used tcpdump -r to debug my filter; you should be able to do that in Wireshark as well.
That was it! Thanks for the help. It didn't occur to me to point the filter based on the TCP header location.
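The offsets discussed in this thread, worked through in code. This is an added example, not something either poster supplied: it builds two constructed Ethernet/IPv4/TCP frames carrying a "554" SMTP reply (one with a 12-byte TCP timestamp option, one with no options), emulates tcpdump's tcp[off:4] access the way BPF indexes it (relative to the start of the TCP header), and shows why tcp[42:4] never matched, why tcp[32:4] matched on this host, and why a filter that reads the header length from tcp[12] matches regardless of options. The addresses, ports and option bytes are made-up sample values.

```python
import struct

# Constructed sample data for this example, not captured traffic.
RESPONSE_554 = b"554 5.7.1 Relay access denied\r\n"
RESPONSE_250 = b"250 OK\r\n"
# NOP, NOP, timestamp (kind 8, length 10): 12 bytes of options, common on Linux hosts.
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8

# The filter the thread ends up needing: header length taken from the data-offset
# field, so the payload index is right whether or not TCP options are present.
DYNAMIC_FILTER = "port 25 and tcp[((tcp[12] & 0xf0) >> 2):4] = 0x35353420"


def build_frame(tcp_options: bytes, payload: bytes) -> bytes:
    """Ethernet II + IPv4 (no IP options) + TCP header + payload, with a correct data offset."""
    tcp_hdr_len = 20 + len(tcp_options)
    if tcp_hdr_len % 4:
        raise ValueError("TCP options must pad the header to a multiple of 4 bytes")
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + tcp_hdr_len + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_offset_byte = (tcp_hdr_len // 4) << 4             # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH",
                      25, 40000, 1, 1, data_offset_byte, 0x18, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload


def tcp_header_start(frame: bytes) -> int:
    """Absolute offset of the TCP header: Ethernet (14) plus IP header length from IHL."""
    return 14 + (frame[14] & 0x0F) * 4


def tcp_slice(frame: bytes, off: int, n: int):
    """Emulate BPF tcp[off:n]: bytes at 'off' relative to the TCP header start.
    Returns None when the access runs past the packet, which BPF treats as no match."""
    start = tcp_header_start(frame) + off
    if start + n > len(frame):
        return None
    return frame[start:start + n]


def payload_offset(frame: bytes) -> int:
    """TCP header length in bytes, i.e. what (tcp[12] & 0xf0) >> 2 evaluates to."""
    return (frame[tcp_header_start(frame) + 12] & 0xF0) >> 2


def fixed_filter_matches(frame: bytes, off: int) -> bool:
    """tcp[off:4] = 0x35353420 with a hard-coded offset, as in the original command."""
    return tcp_slice(frame, off, 4) == b"554 "


def dynamic_filter_matches(frame: bytes) -> bool:
    """tcp[((tcp[12] & 0xf0) >> 2):4] = 0x35353420."""
    return tcp_slice(frame, payload_offset(frame), 4) == b"554 "


if __name__ == "__main__":
    with_opts = build_frame(TS_OPTION, RESPONSE_554)
    no_opts = build_frame(b"", RESPONSE_554)
    for name, frame in (("with options", with_opts), ("no options", no_opts)):
        print(f"{name}: payload at tcp[{payload_offset(frame)}], "
              f"absolute 0x{tcp_header_start(frame) + payload_offset(frame):02x}, "
              f"tcp[42:4]={fixed_filter_matches(frame, 42)} "
              f"tcp[32:4]={fixed_filter_matches(frame, 32)} "
              f"dynamic={dynamic_filter_matches(frame)}")
```

The 0x42 (66) in the answer is 14 bytes of Ethernet plus 20 of IP plus a 32-byte TCP header, which is why a decimal index of 42 relative to the TCP header lands in the middle of the reply text rather than on the status code. The data-offset form in DYNAMIC_FILTER is the usual way to express this in tcpdump when the peer's TCP options are not known in advance.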