Ethereal-users: [Ethereal-users] SMTP; filtering out message body; capture vs. read filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "The Rythmic One" <rhythmic1@xxxxxxxxx>
Date: Sat, 6 Jul 2002 16:49:02 -0400
Hi folks,

I have been playing with tethereal on OpenBSD for some time now and am
having a specific problem I'm hoping someone can help me solve.  In order to
help track incoming Spam to my company's domain, I have tethereal sniffing
SMTP traffic so I can more easily review incoming (and outgoing) sessions
using standard Unix utils like grep, etc.  This is more efficient than
relying on the Windows-based Exchange logs which we are stuck with for the
time being.

Anyhow, there are two problems...

1)  I really don't care about the message bodies (and they can obviously
take up significant space), just the initial session info such as HELO or
EHLO, MAIL FROM, RCPT TO.  However, the only supplied read filters for SMTP
are smtp.req and smtp.rsp which are of type boolean.  This would suggest
there isn't a way to look inside the SMTP protocol and filter more finely.
Is this correct?  As a workaround I've tried piping output through grep
first before going to a file.  This has worked in some tests, but with weird
results.  For instance, no output occurs in the file until tethereal is
killed, and then only in SOME of my tests.  Here is an example:

    tethereal -l -n -t ad -s 110 -R ' smtp.req or smtp.rsp ' | grep -v 'SMTP Message Body' > today &

The above worked (sort of) but not seemingly in real time and something is
going on with the buffering that I can't explain.  The man page suggests
the -l option is useful for piping tethereal output to another command but
doesn't say much more about how that works.  Why wouldn't the above filter
put output in file today as email traffic happened?

Conversely, the following works every time, but with large and unneeded
DATA/Message Body lines:

    tethereal -l -n -t ad -s 110 -R ' smtp.req or smtp.rsp ' > today &

The unfortunate side effect being that:

2)  tethereal dumps core, presumably at times of heavy traffic.  I've read
that capture filters are more efficient than read filters, but the
ethereal/tcpdump documentation only discussed capture filters with regard to
core IP protocols such as IP, TCP, UDP, ICMP, ARP, etc.

Could a capture filter be used to accomplish what we need?  If so, how
would that work?  Also, could tethereal be dumping core for another reason?

Thanks in advance for any help!
- Dave
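An added example, not part of this post or of the Ethereal project: a small POSIX shell filter for the first problem above, keeping only the HELO/EHLO, MAIL FROM and RCPT TO lines from a one-line-per-packet tethereal summary and flushing each kept line as it is written. The summary lines are constructed for this example (an approximation of the `-t ad` format, not captured output); when grep's stdout is a file, stdio fully buffers it, which is consistent with the file staying empty until the pipeline is killed, so awk's fflush() is used instead of relying on grep.

```shell
#!/bin/sh
# Added example: keep only SMTP envelope lines (HELO/EHLO, MAIL FROM, RCPT TO)
# from tethereal's one-line-per-packet summary output, flushing every kept
# line immediately so the output file grows as traffic arrives.

# Constructed sample of summary lines (an approximation of tethereal -t ad
# output built for this example, not real captured traffic).
SAMPLE_SUMMARY='2002-07-06 16:49:02.100000 192.0.2.10 -> 192.0.2.20 SMTP Command: EHLO mail.example.net
2002-07-06 16:49:02.200000 192.0.2.20 -> 192.0.2.10 SMTP Response: 250-mail.example.com
2002-07-06 16:49:02.300000 192.0.2.10 -> 192.0.2.20 SMTP Command: MAIL FROM:<sender@example.net>
2002-07-06 16:49:02.400000 192.0.2.10 -> 192.0.2.20 SMTP Command: RCPT TO:<user@example.com>
2002-07-06 16:49:02.500000 192.0.2.10 -> 192.0.2.20 SMTP Command: DATA
2002-07-06 16:49:02.600000 192.0.2.10 -> 192.0.2.20 SMTP Message Body
2002-07-06 16:49:02.700000 192.0.2.10 -> 192.0.2.20 SMTP Message Body
2002-07-06 16:49:02.800000 192.0.2.10 -> 192.0.2.20 SMTP Command: QUIT'

# filter_smtp_envelope: read summary lines on stdin and print only the
# envelope commands.  fflush() pushes each match out right away; a plain
# grep writing to a file is fully buffered by stdio and releases nothing
# until its buffer fills or it exits.
filter_smtp_envelope() {
    awk '/SMTP Command: (HELO|EHLO|MAIL FROM|RCPT TO)/ { print; fflush() }'
}

# count_envelope_lines: run the filter over the constructed sample and
# return how many lines survive (used to check the filter below).
count_envelope_lines() {
    printf '%s\n' "$SAMPLE_SUMMARY" | filter_smtp_envelope | wc -l | tr -d ' '
}

# Intended use in place of the grep stage from the post:
#   tethereal -l -n -t ad -s 110 -R 'smtp.req or smtp.rsp' | filter_smtp_envelope > today &
```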