Ethereal-users: Re: [Ethereal-users] SMTP; filtering out message body; capture vs. read filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sun, 14 Jul 2002 01:30:35 -0700

On Sun, Jul 07, 2002 at 03:05:23PM -0700, Guy Harris wrote:
> On Sat, Jul 06, 2002 at 04:49:02PM -0400, The Rythmic One wrote:
> > 1)  I really don't care about the message bodies (and they can obviously
> > take up significant space), just the initial session info such as HELO or
> > EHLO, MAIL FROM, RCPT TO.  However, the only supplied read filters for SMTP
> > are smtp.req and smtp.rsp which are of type boolean.  This would suggest
> > there isn't a way to look inside the SMTP protocol and filter more finely.
> > Is this correct?
> 
> It's correct in that there's no way in the current Ethereal SMTP
> dissector to do that.  It might, however, be possible to put more
> filterable fields into the dissector.

I've added more filterable fields, and have also fixed the SMTP
dissector to put "smtp.req" into the tree only for packets that contain
request lines, and put "smtp.rsp" into the tree only for packets that
contain reply lines, and not put either into the tree for packets that
contain only a message body or EOM.

So, the next Ethereal release that comes out should let you use

	smtp.req or smtp.rsp

as a capture filter to avoid seeing the message body.

(You will, of course, have to upgrade from the hoary old 0.8.14 to do
that.)
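
Added example, not part of the original message and not Ethereal's dissector code: a small Python sketch of the classification the message describes, labelling each SMTP payload as a request line, a reply line, message body, or EOM, and then keeping only what `smtp.req or smtp.rsp` would match. The function names, the `(direction, payload)` packet representation, and the sample session are assumptions made for illustration; it assumes no command pipelining.

```python
# Constructed sample session: (direction, payload); "c" = client to server, "s" = server to client.
SESSION = [
    ("s", b"220 mail.example.test ESMTP\r\n"),
    ("c", b"EHLO client.example.test\r\n"),
    ("s", b"250-mail.example.test\r\n250 OK\r\n"),
    ("c", b"MAIL FROM:<alice@example.test>\r\n"),
    ("s", b"250 OK\r\n"),
    ("c", b"RCPT TO:<bob@example.test>\r\n"),
    ("s", b"250 OK\r\n"),
    ("c", b"DATA\r\n"),
    ("s", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    # Body text that looks like a command must still be treated as body.
    ("c", b"Subject: hi\r\n\r\nRCPT TO:<not-a-command@example.test>\r\n"),
    ("c", b".\r\n"),
    ("s", b"250 Queued\r\n"),
    ("c", b"QUIT\r\n"),
    ("s", b"221 Bye\r\n"),
]

def classify_session(packets):
    """Label each payload 'req', 'rsp', 'body' or 'eom' by tracking DATA state."""
    labels = []
    data_pending = False   # client sent DATA, waiting for the server's 354
    in_data = False        # server accepted DATA; client payloads are body
    tail = b""             # last bytes of the body stream, to spot a split terminator
    for direction, payload in packets:
        if direction == "s":
            labels.append("rsp")
            if data_pending:
                in_data = payload.startswith(b"354")
                data_pending = False
                tail = b"\r\n"          # body starts at the beginning of a line
        elif in_data:
            labels.append("eom" if payload == b".\r\n" else "body")
            tail = (tail + payload)[-5:]
            if tail.endswith(b"\r\n.\r\n"):
                in_data = False         # terminator seen, back to command mode
        else:
            labels.append("req")
            data_pending = payload.strip().upper() == b"DATA"
    return labels

def drop_bodies(packets):
    """Keep only request and reply payloads (HELO/EHLO, MAIL FROM, RCPT TO, replies)."""
    labels = classify_session(packets)
    return [p for p, label in zip(packets, labels) if label in ("req", "rsp")]
```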