Wireshark · Ethereal-users: Re: [Ethereal-users] tcpdump lines to use when capturing

Ethereal-users: Re: [Ethereal-users] tcpdump lines to use when capturing

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Fri, 09 May 2003 06:32:58 -0400

To capture SMTP traffic without pulling in *most of the message data:

port 25 and (tcp[12] & 0xf0>0x50 or tcp[13] & 0x07 != 0 or tcp[20:4] =0x48454C4F or tcp[20:4] = 0x4D41494C or tcp[20:4] = 0x52435054 or tcp[20:4]= 0x44415441 or tcp[20:4] = 0x52534554 or tcp[20:4] = 0x53454E44 ortcp[20:4] = 0x534F4D4C or tcp[20:4] = 0x53414D4C or tcp[20:4] = 0x56524659or tcp[20:4] = 0x4558504E or tcp[20:4] = 0x4E4F4F50 or tcp[20:4] =0x51554954 or tcp [20:4] = 0x5455524E or tcp[20:4] = 0x32323120 ortcp[20:4] = 0x32323420 or tcp[20:4] = 0x32353020 or tcp[20:4] = 0x32353120or tcp[20:4] = 0x33353420 or tcp[20:4] = 0x34323120 or tcp[20:4] =0x34353020 or tcp[20:4] = 0x34353120 or tcp[20:4] = 0x34353220 or tcp[20:4]= 0x35303020 or tcp[20:4] = 0x35303120 or tcp[20:4] = 0x35303220 ortcp[20:4] = 0x35303320 or tcp[20:4] = 0x35303420 or tcp[20:4] = 0x35353020or tcp[20:4] = 0x35353120 or tcp[20:4] = 0x35353220 or tcp[20:4] =0x35353320 or tcp[20:4] = 0x35353420)

*This filter captures SMTP commands and response codes, connectioninitiation and teardown as well as tcp segments with options.

It is a generally suitable filter for use where the sender/receipient'sprivacy (message body) should be respected and to minimize the amount ofdata captured.


Hope this helps,
Mike

References:
- [Ethereal-users] tcpdump lines to use when capturing
  - From: cplusplus

Prev by Date: RE: [Ethereal-users] Problem with Linux crashing
Next by Date: [Ethereal-users] H323 RAS traffic
Previous by thread: Re: [Ethereal-users] tcpdump lines to use when capturing
Next by thread: [Ethereal-users] MAPI decode / GLIB Error
Index(es):
- Date
- Thread