Ethereal-users: Re: [Ethereal-users] display filter for pop3?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 06 Mar 2006 03:45:51 -0800
Agryppa wrote:

> I get it now. This is how I proceeded:
>
> Display filter: pop contains USER or pop contains RETR
>
> Such a display filter gives me every polling POP transmission and also
> those with the RETR command. How could one exclude those transmissions that did not have a RETR command in them?

What do you mean by a "transmission"?

If you mean a POP *session*, then see my previous reply:

It will not, for example, find a POP *conversation* that contains both a USER command and a RETR command ("USER" is a command, not a field), unless the USER and RETR commands are in the *same TCP segment*. There is nothing in Ethereal's display filter mechanism to handle matching conversations rather than individual packets.

Filtering works on *individual packets*, not on *sessions*. In the case of POP, an individual packet would be an individual TCP segment. It is, I think, unlikely that a single TCP segment would contain a USER command *and* a RETR command, so a filter such as

	pop contains USER and pop contains RETR

probably will find nothing. It won't find a POP session with a USER command in one TCP segment and a RETR command in another TCP segment, because it's not searching for a POP session with a USER command in one TCP segment in the session and a RETR command in the same or some other TCP segment in the session; it's searching for a POP session with a USER command and a RETR command in the *same* TCP segment (by design).

If by a "transmission" you mean a single TCP segment, the way to exclude TCP segments not containing RETR is to include only TCP segments containing RETR:

	pop contains RETR

That will, of course, not include TCP segments containing USER but not containing RETR, but if by "transmission" you mean "single TCP segment", then by "exclude those transmissions that did not have a RETR command in them" you must mean "exclude TCP segments that did not have a RETR command in them", and thus TCP segments containing USER but not containing RETR should be excluded.

> Perhaps I should rather look for a solution in the capture filter, instead? Currently "tcp port pop3 or tcp port smtp"

Capture filters can't look for strings at arbitrary positions in a packet. You could try matching for strings in *particular* positions; there is, I think, a tutorial somewhere on the Web giving examples of how to do that, but I don't remember where it is.

However, capture filters work on individual packets, too, so you can't filter out conversations that don't contain both a USER and a RETR command with a capture filter, any more than you can do so with a display filter.
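The two points Guy makes above (a display filter sees one TCP segment at a time, and a capture filter can only compare bytes at a fixed offset) are easy to misread without seeing them side by side. The following is an added example, not code from the thread or from the Ethereal project. It uses a constructed POP exchange split into TCP segments, with a made-up stream id standing in for what a TCP reassembler (such as Wireshark's `tcp.stream` field) would assign, and contrasts per-packet `contains` matching with per-session matching. It also shows, in Python, exactly what the well-known tcpdump idiom `tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x52455452` does: it reads the TCP data offset and compares four bytes at the start of the payload, so "RETR" is found only when it is the first thing in the segment.

```python
"""Per-packet versus per-session matching of POP commands.

Added example, not part of the original mailing-list thread. All traffic
below is constructed; the stream ids are assumed, standing in for the
index a TCP reassembler (e.g. Wireshark's tcp.stream) would assign.
"""
import struct
from collections import defaultdict

# Constructed traffic: (tcp_stream_id, tcp_payload). Stream 0 logs in and
# retrieves a message; stream 1 only polls (USER/PASS/STAT/QUIT, no RETR).
SEGMENTS = [
    (0, b"+OK POP3 server ready\r\n"),
    (0, b"USER alice\r\n"),
    (0, b"+OK\r\n"),
    (0, b"PASS secret\r\n"),
    (0, b"+OK Logged in.\r\n"),
    (0, b"STAT\r\n"),
    (0, b"+OK 2 1024\r\n"),
    (0, b"RETR 1\r\n"),
    (0, b"+OK 512 octets\r\nSubject: hi\r\n\r\nbody\r\n.\r\n"),
    (1, b"USER bob\r\n"),
    (1, b"+OK\r\n"),
    (1, b"PASS hunter2\r\n"),
    (1, b"STAT\r\n"),
    (1, b"+OK 0 0\r\n"),
    (1, b"QUIT\r\n"),
]


def packet_filter(segments, *needles):
    """What a display filter such as 'pop contains USER and pop contains RETR'
    does: evaluate each segment on its own. Returns the matching indices."""
    return [i for i, (_, payload) in enumerate(segments)
            if all(needle in payload for needle in needles)]


def session_filter(segments, *needles):
    """Session-level matching that the display filter cannot express:
    concatenate the payload of every segment in a stream, then require every
    needle somewhere in that stream. Returns the matching stream ids."""
    by_stream = defaultdict(bytes)
    for stream, payload in segments:
        by_stream[stream] += payload
    return sorted(stream for stream, data in by_stream.items()
                  if all(needle in data for needle in needles))


def build_segment(payload, options=b""):
    """Constructed TCP segment (header + options + payload) for the
    capture-filter demo. The data offset field is derived from the option
    length, as a real stack would set it."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset_words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH",
                         51234, 110,               # source port, POP3 port
                         1, 1,                     # seq, ack (arbitrary)
                         data_offset_words << 4,   # data offset in high nibble
                         0x18,                     # flags: PSH, ACK
                         65535, 0, 0)              # window, checksum, urgent
    return header + options + payload


def payload_starts_with(segment, needle):
    """What a capture (BPF) filter can do: compare bytes at a *fixed* position.
    This mirrors the tcpdump idiom
        tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x52455452
    which tests for 'RETR' at the very start of the TCP payload, locating the
    payload through the data-offset nibble in byte 12 of the TCP header. It
    cannot find the string anywhere else in the segment."""
    data_offset = (segment[12] & 0xF0) >> 2     # TCP header length in bytes
    return segment[data_offset:data_offset + len(needle)] == needle


if __name__ == "__main__":
    print("per packet, USER and RETR:", packet_filter(SEGMENTS, b"USER", b"RETR"))
    print("per packet, RETR:", packet_filter(SEGMENTS, b"RETR"))
    print("per session, USER and RETR:", session_filter(SEGMENTS, b"USER", b"RETR"))
    print("RETR at payload start:",
          payload_starts_with(build_segment(b"RETR 1\r\n"), b"RETR"))
    print("RETR with TCP options present:",
          payload_starts_with(build_segment(b"RETR 1\r\n", b"\x01" * 11 + b"\x00"), b"RETR"))
    print("RETR later in payload:",
          payload_starts_with(build_segment(b"STAT\r\nRETR 1\r\n"), b"RETR"))
```

`session_filter` is the post-processing step a practitioner ends up doing by hand: in current tshark (Ethereal's successor), run the display filter `pop contains RETR` with `-T fields -e tcp.stream` to collect the stream numbers, then apply `tcp.stream == N` to see each whole session, including the earlier segment that carried USER. This is an assumed workflow with a modern tool, not something the 2006 thread describes. `payload_starts_with` is only as good as the position you pick: a pipelined client that sends "STAT\r\nRETR 1\r\n" in one segment, or a RETR preceded by anything else, is missed by the offset-based capture filter, which is the limitation Guy points to.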