On Fri, Jun 09, 2006 at 02:56:15PM -0600, David Peat wrote:
>
> I need to create a post-filter to look at SMTP traffic that has BOTH the
> sender and recipient with the same domain name.
This is not easily possible with ethe^H^H^H^Hwireshark. The display
filters work on single packets and not on TCP sessions. Since the SMTP
protocol is a command-response protocol, the sender address (in the
MAIL FROM: command) is in one packet and the recipient address (in
the RCPT TO: command) is in another packet.
What you could use is MATE (see http://wiki.wireshark.org/Mate); with
MATE you can define which packets relate to each other. You can then
add fields (like sender and recipient) and filter on them.
There is also Lua, a scripting language inside Wireshark, but I have
not yet used that myself...
Of course you could also do some shell-scripting around tshark... :)
I hope this helps :)
Cheers, Sake
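As an added illustration of the "shell-scripting around tshark" route (this is not code from the original thread or from the Wireshark project), the script below takes the per-packet field output of tshark, stitches the MAIL FROM and RCPT TO commands back together per TCP stream, and reports the transactions whose sender and at least one recipient share a domain. It assumes the field names `tcp.stream`, `smtp.req.command` and `smtp.req.parameter` as found in current Wireshark builds, that the SMTP dissector splits `MAIL FROM:<a@b>` into command `MAIL` and parameter `FROM:<a@b>`, and that `-Y` is the display-filter option of the tshark in use (older versions used `-R`); the sample input is constructed by hand, not taken from a real capture. It also handles the cases a per-packet filter cannot: several transactions on one connection (after RSET), the null sender `<>` used by bounces, and mixed-case domains.

```python
"""Correlate SMTP MAIL FROM / RCPT TO across packets using tshark's
per-stream field output, then flag transactions whose sender and a
recipient share a domain.  Added example, not from the original thread."""
import re
import sys
from collections import namedtuple

# Assumed tshark invocation (field names as in current Wireshark builds):
#   tshark -r mail.pcap -Y "smtp.req.command" -T fields \
#          -e tcp.stream -e smtp.req.command -e smtp.req.parameter
# The dissector is assumed to split "MAIL FROM:<a@b>" into command "MAIL"
# and parameter "FROM:<a@b>".  Constructed sample output (tab separated),
# not a real capture:
SAMPLE_TSHARK_OUTPUT = """\
0\tEHLO\tclient.example.org
0\tMAIL\tFROM:<Alice@Example.org> SIZE=1234
0\tRCPT\tTO:<bob@example.org>
0\tRCPT\tTO:<carol@other.net>
0\tDATA\t
0\tRSET\t
0\tMAIL\tFROM:<alice@example.org>
0\tRCPT\tTO:<dave@other.net>
1\tMAIL\tFROM:<eve@attacker.test>
1\tRCPT\tTO:<victim@example.org>
2\tMAIL\tFROM:<>
2\tRCPT\tTO:<postmaster@example.org>
"""

Transaction = namedtuple("Transaction", "stream sender recipients")

_ADDR_RE = re.compile(r"<([^>]*)>")


def parse_address(parameter):
    """Extract the path from 'FROM:<x>' / 'TO:<x>'.  Returns '' for the
    null sender <>, and tolerates clients that omit the angle brackets."""
    m = _ADDR_RE.search(parameter)
    if m:
        return m.group(1).strip()
    _, _, rest = parameter.partition(":")
    rest = rest.strip()
    return rest.split(" ")[0] if rest else None


def domain_of(address):
    """Lower-cased domain part; None for the null sender or anything
    without an '@', so those never produce a same-domain match."""
    if not address or "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def correlate(tshark_output):
    """Rebuild SMTP transactions from per-packet field lines.  Each MAIL
    command opens a new transaction on its TCP stream; RCPT commands attach
    recipients to the open transaction; RSET/QUIT close it."""
    open_tx = {}        # stream id -> transaction currently being built
    transactions = []
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (3 - len(parts))          # pad commands w/o parameter
        stream, command, parameter = parts[0], parts[1].upper(), parts[2]
        if command == "MAIL":
            tx = Transaction(stream, parse_address(parameter), [])
            open_tx[stream] = tx
            transactions.append(tx)
        elif command == "RCPT" and stream in open_tx:
            rcpt = parse_address(parameter)
            if rcpt:
                open_tx[stream].recipients.append(rcpt)
        elif command in ("RSET", "QUIT"):
            open_tx.pop(stream, None)
    return transactions


def same_domain_matches(transactions):
    """Transactions where at least one recipient shares the sender's
    domain, as (stream, sender, [matching recipients])."""
    hits = []
    for tx in transactions:
        sender_domain = domain_of(tx.sender)
        if sender_domain is None:
            continue
        matching = [r for r in tx.recipients if domain_of(r) == sender_domain]
        if matching:
            hits.append((tx.stream, tx.sender, matching))
    return hits


if __name__ == "__main__":
    # Pipe real tshark output in, or run without input to use the sample.
    data = SAMPLE_TSHARK_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for stream, sender, rcpts in same_domain_matches(correlate(data)):
        print(f"stream {stream}: {sender} -> {', '.join(rcpts)}")
```

Feed it with `tshark ... | python3 smtp_same_domain.py`; on the sample it reports only stream 0's first transaction (Alice@Example.org to bob@example.org), since the bounce with the null sender and the cross-domain messages do not qualify. Note that tshark numbers TCP streams per capture file, so streams from different files must be correlated separately.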