On Oct 19, 2008, at 2:55 AM, Ariel Burbaickij wrote:
> Now, I want to get only SMTP traffic from my monitoring interface that
> flows inside GTP tunnel -- do you say that something like gtp&&smtp
> should work towards this end?

It will work to the extent that, if the traffic weren't tunneled
inside GTP, just "smtp" would have worked.

For example, if an SMTP request or reply is split over multiple TCP
segments, and reassembly is being done, I'm not sure it'd work in
either case, as all but the last TCP segment would probably be
dissected only as TCP, not as SMTP, and would not be matched by the
filter "smtp". That's not a tunneling issue, however.