Wireshark-users: Re: [Wireshark-users] Yum install centos 5.2

From: Mike Brandonisio <mbrando@xxxxxxxxxxxxxx>
Date: Sun, 11 Oct 2009 19:04:47 -0500
Hi Guy,

I think this will work. I will run this for a while:

    tshark -f "port 25 and src host 74.xx.xx.xx" > 091010-smtp-traffic

and then just:
    grep "EHLO" 091010-smtp-traffic
    grep "HELO" 091010-smtp-traffic
That will work fine.

Thank you for your help on this.
Sincerely,
Mike
-- 
Mike Brandonisio          *    Web Hosting / Development
Tech One Illustration     *    Internet Marketing
tel (630) 759-9283 x1001  *    e-Commerce
mbrando@xxxxxxxxxxxxxx    *    www.jikometrix.net

    JIKOmetrix - Reliable web hosting


Guy Harris wrote:
On Oct 11, 2009, at 3:01 PM, Mike Brandonisio wrote:

  
This is the output I'm getting

 0.090293 74.xx.xx.xx -> 64.xx.xx.xx   SMTP C: EHLO host22.example.com

That is exactly what I'm looking for.

How can I can narrow the filter only those that contain 'SMTP'?
    
"Contain 'SMTP'" in what sense?  Port 25 traffic normally "contains  
SMTP" in the sense that the traffic going to or from TCP port 25 is  
almost always SMTP traffic (nothing absolutely *prevents* non-SMTP  
traffic to be sent on port 25, but it's not usually done.

Or do you mean "only those that contain 'HELO' or 'EHLO'"?  That's  
trickier, but it should be possible, even with a capture filter - you  
want TCP segments where the payload begins with "HELO" or "EHLO".

If there are no TCP options, then

	tcp[20:4] = 0x48454c4f or tcp[20:4] = 0x45484c4f

will match all segments beginning with HELO or EHLO, so

	tcp port 25 and src host 74.xx.xx.xx and (tcp[20:4] = 0x48454c4f or  
tcp[20:4] = 0x45484c4f)

should work as a capture filter.  If there are TCP options, it'd be a  
little more complicated, as "20" would have to be replaced by the  
length of the TCP header (it can be done, I'd just have to spend some  
more time figuring it out).

One of these days I may look at adding some libpcap syntax to do  
string matching and matching on TCP/UDP payload contents.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

  
begin:vcard
fn:Mike Brandonisio
n:Brandonisio;Mike
org:Tech One Illustration
adr:;;231 S. Cranberry St.;Bolingbrok;Illinois;60490;US
email;internet:mbrando@xxxxxxxxxxxxxx
title:Principal
tel;work:630-759-9283 x1001
tel;fax:630-214-9877
x-mozilla-html:FALSE
url:http://www.jikometrix.net
version:2.1
end:vcard