Wireshark-users: Re: [Wireshark-users] Yum install centos 5.2

From: Mike Brandonisio <mbrando@xxxxxxxxxxxxxx>
Date: Sun, 11 Oct 2009 20:07:55 -0500
Hi Guy,

I was thinking about this again. While I'll be able to see what is going on with the IP address via SMTP I also need a time stamp in server time and if possible what executed the command that made the SMTP outbound connection.

Not that I think tshark should do all of this. I'm wondering how to, or what else to add to the mix to, get good intel on what is getting me listed on CBL.
Sincerely,
Mike
-- 
Mike Brandonisio          *    Web Hosting / Development
Tech One Illustration     *    Internet Marketing
tel (630) 759-9283 x1001  *    e-Commerce
mbrando@xxxxxxxxxxxxxx    *    www.jikometrix.net

    JIKOmetrix - Reliable web hosting


Guy Harris wrote:
On Oct 11, 2009, at 3:07 PM, Mike Brandonisio wrote:

I'm seeing what looks like encoded traffic.

\027\003\001\000

Any thoughts on how it is encoded?
Is this on port 25?  If so, it *might* be SMTP-over-TLS:

	http://tools.ietf.org/html/rfc2487

although I think newer versions of Wireshark/TShark should recognize the STARTTLS command and dissect traffic following it as TLS.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
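Guy's guess that the bytes are a TLS record can be checked from the bytes themselves. The following Python is an added example, not code from the thread or from the Wireshark project: it decodes the octal-escaped string Mike pasted and reads it as the start of a TLS record header. Content type 23 (octal 027) is application_data and version 3.1 is TLS 1.0, which is exactly what an SMTP session looks like after a successful STARTTLS. The C-style \ooo escape convention, the lookup tables and the helper names are my assumptions; because only four bytes were pasted, the record length field is reported as unknown rather than guessed.

```python
"""Decode octal-escaped bytes and interpret them as a TLS record header.

Added example for the Wireshark-users thread; assumes the pasted string uses
C-style \\ooo octal escapes, as many tools print non-printable bytes.
"""
import re

# Constructed from the thread: the four bytes Mike saw on (presumably) port 25.
CAPTURED = r"\027\003\001\000"

# TLS record-layer content types (RFC 2246 / RFC 5246).
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# Record-layer protocol version field: major 3, minor 0..3.
VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

_OCTAL = re.compile(r"\\([0-7]{1,3})")


def unescape_octal(text):
    """Turn a string containing C-style \\ooo escapes into raw bytes."""
    out = bytearray()
    pos = 0
    for m in _OCTAL.finditer(text):
        out += text[pos:m.start()].encode("latin-1")  # literal characters
        out.append(int(m.group(1), 8))                  # one escaped byte
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_tls_record_header(data):
    """Return a dict describing a TLS record header, or None if it is not one.

    A full header is 5 bytes: type (1), version (2), length (2).  With fewer
    than 5 bytes the type and version can still be read but the length is
    unknown, which is the situation in the thread (only 4 bytes pasted).
    """
    if len(data) < 3:
        return None
    ctype, major, minor = data[0], data[1], data[2]
    if ctype not in CONTENT_TYPES or (major, minor) not in VERSIONS:
        return None  # e.g. plaintext "EHLO ..." is not a TLS record
    length = int.from_bytes(data[3:5], "big") if len(data) >= 5 else None
    return {
        "content_type": CONTENT_TYPES[ctype],
        "version": VERSIONS[(major, minor)],
        "length": length,
    }


def describe(text):
    """One-line verdict for an octal-escaped snippet such as the one pasted."""
    info = parse_tls_record_header(unescape_octal(text))
    if info is None:
        return "not a TLS record header"
    length = "unknown" if info["length"] is None else str(info["length"])
    return f"TLS record: {info['content_type']}, {info['version']}, length {length}"


if __name__ == "__main__":
    print(describe(CAPTURED))
```

An application_data record on port 25 means the session negotiated TLS after STARTTLS, so the mail content is encrypted on the wire; the useful evidence for Mike's CBL question is then the timing and peer address of the connection, which the record layer still exposes, rather than the payload.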