views: 225
answers: 4
I'm trying to debug an application, and it isn't in a place where it's convenient to run Wireshark.

I've been using "tcpdump -nn -x -X port 25" but the output isn't really in the most convenient format. Thoughts?

A: 

I'd think the easiest thing to do would be to point the application at an SMTP proxy which just passes everything through to the real server and logs it in the meantime (could probably hack something together with socat in a few minutes), but going with your current approach...

  • Use TShark to generate a capture file, and load that file into Wireshark somewhere more convenient.
  • Or use tcptrace on the tcpdump or TShark output.
  • Or use tcpflow.
ephemient
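The first suggestion above, a pass-through proxy that logs the SMTP dialogue, as an added example written in Python rather than with socat (this is not code from the post and not socat's). It relays a single connection for illustration; the upstream server in run_demo is a constructed stand-in that speaks just enough SMTP for the demo to run offline, and the host names and addresses (mail.example.test, client.example.test, alice@example.test) are made up.

```python
"""Pass-through SMTP proxy that logs both directions (added example, not from the post).
The application is pointed at the proxy's listen port; bytes are relayed to the real server
unchanged and recorded with a C:/S: tag, the Python equivalent of the socat relay suggested above.
Plain TCP only: after a STARTTLS upgrade the relay still works but the log is ciphertext."""
import selectors
import socket
import threading


def relay_one_connection(listener, upstream_addr, log):
    """Accept one client on listener, relay it to upstream_addr, appending (tag, bytes) to log."""
    client, _ = listener.accept()
    server = socket.create_connection(upstream_addr)
    sel = selectors.DefaultSelector()
    sel.register(client, selectors.EVENT_READ, ("C", server))
    sel.register(server, selectors.EVENT_READ, ("S", client))
    open_sides = 2
    while open_sides:
        for key, _ in sel.select():
            tag, peer = key.data
            try:
                chunk = key.fileobj.recv(4096)
                if chunk:
                    log.append((tag, chunk))
                    peer.sendall(chunk)
                    continue
            except OSError:
                pass  # reset or timeout on this side: treat it as EOF
            sel.unregister(key.fileobj)  # EOF: pass the half-close through so QUIT/221 ordering survives
            open_sides -= 1
            try:
                peer.shutdown(socket.SHUT_WR)
            except OSError:
                pass
    client.close()
    server.close()


def fake_smtp_server(listener):
    """Constructed stand-in for the real mail server so the demo runs offline (not a real MTA)."""
    conn, _ = listener.accept()
    conn.sendall(b"220 mail.example.test ESMTP\r\n")
    commands = conn.makefile("rb")
    for line in commands:
        if line.upper().startswith(b"QUIT"):
            conn.sendall(b"221 Bye\r\n")
            break
        conn.sendall(b"250 OK\r\n")
    commands.close()
    conn.close()


def run_demo():
    """Wire fake server, proxy and a client together on loopback; return the proxy log as text."""
    socket.setdefaulttimeout(5.0)  # a broken run fails instead of hanging
    upstream, front = socket.socket(), socket.socket()
    for s in (upstream, front):
        s.bind(("127.0.0.1", 0))  # ephemeral ports, no real network needed
        s.listen(1)
    log = []
    threads = [threading.Thread(target=fake_smtp_server, args=(upstream,)),
               threading.Thread(target=relay_one_connection, args=(front, upstream.getsockname(), log))]
    for t in threads:
        t.start()
    # The "application": it talks to the proxy port instead of the real server.
    app = socket.create_connection(front.getsockname())
    replies = app.makefile("rb")
    replies.readline()  # 220 banner
    for cmd in (b"EHLO client.example.test\r\n", b"MAIL FROM:<alice@example.test>\r\n", b"QUIT\r\n"):
        app.sendall(cmd)
        replies.readline()
    replies.close()
    app.close()
    for t in threads:
        t.join()
    return ["%s: %s" % (tag, chunk.decode("ascii", "replace").rstrip("\r\n")) for tag, chunk in log]


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

For real use, replace the fake server with the real server's host and port, listen on a fixed port, and wrap the accept in a loop; the relay itself does not change. The log is a list of (tag, bytes) chunks, so a multi-line reply that arrives in one segment shows up as one entry.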
+4  A: 

You can always have tcpdump write out to a file using "-w dump.txt -s 0" as extra arguments, and then load the output file into Wireshark locally.

Pete
+1 this is very effective; I do it all the time when I can't run Wireshark on the target system.
Jim Garrison
Right, I'd forgotten that Wireshark/TShark can operate with the same pcap format that tcpdump does...
ephemient
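Once the capture is on disk as suggested above, it does not have to go through Wireshark at all. The following is an added example, not code from the post: a small pcap reader that follows the port-25 TCP stream and prints the conversation one line at a time with a direction tag, roughly what tcpflow or Wireshark's "Follow TCP Stream" gives you. It assumes a classic little-endian pcap with Ethernet frames (what tcpdump -w produces on a typical x86 Linux host); the session in constructed_pcap() is made-up sample data with a deliberately duplicated segment, to show that retransmitted bytes are dropped rather than printed twice.

```python
"""Follow the SMTP conversation in a pcap written by `tcpdump -w` (added example, not from the post).
Ethernet/IPv4/TCP only; each direction is reassembled by sequence number, retransmitted bytes are
dropped, and the output is one SMTP line per row tagged C: (client->server) or S:. No checksum checks."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps
SMTP_PORT = 25


def iter_pcap_packets(data):
    """Yield (timestamp, frame_bytes) for every record in the pcap file."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic (expected little-endian classic pcap)")
    if struct.unpack_from("<HHiIII", data, 4)[5] != 1:  # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp_segment(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]  # IP total length drops Ethernet padding
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    return src, sport, dst, dport, seq, tcp[(tcp[12] >> 4) * 4:]


def follow_smtp_stream(pcap_bytes, port=SMTP_PORT):
    """Return the SMTP dialogue as a list of 'C: ...' / 'S: ...' strings."""
    segments = defaultdict(list)  # (src, sport, dst, dport) -> [(seq, ts, payload)]
    for ts, frame in iter_pcap_packets(pcap_bytes):
        seg = parse_tcp_segment(frame)
        if seg and seg[5] and port in (seg[1], seg[3]):
            segments[seg[:4]].append((seg[4], ts, seg[5]))
    pieces = []  # (ts, direction, payload) with retransmitted bytes removed
    for (src, sport, dst, dport), segs in segments.items():
        direction = "C" if dport == port else "S"
        segs.sort()
        expected = segs[0][0]
        for seq, ts, payload in segs:
            end = seq + len(payload)
            if end <= expected:
                continue  # pure retransmission, already seen
            if seq < expected:
                payload = payload[expected - seq:]  # partially overlapping retransmission
            pieces.append((ts, direction, payload))
            expected = end
    pieces.sort(key=lambda p: p[0])  # interleave the two directions in capture order
    lines, partial = [], {"C": b"", "S": b""}
    for _, direction, payload in pieces:
        buf = partial[direction] + payload  # an SMTP line may span two segments
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            lines.append("%s: %s" % (direction, line.decode("ascii", "replace")))
        partial[direction] = buf
    lines += ["%s: %s" % (d, b.decode("ascii", "replace")) for d, b in partial.items() if b]
    return lines


def build_frame(src, sport, dst, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data (checksums left zero)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def constructed_pcap():
    """Constructed capture of one short SMTP session (sample data), with one segment sent twice."""
    ends = {"C": ("10.0.0.5", 40000), "S": ("10.0.0.9", SMTP_PORT)}
    seq, frames = {"C": 5000, "S": 1000}, []

    def send(direction, text, repeat=1):
        src, dst = ends[direction], ends["S" if direction == "C" else "C"]
        payload = text.encode("ascii")
        frames.extend(build_frame(*src, *dst, seq[direction], payload) for _ in range(repeat))
        seq[direction] += len(payload)

    send("S", "220 mail.example.test ESMTP\r\n")
    send("C", "EHLO client.example.test\r\n")
    send("S", "250-mail.example.test\r\n")
    send("S", "250 SIZE 10240000\r\n", repeat=2)  # duplicated on the wire
    send("C", "MAIL FROM:<alice@example.test>\r\n")
    send("S", "250 OK\r\n")
    send("C", "QUIT\r\n")
    send("S", "221 Bye\r\n")
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 1700000000, i * 1000, len(f), len(f)) + f
                             for i, f in enumerate(frames))
```

To run it on a real capture, feed the file contents to follow_smtp_stream, e.g. follow_smtp_stream(open("smtp.pcap", "rb").read()) where the file came from something like tcpdump -nn -s 0 -w smtp.pcap port 25. Captures from non-Ethernet interfaces (a different link type), big-endian hosts, or the nanosecond pcap variant are rejected with a ValueError rather than misparsed.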
A: 

A utility known as ngrep exists which might help you. It has all the power of regular grep, but it works on pcap data. Check it out here

James
A: 

tcpdump -A (instead of -X) will print packet contents in ASCII.

benzado