Using tcpdump, how do I see as plainly as possible an unencrypted SMTP conversation?

views:

225

answers:

Using tcpdump, how do I see as plainly as possible an unencrypted SMTP conversation?

I'm trying to debug an application and it isn't a place that's convenient to run WireShark.

I've been using "tcpdump -nn -x -X port 25" but the output isn't really in the most convenient format. Thoughts?

I'd think the easiest thing to do would be to point the application at a SMTP proxy which just passes everything through to the real server and logs it in the meantime (could probably hack something together with socat in a few minutes), but going with your current approach...

Use TShark to generate a capture file, and load that file into WireShark somewhere more convenient.
Or use tcptrace on the tcpdump or TShark output.
Or use tcpflow.

ephemient 2009-11-09 22:20:47

+4 A:

You can always have tcpdump write out to a file using "-w dump.txt -s 0" as extra arguments, and then load the output file into WireShark locally.

Pete 2009-11-09 22:25:08

+1 this is very effective; I do it all the time when I can't run Wireshark on the target system.

Jim Garrison 2009-11-09 22:26:28

Right, I'd forgotten that WireShark/TShark can operate with the same pcap format that tcpdump does...

ephemient 2009-11-09 22:27:11

A utility known as ngrep exists which might help you. It has all the power of regular grep, but it works on pcap data. Check it out here

James 2009-11-10 05:59:59

tcpdump -A (instead of -X) will print packet contents in ASCII.

benzado 2009-11-15 18:10:21

ansaurus

tags:

views:

answers:

Using tcpdump, how do I see as plainly as possible an unencrypted SMTP conversation?

related questions