Using tcpdump, how do I see as plainly as possible an unencrypted SMTP conversation?

StackOverflow https://stackoverflow.com/questions/1704229

19-09-2019

Question

I'm trying to debug an application and it isn't a place that's convenient to run WireShark.

I've been using "tcpdump -nn -x -X port 25" but the output isn't really in the most convenient format. Thoughts?


Solution

You can always have tcpdump write out to a file using "-w dump.txt -s 0" as extra arguments, and then load the output file into WireShark locally.

OTHER TIPS

tcpdump -A (instead of -X) will print packet contents in ASCII.

I'd think the easiest thing to do would be to point the application at an SMTP proxy which just passes everything through to the real server and logs it in the meantime (could probably hack something together with socat in a few minutes), but going with your current approach...

  • Use TShark to generate a capture file, and load that file into WireShark somewhere more convenient.
  • Or use tcptrace on the tcpdump or TShark output.
  • Or use tcpflow.

A utility known as ngrep exists which might help you. It has all the power of regular grep, but it works on pcap data. Check it out here
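The answers above all come down to the same two steps: capture the raw packets (tcpdump -w / TShark) and then turn the TCP payload back into readable text (tcpdump -A, tcpflow, ngrep). The following is an added example, not code from the question or any answer: it builds a small pcap file from a constructed SMTP exchange (the hosts, ports and messages are made up) and then reads it back with a minimal pcap/Ethernet/IPv4/TCP parser, reassembling each direction of the port 25 stream the way tcpflow does and printing an interleaved transcript the way the asker wanted to see it. The written file can also be opened in Wireshark or fed to tcpdump -r / tcpflow -r to compare output.

```python
import struct
from collections import defaultdict

# Constructed SMTP exchange (assumption: not captured from any real server).
CLIENT = ("10.0.0.2", 40000)
SERVER = ("10.0.0.1", 25)
CONVERSATION = [
    (SERVER, b"220 mail.example.test ESMTP\r\n"),
    (CLIENT, b"EHLO client.example.test\r\n"),
    (SERVER, b"250-mail.example.test\r\n250 SIZE 10240000\r\n"),
    (CLIENT, b"MAIL FROM:<alice@example.test>\r\n"),
    (SERVER, b"250 2.1.0 Ok\r\n"),
    (CLIENT, b"QUIT\r\n"),
    (SERVER, b"221 2.0.0 Bye\r\n"),
]


def ip_to_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def build_packet(src, dst, payload):
    """Ethernet + IPv4 + TCP frame. Checksums are left zero: tcpdump -A does not verify them either."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_to_bytes(src[0]), ip_to_bytes(dst[0]))
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    return eth + ip + tcp


def build_pcap(conversation):
    """pcap global header (magic 0xa1b2c3d4, link type 1 = Ethernet) followed by one record per segment."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (sender, payload) in enumerate(conversation):
        receiver = SERVER if sender == CLIENT else CLIENT
        frame = build_packet(sender, receiver, payload)
        out += struct.pack("<IIII", 1568895600 + i, 0, len(frame), len(frame)) + frame
    return out


def extract_tcp_payloads(pcap_bytes):
    """Walk the pcap records and yield (src, dst, payload) for every TCP segment that carries data."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off < len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (src, sport), (dst, dport), payload


def reassemble(pcap_bytes, port=25):
    """Concatenate payload per direction, tcpflow style; ignores retransmissions and reordering."""
    flows = defaultdict(bytes)
    for src, dst, payload in extract_tcp_payloads(pcap_bytes):
        if dst[1] == port:
            flows["client->server"] += payload
        elif src[1] == port:
            flows["server->client"] += payload
    return dict(flows)


def transcript(pcap_bytes, port=25):
    """Interleaved readable transcript: 'S:' for server lines, 'C:' for client lines."""
    lines = []
    for src, dst, payload in extract_tcp_payloads(pcap_bytes):
        tag = "S" if src[1] == port else "C"
        for line in payload.decode("ascii", "replace").splitlines():
            lines.append(f"{tag}: {line}")
    return lines


if __name__ == "__main__":
    pcap = build_pcap(CONVERSATION)
    with open("smtp_constructed.pcap", "wb") as f:  # open in Wireshark, or: tcpdump -r / tcpflow -r
        f.write(pcap)
    print("\n".join(transcript(pcap)))
```

Run it and compare with `tcpdump -A -r smtp_constructed.pcap` or `tcpflow -r smtp_constructed.pcap`: the per-direction files tcpflow writes correspond to what reassemble() returns. The parser deliberately does no sequence-number tracking, so on a real capture with retransmissions or out-of-order segments use tcpflow or Wireshark's "Follow TCP Stream" rather than this simplified concatenation.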

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow