Capturing an SMTP Conversation

Capturing an SMTP conversation is not unlike capturing an HTTP session. Begin with the basic TCPDump options that you'd like to use and then build an expression to grab the appropriate type of data, including protocol, port, and source or destination hosts. For example, here's a simple capture of port 25 traffic along with my normal TCPDump choice of options:

The TCP three-way handshake is again present, as you might expect:

20:40:08.638690 murphy.debian.org.45772 > test.example.com.smtp: S [tcp sum ok] 1485971964:1485971964(0) win 5840 <mss 1460,sackOK,timestamp 795074473 0,nop,wscale 0> (DF) (ttl 57, id 65109, len 60)
0x0000 4500 003c fe55 4000 3906 deae 9252 8a06 E..<.U@.9....R..
0x0010 455d 0302 b2cc 0019 5892 21fc 0000 0000 E]......X.!.....
0x0020 a002 16d0 8ffe 0000 0204 05b4 0402 080a ................
0x0030 2f63 dfa9 0000 0000 0103 0300 /c..........

20:40:08.638769 test.example.com.smtp > murphy.debian.org.45772: S [tcp sum ok] 2853594323:2853594323(0) ack 1485971965 win 5792 <mss 1460,sackOK,timestamp 1321286843 795074473,nop,wscale 0> (DF) (ttl 64, id 0, len 60)
0x0000 4500 003c 0000 4000 4006 d604 455d 0302 E..<..@.@...E]..
0x0010 9252 8a06 0019 b2cc aa16 64d3 5892 21fd .R........d.X.!.
0x0020 a012 16a0 f5b6 0000 0204 05b4 0402 080a ................

20:40:08.640600 murphy.debian.org.45772 > test.example.com.smtp: . [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 795074473 1321286843> (DF) (ttl 57, id 65110, len 52)
0x0000 4500 0034 fe56 4000 3906 deb5 9252 8a06 E..4.V@.9....R..
0x0010 455d 0302 b2cc 0019 5892 21fd aa16 64d4 E]......X.!...d.
0x0020 8010 16d0 244c 0000 0101 080a 2f63 dfa9 ....$L....../c..
0x0030 4ec1 3cbb N.<.

There's nothing new of interest in the three-way handshake itself. Notice, though, that the ASCII column is of little use during the handshake: these segments carry no payload, so all it shows is the header bytes.

As with HTTP, once the TCP handshake is complete the SMTP conversation gets underway: the server sends its 220 greeting banner and the client answers with EHLO:

20:40:08.683352 test.example.com.smtp > murphy.debian.org.45772: P [tcp sum ok] 1:51(50) ack 1 win 5792 <nop,nop,timestamp 1321286848 795074473> (DF) (ttl 64, id 22639, len 102)
0x0000 4500 0066 586f 4000 4006 7d6b 455d 0302 E..fXo@.@.}kE]..
0x0010 9252 8a06 0019 b2cc aa16 64d4 5892 21fd .R........d.X.!.
0x0020 8018 16a0 bd07 0000 0101 080a 4ec1 3cc0 ............N.<.
0x0030 2f63 dfa9 3232 3020 6466 7730 2e69 6367 /c..220.test.exa
0x0040 6d65 6469 612e 636f 6d20 4553 4d54 5020 mple.com.ESMTP.
0x0050 506f 7374 6669 7820 2844 6562 6961 6e2f Postfix.(Debian/
0x0060 474e 5529 0d0a GNU)..

20:40:08.684581 murphy.debian.org.45772 > test.example.com.smtp: . [tcp sum ok] 1:1(0) ack 51 win 5840 <nop,nop,timestamp 795074478 1321286848> (DF) (ttl 57, id 65111, len 52)
0x0000 4500 0034 fe57 4000 3906 deb4 9252 8a06 E..4.W@.9....R..
0x0010 455d 0302 b2cc 0019 5892 21fd aa16 6506 E]......X.!...e.
0x0020 8010 16d0 2410 0000 0101 080a 2f63 dfae ....$......./c..
0x0030 4ec1 3cc0 N.<.

20:40:08.685428 murphy.debian.org.45772 > test.example.com.smtp: P [tcp sum ok] 1:25(24) ack 51 win 5840 <nop,nop,timestamp 795074478 1321286848> (DF) (ttl 57, id 65112, len 76)
0x0000 4500 004c fe58 4000 3906 de9b 9252 8a06 E..L.X@.9....R..
0x0010 455d 0302 b2cc 0019 5892 21fd aa16 6506 E]......X.!...e.
0x0020 8018 16d0 3cc4 0000 0101 080a 2f63 dfae ....<......./c..
0x0030 4ec1 3cc0 4548 4c4f 206d 7572 7068 792e N.<.EHLO.murphy.
0x0040 6465 6269 616e 2e6f 7267 0d0a debian.org..
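As an added example (not part of the original text), the following Python decodes a tcpdump -X style dump like the ones above (offset, up to eight 4-hex-digit groups, then the ASCII column) back into the fields tcpdump's summary line reports, the TCP options list, and the TCP payload. It assumes IPv4 carrying TCP; the two embedded dumps are the SYN and EHLO packets from this capture.

```python
import struct
# Constructed samples: the SYN and the EHLO packets from the capture above.
SYN_DUMP = """
0x0000 4500 003c fe55 4000 3906 deae 9252 8a06 E..<.U@.9....R..
0x0010 455d 0302 b2cc 0019 5892 21fc 0000 0000 E]......X.!.....
0x0020 a002 16d0 8ffe 0000 0204 05b4 0402 080a ................
0x0030 2f63 dfa9 0000 0000 0103 0300 /c.........."""
EHLO_DUMP = """
0x0000 4500 004c fe58 4000 3906 de9b 9252 8a06 E..L.X@.9....R..
0x0010 455d 0302 b2cc 0019 5892 21fd aa16 6506 E]......X.!...e.
0x0020 8018 16d0 3cc4 0000 0101 080a 2f63 dfae ....<......./c..
0x0030 4ec1 3cc0 4548 4c4f 206d 7572 7068 792e N.<.EHLO.murphy.
0x0040 6465 6269 616e 2e6f 7267 0d0a debian.org.."""
FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST")]

def hexdump_to_bytes(dump):
    # Take the hex groups between the offset and the ASCII column, then cut to the
    # IP total length (bytes 2-3) so a hex-looking ASCII token can do no harm.
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:9]:
            if len(tok) != 4 or set(tok) - set("0123456789abcdef"):
                break
            out += bytes.fromhex(tok)
    return bytes(out[:struct.unpack("!H", out[2:4])[0]])

def parse_tcp_options(opts):
    # Walk the option TLVs into the <mss,sackOK,timestamp,...> list tcpdump prints.
    names, i = [], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 = end of options
        kind = opts[i]
        if kind == 1: names.append("nop"); i += 1; continue   # NOP has no length
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2:   names.append("mss %d" % struct.unpack("!H", body))
        elif kind == 3: names.append("wscale %d" % body[0])
        elif kind == 4: names.append("sackOK")
        elif kind == 8: names.append("timestamp %d %d" % struct.unpack("!II", body))
        else:           names.append("opt%d" % kind)
        i += length
    return names

def decode_packet(dump):
    # Return the fields tcpdump's summary line is built from, plus the TCP payload.
    pkt = hexdump_to_bytes(dump)
    tcp = pkt[(pkt[0] & 0x0F) * 4:]                 # skip the IPv4 header (IHL)
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    return {"src": "%s.%d" % (src, sport), "dst": "%s.%d" % (dst, dport),
            "ttl": pkt[8], "seq": seq, "ack": ack, "win": win,
            "flags": [n for bit, n in FLAGS if off_flags & bit],
            "options": parse_tcp_options(tcp[20:doff]), "payload": tcp[doff:]}
```

Running decode_packet over the EHLO dump yields the same relative ack of 51 and the same option list that tcpdump printed, and the payload comes out as the literal EHLO line.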
