You can split the filter into the two elements, command and parameter. That way you can see all "EHLO" command lines that do not use the parameter "Monitoring\x0d\x0a" by using the following filter:

smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a"

If you want the full TCP sessions of these packets, you can use something like this in a bash shell:

tshark -r in.pcap -w out.pcap -Y "tcp.stream in {$(tshark -r in.pcap -Y 'smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a" ' -T fields -e tcp.stream | xargs)}"

Drilled down:

  • tshark -r in.pcap -Y <filter> -T fields -e tcp.stream will print all the tcp.stream numbers of the packets that match the filter
  • the | xargs will create a list of these stream numbers, separated by spaces
  • and tshark -r in.pcap -w out.pcap -Y "tcp.stream in {$(<command>)}" takes the list of stream numbers and uses it as a filter to create a new file with the full TCP sessions
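An added example, not part of the original answer: a small POSIX shell wrapper around the same two-pass tshark extraction. It keeps the answer's filter string and file names (in.pcap, out.pcap) and adds the one check the one-liner lacks: when no packet matches, `tcp.stream in {}` would be an invalid display filter, so the wrapper stops instead of running the second pass. The helper names (build_stream_filter, extract_sessions) are assumed.

```shell
#!/bin/sh
# Display filter from the answer: EHLO commands whose parameter is not
# "Monitoring\r\n". tshark, not the shell, interprets the \x0d\x0a escapes.
EHLO_FILTER='smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a"'

# Read tcp.stream numbers from stdin (one per line, as printed by
# `-T fields -e tcp.stream`) and print a `tcp.stream in {...}` filter.
# Duplicates are dropped (a stream usually has several matching packets)
# and non-numeric lines are ignored. Returns 1 when no stream matched,
# because an empty set `tcp.stream in {}` is not a valid display filter.
build_stream_filter() {
    streams=$(grep -E '^[0-9]+$' | sort -n -u | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$streams" ]; then
        return 1
    fi
    printf 'tcp.stream in {%s}\n' "$streams"
}

# Pass 1 lists the streams that carry a matching EHLO; pass 2 writes the
# complete TCP sessions for those streams to a new capture file.
extract_sessions() {
    in_pcap=$1
    out_pcap=$2
    filter=$(tshark -r "$in_pcap" -Y "$EHLO_FILTER" -T fields -e tcp.stream \
             | build_stream_filter) || {
        echo "no packets matched the EHLO filter; nothing written" >&2
        return 1
    }
    tshark -r "$in_pcap" -w "$out_pcap" -Y "$filter"
}

# Usage: extract_sessions in.pcap out.pcap
```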