Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

You can split the filter into the two elements, command and parameter. That way you can see all "EHLO" command lines that do not use the parameter "Monitoring\x0d\x0a" by using the following filter:

smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a"

If you want the full TCP sessions of these packets, you can use something like this in a bash shell:

tshark -r in.pcap -w out.pcap -Y " in {$(tshark -r in.pcap -Y 'smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a" ' -T fields -e | xargs)}"

Drilled down:

  • tshark -r in.pcap -Y <filter> -T fields -e will print all the numbers of the packets that match the filter
  • the | xargs will create a list of these stream numbers, separated by spaces
  • and tshark -r in.pcap -w out.pcap -Y " in {$(<command>)}" takes the list of stream numbers and uses it as a filter to create a new file with the full TCP sessions