Ask Your Question
0

Capturing SMTP traces

asked 2018-08-10 17:39:25 +0000

Todd M gravatar image

I am trying to troubleshoot an error a customer is having when they configure their SMTP outgoing email server settings and capture the SMTP protocol traces.

The printer has its own IP address and I am able to capture TCP information and other protocols but not SMTP. I have configured the SMTP Server (example: smtp1.mycompany.com) on SMTP Port: 25. I am on a Comcast network (10.1.10.x).

Is there a filter I can apply to capture the SMTP tracing from the SMTP server?

I am currently using: ip.addr==15.23.2.x

network setup as follows: PC > Hub (not switch) > printer > Comcast LR5 tap (10.1.10.x)

I am a novice user. I tried attaching the trace capture, I guess I need 60 points to do that..

Thank you for any help you can provide.

edit retag flag offensive close merge delete

Comments

Who's emailing? The printer? Printer is a switch, between hub and this Comcast device? Is the SMTP connection through a TLS link? Have you tried using port 587 (smtp-submission)?

Jaap gravatar imageJaap ( 2018-08-10 19:56:36 +0000 )edit

Hi Jaap, Thank you for your reply. Sorry for the confusion.

I am trying to configure the SMTP out server settings on a HP PageWide Managed MFP P77740dw printer so that I can scan to email and send via printer. However, when I test my SMTP out settings to send an email, I get a Configuration Network error. Tells me to check the printers network connection and try again. This is where I am hoping that Wireshark can tell me (SMTP traces) why I am getting the network error. So my question what do I need to do to get SMTP traces?

Example: ip.addr--172.20.10.2

Both PC (Win10 Ent 64bit) and printer are connected to a Hub which Comcast ISP is connected to the uplink port. (No switch involved)

Printer: HP PageWide MFP P77740dw Hub: Lynksys 10/100 5-port Workgroup Hub Model FFAHO5W PC: Windows 10 Ent ...(more)

Todd M gravatar imageTodd M ( 2018-08-13 21:24:34 +0000 )edit

Ok, this all looks a bit better. Now the first step is to make sure that all devices use wired Ethernet, not their build in Wifi connectivity. Also make sure they all match the same speed (which I assume will be 100Mb) on the hub. Next you are throwing out all different kind of IP addresses. Maybe you need to stop focussing on that and start filtering on the TCP ports used, as you said 25 or 587. So 'tcp.port==25 or tcp.port==587'

Jaap gravatar imageJaap ( 2018-08-14 05:18:48 +0000 )edit

Hi Jaap, Yes. I am using wired as wireless is encrypted. Is there a way to detect if they are all running the same speed? The Linksys Hub is EtherFast 10/100. So, I am assuming that all ports are running 100Mb.

So filtering on the TCP port - tcp.port==25 or tcp.port==587 should reveal any SMTP packet traces?

Thanks again for your time and consideration.

Thanks, Todd

Todd M gravatar imageTodd M ( 2018-08-14 21:25:01 +0000 )edit

"Assumption is the the mother of all fuck-ups", so check the indications on the Linksys EFAHO5W that all links involved have their '100' LED illuminated. Now you can capture with promiscuous mode on the PC port connected to this hub and see the network traffic from the printer to the outside world. If you apply the display filter after that, the SMTP traffic (if any) should remain.

Jaap gravatar imageJaap ( 2018-08-15 04:46:28 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-08-11 17:58:26 +0000

Jim Aragon gravatar image

Is there a filter I can apply to capture the SMTP tracing from the SMTP server?

Your diagram is unclear. As Jaap mentioned, it implies that the printer has two interfaces and switches between the hub and the Comcast device. Are you sure that the PC and printer are really connected by a hub? True hubs are rare these days, and many devices labeled as hubs are actually switches. Also, some dual-speed hubs only act as hubs between the ports operating at the same speed (all the 10 mbps ports; all the 100 mbps ports), but switch between ports operating at different speeds. See here on the Wireshark FAQ page for a discussion.

Your filter is correct, assuming you're using the correct server address, so if you're not seeing any SMTP packets, it's because they aren't there. Either the printer isn't sending packets to that address, or you're capturing at the wrong place in the network, or the hub is really a switch so packets aren't being sent out the port that the PC is connected to. If that's the case, you could replace the "hub" with a true managed switch that does port forwarding and then forward the port where the printer is connected to the port that the PC is connected to.

edit flag offensive delete link more

Comments

Hi Jim, Thank you for taking time to answer my question. I apologize for the diagram. I tried uploading a pic but the system wouldn't let me. You are exactly correct when you say switches are labelled as hubs. I actually thought they were the same, but they are not. Yes they are hard to find. You need to pay close attention when purchasing. The Linksys is 10/100 auto.

Both PC (Win10 Ent 64bit) and printer are connected to a Hub (Linksys 10/100 5-port Workgroup Hub Model FFAHO5W) which Comcast ISP is connected to the uplink port. (No switch involved)

So what you are saying is that if I use the filter (ip.addr--172.20.10.2) this should show any SMTP packets?

Thanks again for your time and consideration.

Todd

Todd M gravatar imageTodd M ( 2018-08-13 21:32:31 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-08-10 17:39:25 +0000

Seen: 4,064 times

Last updated: Aug 11 '18