show tcp streams which don't include string

Hello!

On an e-mail relay I get various requests from the same IP from which prtg (monitoring tool) also connects to check the health of the mail relay server. What I'm interested in is to find all tcp streams which do not contain the smtp.command_line string "EHLO Monitoring", so that I know if any clients actually connect to the mail relay to send emails. This works if I want to exclude the packages itself: smtp.command_line != "EHLO Monitoring\x0d\x0a" The issue with this, of course, is that all the other packages belonging to that tcp stream are also shown. Mostly they contain the smtp "QUIT" command.

Actually, now, while writing this post, I realise that there aren't any other packages belonging to other streams, because the only packages that are being shown are those sending the "QUIT" command, so no hellos, which leads me to believe that no other clients connect to it.

In any case, I would still like to see if there's a possibility of excluding tcp streams altogether based on certain search criteria.

Thanks.
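A per-packet display filter such as `smtp.command_line != "..."` can only judge each packet on its own, so the QUIT packets of the monitoring conversations still match. Excluding a whole TCP stream needs two passes: first collect the `tcp.stream` ids in which the string occurs, then drop every packet whose stream is in that set. The following added example (not part of the question or of Wireshark) implements that two-pass logic in Python over a constructed list of packet records that mimic the `tcp.stream` and `smtp.command_line` fields, and renders the second-pass Wireshark display filter using the set-membership operator `tcp.stream in {...}`.

```python
"""Exclude whole TCP streams that carry a given SMTP command line.

Added example: the records below are constructed to resemble the
tcp.stream / smtp.command_line fields Wireshark exposes; nothing here
reads a real capture.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class Packet(NamedTuple):
    frame: int                      # frame.number
    stream: int                     # tcp.stream conversation index
    command_line: Optional[str]     # smtp.command_line, None for non-command packets


# Constructed sample capture: streams 0 and 2 are monitoring probes,
# stream 1 is a real client submitting a message.
SAMPLE_PACKETS: List[Packet] = [
    Packet(1, 0, None),                                  # SYN of stream 0
    Packet(2, 0, "EHLO Monitoring\r\n"),
    Packet(3, 0, "QUIT\r\n"),
    Packet(4, 1, None),                                  # SYN of stream 1
    Packet(5, 1, "EHLO mail.example.test\r\n"),
    Packet(6, 1, "MAIL FROM:<alice@example.test>\r\n"),
    Packet(7, 1, "QUIT\r\n"),
    Packet(8, 2, "EHLO Monitoring\r\n"),
    Packet(9, 2, "QUIT\r\n"),
]


def streams_matching(packets: Iterable[Packet], needle: str) -> Set[int]:
    """First pass: ids of every stream in which some packet's
    smtp.command_line contains the needle (a substring test, like
    the display-filter operator `contains`)."""
    return {p.stream for p in packets
            if p.command_line is not None and needle in p.command_line}


def packets_excluding_streams(packets: Iterable[Packet],
                              excluded: Set[int]) -> List[Packet]:
    """Second pass: keep only packets whose stream is not excluded,
    so the QUIT and handshake packets of matching streams go too."""
    return [p for p in packets if p.stream not in excluded]


def streams_without(packets: List[Packet], needle: str) -> Dict[int, List[Packet]]:
    """Both passes together: surviving streams mapped to their packets."""
    excluded = streams_matching(packets, needle)
    by_stream: Dict[int, List[Packet]] = defaultdict(list)
    for p in packets_excluding_streams(packets, excluded):
        by_stream[p.stream].append(p)
    return dict(by_stream)


def tshark_exclusion_filter(excluded: Set[int]) -> str:
    """Render the second-pass display filter for Wireshark/tshark using
    the set-membership operator. Returns "" when nothing is excluded."""
    if not excluded:
        return ""
    ids = " ".join(str(i) for i in sorted(excluded))
    return f"!(tcp.stream in {{{ids}}})"


if __name__ == "__main__":
    probe_streams = streams_matching(SAMPLE_PACKETS, "EHLO Monitoring")
    print("monitoring streams:", sorted(probe_streams))
    print("second-pass filter:", tshark_exclusion_filter(probe_streams))
    for sid, pkts in streams_without(SAMPLE_PACKETS, "EHLO Monitoring").items():
        cmds = [p.command_line.strip() for p in pkts if p.command_line]
        print(f"stream {sid}: {cmds}")
```

On a real capture the same two passes map onto tshark: run the first with `-Y 'smtp.command_line contains "EHLO Monitoring"' -T fields -e tcp.stream` to collect the stream ids, then feed the rendered `!(tcp.stream in {...})` string back as the display filter of the second pass. An empty result from the second pass is the answer to the question asked above: no stream other than the monitoring probes reached the relay.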