I'm working on a problem between two MTAs. I've got tcpdump logging all port 25 packets between the two machines, but the problem only happens once in a while and the vast bulk of the traffic is not of interest.
Specifically, once in a while the MTAs get confused about the state of the SMTP connection -- one issues HELO and the other says "No, you can't say DATA at this point." So, first what I'd like is to capture ALL packets in a given SMTP session (well, ones with a payload -- flags AP in snort) ONLY when the session is initiated by one of the MTAs. Second, what would be really great is if then only those sessions are logged where the receiving MTA generates a 500 error in the payload. Basically, I want to see just the SMTP transaction from start to finish and see if there's anything odd (like why the receiving MTA thinks the sending MTA sent "DATA"). Any suggestions?

-- 
Bill Moseley
[EMAIL PROTECTED]
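One way to get at what the post asks for, written as an added example rather than anything from the original thread: tcpdump can restrict the capture to sessions where our MTA is the client (the SYN went from our host to port 25), but "only sessions that end in a 5xx" cannot be decided packet by packet, so that half has to be a post-filter over the saved capture. The script below builds the BPF expression, reads a pcap with nothing but the standard library, groups payload-bearing segments into sessions keyed by the client side, and keeps the sessions in which the peer sent a 5xx reply line. The addresses 192.0.2.10 (our MTA) and 192.0.2.20 (the peer), the ports, and the SMTP dialogue in `sample_capture()` are all constructed for the example; `bpf_filter`, `parse_pcap`, `sessions_from` and `failed_sessions` are names chosen here, not tools from the post.

```python
"""Post-filter an SMTP capture: keep only sessions our MTA opened that drew a
5xx reply from the peer.  Stdlib only: a tiny pcap/Ethernet/IPv4/TCP reader."""
import re
import struct

SMTP_PORT = 25
REPLY_5XX = re.compile(rb"^5\d\d[ -]", re.M)   # a 5xx reply line in server data


def bpf_filter(our_mta: str) -> str:
    """tcpdump expression matching every packet of a session in which OUR_MTA is
    the client (it sent the SYN to port 25).  Append
    'and tcp[tcpflags] & (tcp-push|tcp-ack) == (tcp-push|tcp-ack)' if you only
    want payload-bearing segments (snort's "flags: AP")."""
    return (f"tcp port {SMTP_PORT} and ((src host {our_mta} and dst port {SMTP_PORT})"
            f" or (dst host {our_mta} and src port {SMTP_PORT}))")


def parse_pcap(data: bytes):
    """Yield (src, dst, sport, dport, tcp_flags, payload) for each IPv4/TCP frame
    in a little-endian, Ethernet link-type pcap; other frames are skipped."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "unsupported pcap magic"
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                                       # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[13], tcp[doff:]


def sessions_from(our_mta, packets):
    """Group segments into sessions keyed by (client ip, client port, server ip),
    keeping only sessions OUR_MTA opened.  Each session is a list of
    (direction, payload); direction is 'C' (our MTA) or 'S' (the peer).
    Empty segments (SYN, bare ACKs) are dropped, as the post wants."""
    out = {}
    for src, dst, sport, dport, _flags, payload in packets:
        if src == our_mta and dport == SMTP_PORT:
            key, direction = (src, sport, dst), "C"
        elif dst == our_mta and sport == SMTP_PORT:
            key, direction = (dst, dport, src), "S"
        else:
            continue                           # peer-initiated, or not SMTP at all
        if payload:
            out.setdefault(key, []).append((direction, payload))
    return out


def failed_sessions(sessions):
    """Return only the sessions in which the peer MTA sent a 5xx reply."""
    return {k: v for k, v in sessions.items()
            if REPLY_5XX.search(b"".join(p for d, p in v if d == "S"))}


def find_failures(pcap: bytes, our_mta: str):
    return failed_sessions(sessions_from(our_mta, parse_pcap(pcap)))


# ---- constructed sample capture (not real traffic) -------------------------
OUR, PEER = "192.0.2.10", "192.0.2.20"
SYN, PSH_ACK = 0x02, 0x18


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero (parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap FRAMES in a pcap file (link type 1 = Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


def sample_capture() -> bytes:
    """One clean session, one where the peer rejects HELO with a 503 (the
    'you can't say DATA now' confusion), and one the peer opened toward us."""
    return build_pcap([
        build_frame(OUR, PEER, 40001, 25, SYN),
        build_frame(PEER, OUR, 25, 40001, PSH_ACK, b"220 peer.example ESMTP\r\n"),
        build_frame(OUR, PEER, 40001, 25, PSH_ACK, b"HELO our.example\r\n"),
        build_frame(PEER, OUR, 25, 40001, PSH_ACK, b"250 peer.example\r\n"),
        build_frame(OUR, PEER, 40001, 25, PSH_ACK, b"QUIT\r\n"),
        build_frame(PEER, OUR, 25, 40001, PSH_ACK, b"221 Bye\r\n"),
        build_frame(OUR, PEER, 40002, 25, SYN),
        build_frame(PEER, OUR, 25, 40002, PSH_ACK, b"220 peer.example ESMTP\r\n"),
        build_frame(OUR, PEER, 40002, 25, PSH_ACK, b"HELO our.example\r\n"),
        build_frame(PEER, OUR, 25, 40002, PSH_ACK, b"503 Bad sequence of commands\r\n"),
        build_frame(PEER, OUR, 50001, 25, SYN),                       # ignored
        build_frame(OUR, PEER, 25, 50001, PSH_ACK, b"220 our.example ESMTP\r\n"),
    ])


if __name__ == "__main__":
    print("tcpdump -s 0 -w smtp.pcap '%s'" % bpf_filter(OUR))
    for key, msgs in find_failures(sample_capture(), OUR).items():
        print("session", key)
        for d, p in msgs:
            print(" ", d, p.decode(errors="replace").rstrip())
```

In practice you would run tcpdump with `-s 0 -w smtp.pcap` and the printed filter, let it run until the problem recurs, and then feed the file to `find_failures`. The session that fails prints from the banner through the 5xx, so whether our side really sent DATA before HELO (or a stray segment from an earlier connection arrived on the same port pair) is visible in the printed dialogue. Note the reader assumes Ethernet framing and a native little-endian pcap; a capture on a loopback or PPP interface, or a pcapng file, needs a different link-layer decode.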