> On Sep 22, 2016, at 3:40 PM, Joseph Thibeault <[email protected]> wrote:
>
> Ah sorry. Pardon my inexperience. Do you have an example of how to ensure
> that it contains a single smtp session? When I record I just specify eth0
> which grabs everything.
1. Start the capture on the correct interface before (re-)sending the
problem email:
# iface=eth0 # or whatever
# pcap=$(mktemp -t smtp.pcap)
# tcpdump -s0 -i $iface -w $pcap tcp port 25 & pid=$!
2. Send problem message or flush the queue if still queued.
# postqueue -i <queue-id>
OR
... send a new message that reproduces the problem...
3. Check logs to make sure another delivery attempt took place.
4. Stop the capture:
# kill -INT $pid
5. Filter the capture for just the session in question:
# tcpdump -r $pcap 'tcp[13] & 0x12 == 2'
identify the desired destination host and local source port
# tcpdump -r $pcap -w /tmp/smtp.$$.pcap tcp port $local_port and host $remote_host
6. Post the filtered PCAP file after checking that it contains an entire SMTP
session, from the SYN -> SYN/ACK -> ACK TCP handshake to the FIN/ACK -> FIN/ACK -> ACK
teardown.
--
Viktor.
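Added example, not part of Viktor's reply: a small Python script that reproduces the last two steps of the recipe offline, so you can see what the `tcp[13] & 0x12 == 2` filter selects (byte 13 of the TCP header holds the flags; the test keeps packets with SYN set and ACK clear) and check a filtered capture for the full handshake and teardown before posting it. The libpcap reader only understands Ethernet/IPv4/TCP (no VLAN tags or IPv6), and the addresses, ports, and the sample capture are constructed in memory from TEST-NET ranges, not taken from any real host.

```python
"""Check that a filtered pcap holds one complete SMTP session.

Added example, not from the mailing-list post: a minimal libpcap reader for
Ethernet/IPv4/TCP that mirrors the 'tcp[13] & 0x12 == 2' filter (SYN set,
ACK clear) used to find the session and the step-6 check that the capture
runs from SYN -> SYN/ACK -> ACK through FIN/ACK -> FIN/ACK -> ACK.
Addresses, ports and the sample capture are constructed (TEST-NET ranges).
"""
import struct

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10   # bits of TCP header byte 13


def tcp_packets(data):
    """Yield (src, sport, dst, dport, flags) for every Ethernet/IPv4/TCP record."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap capture")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4 (VLAN/IPv6 not handled)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:
            continue                           # not TCP, or truncated TCP header
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, sport, dst, dport, tcp[13]


def syn_packets(data):
    """Step 5, first command: what tcpdump 'tcp[13] & 0x12 == 2' would print."""
    return [p for p in tcp_packets(data) if p[4] & (SYN | ACK) == SYN]


def filter_session(data, local_port, remote_host, port=25):
    """Step 5, second command: keep only local_port <-> remote_host:port."""
    keep = []
    for p in tcp_packets(data):
        src, sport, dst, dport, _ = p
        if (sport, dst, dport) == (local_port, remote_host, port) or \
           (src, sport, dport) == (remote_host, port, local_port):
            keep.append(p)
    return keep


def session_is_complete(packets, local_port, remote_host, port=25):
    """Step 6: three-way handshake, then a FIN from each side, each one ACKed."""
    handshake = 0                              # 0 none, 1 SYN, 2 SYN/ACK, 3 ACK
    fin_sent = {"client": False, "server": False}
    fin_acked = {"client": False, "server": False}
    for src, sport, dst, dport, flags in packets:
        if (sport, dst, dport) == (local_port, remote_host, port):
            side, peer = "client", "server"
        elif (src, sport, dport) == (remote_host, port, local_port):
            side, peer = "server", "client"
        else:
            continue                           # stray packet from another session
        sa = flags & (SYN | ACK)
        if handshake == 0 and side == "client" and sa == SYN:
            handshake = 1
        elif handshake == 1 and side == "server" and sa == (SYN | ACK):
            handshake = 2
        elif handshake == 2 and side == "client" and sa == ACK:
            handshake = 3
        elif handshake == 3:
            if flags & FIN:
                fin_sent[side] = True
            if flags & ACK and fin_sent[peer]:
                fin_acked[peer] = True
    return handshake == 3 and all(fin_sent.values()) and all(fin_acked.values())


# --- constructed sample capture (no real hosts) ----------------------------
LOCAL, LOCAL_PORT = "192.0.2.10", 40123        # our MTA, TEST-NET-1 (constructed)
REMOTE = "198.51.100.25"                       # the peer MX, TEST-NET-2 (constructed)


def _frame(src, sport, dst, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zero checksums (fine for a synthetic file)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def _pcap(frames):
    """Little-endian libpcap container, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out


def sample_capture(complete=True):
    """One SMTP session plus an unrelated SYN; teardown omitted if complete=False."""
    c = lambda flags, data=b"": _frame(LOCAL, LOCAL_PORT, REMOTE, 25, flags, data)
    s = lambda flags, data=b"": _frame(REMOTE, 25, LOCAL, LOCAL_PORT, flags, data)
    frames = [
        _frame(LOCAL, 40555, "203.0.113.7", 25, SYN),        # another session: noise
        c(SYN), s(SYN | ACK), c(ACK),                         # handshake
        s(PSH | ACK, b"220 mx.example ESMTP\r\n"),
        c(PSH | ACK, b"EHLO mail.example\r\n"),
        s(PSH | ACK, b"250 mx.example\r\n"),
        c(PSH | ACK, b"QUIT\r\n"),
        s(PSH | ACK, b"221 2.0.0 Bye\r\n"),
    ]
    if complete:
        frames += [c(FIN | ACK), s(FIN | ACK), c(ACK)]       # teardown
    return _pcap(frames)


if __name__ == "__main__":
    cap = sample_capture()
    for src, sport, dst, dport, _ in syn_packets(cap):
        print(f"SYN {src}:{sport} -> {dst}:{dport}")
    session = filter_session(cap, LOCAL_PORT, REMOTE)
    print("complete:", session_is_complete(session, LOCAL_PORT, REMOTE))
```

Run it as-is to see the two SYNs (the unrelated one is what step 5's filter exists to drop) and a `complete: True` verdict; to check a real file, read it with `open(path, "rb").read()` and pass the bytes to `syn_packets` and `filter_session`. The handshake is tracked as a strict state machine so a capture started mid-session, or one with a truncated teardown, fails the check rather than looking plausible.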