Stateful packet capture with tcpdump or snort
I'm working on a problem between two MTAs. I've got tcpdump logging
all port 25 packets between the two machines, but the problem only
happens once in a while and the vast bulk of the traffic is not of
Specifically, once in a while the MTAs get confused about the state of
the SMTP connection -- one issues HELO and the other says "No, you
can't say "DATA" at this point.
So, first what I'd like is to capture ALL packets in a given STMP
session (well ones with a payload -- flags AP in snort) ONLY when the
session is initiated by one of the MTAs.
Second, what would be really great, is if then only those sessions are
logged where the receiving MTA generates a 500 error in the payload.
Basically, I want to see just the SMTP transaction from start to
finish and see if there's anything odd (like why the receiving MTA
things the sending MTA sent "DATA").