[SATLUG] Monitoring IMAP traffic

Daniel Givens daniel at rugmonster.org
Wed Sep 8 21:50:28 CDT 2010


On Sep 8, 2010, at 4:43 PM, Aaron Hackney wrote:

> On Wed, Sep 8, 2010 at 4:04 PM, David Salisbury
> <david.salisbury at momentumweb.com> wrote:
>>  No, in this case it's not a log file, just the raw data being looked at
>> with tcpdump.  And I'm not looking for message content, just the IMAP
>> commands that are coming across along with their source IP.  I mean, I could
>> DUMP it into a file, and do some advanced grepping and such, but that's
>> where it gets a little hairy.  Just wondering if something like that existed
>> already so I wouldn't have to end up reinventing the wheel!
>> David
> 
> I'm not sure tcpdump has the layer 7 filtering you are wanting to do,
> but I'm sure I'll be corrected if I'm wrong. What about command line
> Wireshark with a capture filter? I believe you can peer into the
> payload and filter what you capture.

You could use tcpdump to create a capture file which you could later open with Wireshark.

tcpdump -n -w imap.cap -s 0 tcp port 143

This will, of course, get message data, but that's where ethics come in. Transfer imap.cap back to your local workstation and open it in Wireshark. You should see all of the requests and responses spelled out for you, plain as day.
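The capture produced above contains whole packets, not the list of commands and source addresses David asked for. The script below is an added example, not something posted in the thread or shipped with tcpdump or Wireshark: it reads a classic pcap such as imap.cap, reassembles the client-to-server side of each plaintext IMAP session, and reports only the tag, command name and source IP, skipping literal payloads (the message body an APPEND carries) by their declared length so that message content and command arguments such as LOGIN credentials are never inspected. It assumes Ethernet/IPv4/TCP framing on port 143; the capture it parses is constructed in memory (the build_* helpers, addresses and command lines are made up for the example) so it runs offline.

```python
"""List IMAP client commands (source IP, tag, command) from a pcap file without
touching message bodies.  Added example; assumes Ethernet/IPv4/TCP framing and
plaintext IMAP on port 143, as captured by `tcpdump -n -w imap.cap -s 0 tcp port 143`.
"""
import re
import struct
from collections import defaultdict

IMAP_PORT = 143
LITERAL_RE = re.compile(r"\{(\d+)\+?\}$")  # IMAP literal marker at end of a line


def build_pcap(frames):
    """Constructed test helper: wrap raw Ethernet frames in a little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1283990000 + i, 0, len(frame), len(frame)) + frame
    return out


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed test helper: minimal Ethernet + IPv4 + TCP frame (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def iter_tcp_payloads(pcap_bytes):
    """Yield (src_ip, sport, dport, payload) for every IPv4/TCP segment in the pcap."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24  # skip the global header
    while pos + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src_ip = ".".join(str(b) for b in frame[26:30])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield src_ip, sport, dport, tcp[data_off:]


def extract_commands(pcap_bytes):
    """Return [(src_ip, tag, COMMAND), ...] for client-to-server IMAP command lines.

    Server responses are ignored (they go to the client's port, not 143), command
    arguments are dropped, and literal payloads are skipped by length, so nothing
    from a message body or a LOGIN line is ever decoded or reported.
    """
    streams = defaultdict(bytes)
    for src_ip, sport, dport, payload in iter_tcp_payloads(pcap_bytes):
        if dport == IMAP_PORT:
            streams[(src_ip, sport)] += payload  # one stream per client connection
    commands = []
    for (src_ip, _), data in streams.items():
        pos, continuing = 0, False
        while True:
            end = data.find(b"\r\n", pos)
            if end == -1:
                break
            line = data[pos:end].decode("ascii", "replace")
            pos = end + 2
            if not continuing:  # a fresh command line: "tag SP command [args]"
                parts = line.split(" ", 2)
                if len(parts) >= 2 and parts[0]:
                    commands.append((src_ip, parts[0], parts[1].upper()))
            literal = LITERAL_RE.search(line)
            continuing = literal is not None
            if literal:
                pos += int(literal.group(1))  # jump over the literal's bytes unread
    return commands


def sample_capture():
    """Constructed sample session: one client logs in, selects, appends, fetches; a
    second client sends NOOP; one server reply is included to show it is ignored."""
    c1, c2, srv = "192.0.2.10", "192.0.2.11", "198.51.100.5"
    body = b"From: alice\r\n\r\nhi!\r\n"  # exactly 20 bytes, matching {20} below
    frames = [
        build_tcp_frame(srv, c1, 143, 51234, b"* OK IMAP4rev1 ready\r\n"),
        build_tcp_frame(c1, srv, 51234, 143, b"a001 CAPABILITY\r\n"),
        build_tcp_frame(c1, srv, 51234, 143, b"a002 LOGIN alice s3cret\r\n"),
        build_tcp_frame(c2, srv, 40000, 143, b"b001 NOOP\r\n"),
        build_tcp_frame(c1, srv, 51234, 143, b"a003 SELECT INBOX\r\n"),
        build_tcp_frame(c1, srv, 51234, 143, b"a004 APPEND Drafts {20}\r\n"),
        build_tcp_frame(c1, srv, 51234, 143, body + b"\r\n"),
        build_tcp_frame(c1, srv, 51234, 143, b"a005 FETCH 1 BODY[]\r\na006 LOGOUT\r\n"),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    # With a real capture: extract_commands(open("imap.cap", "rb").read())
    for src_ip, tag, command in extract_commands(sample_capture()):
        print(f"{src_ip:15} {tag} {command}")
```

The same function works on a real imap.cap written by the tcpdump command above; only the per-connection reassembly is simplified (segments are concatenated in capture order, with no handling of retransmissions or reordering), which is fine for a quick look but is where Wireshark's Follow TCP Stream earns its keep.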