Ethereal

RE: [Ethereal-users] smtp Display filter.
Google
 
Web Ethereal.com

Home | Introduction | Documentation | Lists | FAQ | Development | Wiki | Bugs

Main Index | Thread Index | Mailing Lists | | Date Prev | Date Next | Thread Prev | Thread Next

Ethereal-users: May 2004

 

|-----Original Message-----
|From: Bryan.Cromwell@xxxxxxxxxxxxx
|
|
|Good Day All,
|
|Can someone possibly help me. I am trying to come up with a 
|display filter, but have been unsuccessful.
|
|I am trying to filter on the Message section of a smtp packet.
|Here is what I see
|
|Frame
|Ethernet
|IP
|TCP
|SMTP ----\/
|      Message: Received: from machine.hostname.com
|
|I am trying to wrote a couple of different filters for 
|"Recieved: from" but it don't return the correct results.
|
|I have tried tcp[42:1]=52  trying to find the "R" that didn't work
|smtp contains "Recieved:" didn't work
|
|Any Idea's??

First, it is "Received" not "Recieved" :)
                 ^^             ^^

The "contains" operation is case insensitive. You can use the "matches"
operator for more complex pattern matches, including case sensitive matches.
The following may help:

	smtp matches "(?i)received[:] from machine.hostname.com"

The format of Perl-Compatible regular expressions as used in the "matches"
display filter operation, is described at http://www.pcre.org/.

You also may want to check whether TCP reassembly is enabled (go to Edit->
Preferences, open the "Protocols" tree, go to TCP). The same is true for the
SMPP dissector (go to SMPP and tick the reassembly option if it was not
ticked).

Regards,

Olivier

Powered by MHonArc 2.6.10

Please send support questions about Ethereal to the ethereal-users[AT]ethereal.com mailing list.
For corrections/additions/suggestions for this web page (and not Ethereal support questions), please send email to ethereal-web[AT]ethereal.com.
Last modified: Fri, November 10 2006.
"Ethereal" and the "e" logo are registered trademarks of Ethereal, Inc.