Ethereal-users: Re: [Ethereal-users] SMTP; filtering out message body; capture vs. read filters
Rhythmic One <rhythmic1@xxxxxxxxx> said:
> Thanks for your reply Guy. Here is a 'backtrace' as requested...
> unfortunately, there wasn't any README distributed with this particular
> version of ethereal so I hope what I've pasted below is helpful.
Unfortunately, the Tethereal binary appears to have had its symbols stripped,
so you can't get a useful stack trace.
> I'd love
> to know why tethereal is dumping core regularly.
Because it has a bug in it, probably.
> root@ns:/pkg > pkg_info -L ethereal-0.8.14.tgz
Wow, that's a *really* old version of Ethereal/Tethereal.
We've fixed a number of bugs since then; some of them might be the bug or bugs
causing your crash.
If you can get a later package, do so; otherwise, download the source and
compile it. (You don't have to be a developer to compile it; you just
download the source tarball, run "./configure", run "make", and run "make
install".)
> Program terminated with signal 6, Abort trap.
That was probably because Tethereal discovered some internal inconsistency or
other incorrect internal situation, and aborted.
> Also, I understand the buffer situation and why grep isn't outputting each
> line in real time to the file as I was hoping for. Upon thinking about this
> some more, it seems that sed might be a better tool for the job.
I suspect sed won't output each line to the file as it processes it either, as
it's probably using the same "standard I/O library" routines that Tethereal
and grep use.
> I did think about constructing a capture filter based on the tcpdump docs
> showing some examples for creating them, and it occurred to me I would
> at least have to calculate the number of header bytes for protocols IP, TCP,
> and SMTP. I imagine the location of the SMTP bytes would be the same for
> all SMTP packets (at least the headers),
No. Unfortunately, IP and TCP headers can be variable length, so there is no
guarantee that the TCP payload - i.e., the SMTP stuff, if the packet is an
SMTP packet - starts at the same offset in every packet.
> and I'm not even sure if the
> 'Message Body' stuff is in the header or not. It seemed really messy and
> then I still wasn't sure how to filter on a string (eg. 'Message Body').
There is no string "Message Body" in SMTP packets, unless some message header,
or the message body itself, happens to contain that string because somebody
put it there (for example, it's in the message body of this message, as well
as in the message you sent).
You also can't just filter on a string; the "pseudo-machine" that implements
libpcap capture filters (as used by tcpdump, Ethereal/Tethereal, etc.) only does
1-byte, 2-byte, or 4-byte comparisons *and* can't do loops. Constructing a
filter expression to do a string comparison would be extremely painful.
And, in addition, you really can't tell for certain whether an SMTP packet
contains commands or a message body without maintaining some state as you
process the packets, and capture filters can't maintain any state between
packets.
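
To make the two points in the reply above concrete (the TCP payload does not
sit at a fixed offset because IP and TCP headers can carry options, and a
capture filter can only compare up to 4 bytes at a time and keeps no state),
here is an added Python example. It is not code from the original thread, from
Ethereal/Tethereal, or from tcpdump. It constructs three SMTP segments: a bare
MAIL command, the same command behind four NOP options in each of the IP and TCP
headers, and a message-body line that happens to begin with the letters MAIL. A
check that hard-codes 20-byte headers misses the second segment, while a check
that reads IHL and the TCP data offset from the packet itself finds it, which is
what the documented libpcap idiom tcp[((tcp[12:1]&0xf0)>>2):4] does in a real
capture filter. The frame builder, the function names and the packet contents
are all constructed for this example; the filter string is only built here, not
run against an interface.

```python
import struct

ETH_LEN = 14  # Ethernet II header: dst MAC, src MAC, EtherType


def build_frame(payload, ip_options=b"", tcp_options=b"", dport=25):
    """Construct an Ethernet/IPv4/TCP frame around `payload`.

    Constructed test input for the offset arithmetic below: checksums are left
    zero and addresses are placeholders, so it is not a transmittable packet.
    Option blobs must be whole 32-bit words because IHL and the TCP data
    offset both count 32-bit words.
    """
    if len(ip_options) % 4 or len(tcp_options) % 4:
        raise ValueError("options must be padded to 32-bit words")
    ihl = 5 + len(ip_options) // 4          # IPv4 header length in 32-bit words
    doff = 5 + len(tcp_options) // 4        # TCP data offset in 32-bit words
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    ) + ip_options
    tcp_hdr = struct.pack(
        "!HHIIBBHHH", 40000, dport, 1, 1, doff << 4, 0x18, 65535, 0, 0,
    ) + tcp_options
    eth_hdr = b"\x00" * 12 + b"\x08\x00"    # EtherType 0x0800 = IPv4
    return eth_hdr + ip_hdr + tcp_hdr + payload


def tcp_payload_offset(frame):
    """Return the frame offset at which the TCP payload begins.

    Reads IHL from the IP header and the data offset from the TCP header,
    which is what keeps the result right when either header carries options.
    """
    ihl_bytes = (frame[ETH_LEN] & 0x0F) * 4
    tcp_start = ETH_LEN + ihl_bytes
    doff_bytes = (frame[tcp_start + 12] >> 4) * 4
    return tcp_start + doff_bytes


def payload_word_fixed_offset(frame, word):
    """The naive check: assume a 20-byte IP header and a 20-byte TCP header."""
    off = ETH_LEN + 20 + 20
    return frame[off:off + 4] == word


def payload_word(frame, word):
    """Offset-aware check: compare the first 4 payload bytes with `word`.

    This is a Python model of the capture filter built by pcap_word_filter();
    like BPF it is stateless and can only look at one 4-byte word.
    """
    if len(word) != 4:
        raise ValueError("BPF compares at most 4 bytes at a time")
    off = tcp_payload_offset(frame)
    return frame[off:off + 4] == word


def pcap_word_filter(word, port=25):
    """Build the tcpdump/libpcap capture filter that performs the same test.

    tcp[...] indexes are relative to the start of the TCP header (libpcap
    accounts for IHL on IPv4), and (tcp[12:1]&0xf0)>>2 is the TCP header
    length in bytes, so the 4-byte load lands on the first payload bytes.
    """
    if len(word) != 4:
        raise ValueError("BPF compares at most 4 bytes at a time")
    return "tcp port %d and tcp[((tcp[12:1]&0xf0)>>2):4] = 0x%s" % (port, word.hex())


# Constructed sample segments: a bare command, the same command behind IP and
# TCP NOP options (0x01), and a message-body line that starts with "MAIL".
PLAIN = build_frame(b"MAIL FROM:<a@example.com>\r\n")
WITH_OPTIONS = build_frame(b"MAIL FROM:<a@example.com>\r\n",
                           ip_options=b"\x01\x01\x01\x01",
                           tcp_options=b"\x01\x01\x01\x01")
BODY_LINE = build_frame(b"MAIL is the body of this message, not a command\r\n")

if __name__ == "__main__":
    for name, frame in (("plain", PLAIN), ("with options", WITH_OPTIONS),
                        ("body line", BODY_LINE)):
        print(name, "payload at", tcp_payload_offset(frame),
              "fixed:", payload_word_fixed_offset(frame, b"MAIL"),
              "offset-aware:", payload_word(frame, b"MAIL"))
    print(pcap_word_filter(b"MAIL"))
```

The payload starts at offset 54 in the plain frame and at 62 once the options
are present, so the fixed-offset check returns False for the second frame while
the offset-aware one returns True for both. The third frame shows the remaining
limitation the reply describes: the filter matches the body line exactly as it
matches the command, because a stateless 4-byte comparison has no way of
knowing whether the connection is currently inside a DATA section.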