Agryppa wrote:
> Well, my intention is to mimic what I achieved in smtp traffic:
> "smtp contains FROM or smtp contains RCPT"
"smtp contains FROM or smtp contains RCPT" is looking for those TCP
segments containing either the "MAIL FROM" or "RCPT TO" portions of an
SMTP transaction. I.e., it's looking for TCP segments that either
specify the sender of the message, or the recipient, on the machine
being connected to, of the message.
> This way I can see from what address to what address the mail is sent and I
> can use Follow TCP Stream to monitor the entire conversation.
> Can that be done for POP?
There really isn't a direct equivalent to that in POP. USER specifies
the account for which the mail is being retrieved, but that's not
necessarily the address to which the mail was sent - mail messages sent
to "ethereal-users@xxxxxxxxxxxx" end up in my mailbox, but looking for a
"USER" command with "ethereal-users@xxxxxxxxxxxx" in a capture of a POP
session with my ISP won't find that address in a USER command.
Furthermore, there's no POP command that would contain the address from
which the mail was sent. The RETR command would only contain the
message number of the message being retrieved; you'd need to see the
*reply* to a RETR command, which probably doesn't contain the string
"RETR" (or perhaps a reply to a TOP command).
You might instead want to try
pop contains "To:" or pop contains "From:" or pop contains "Cc:"
and look for the *bodies* of the messages in POP *replies*. (Of course,
there's no guarantee that the string in question isn't split across TCP
segment boundaries; the POP dissector doesn't do any reassembly of
message bodies.)
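As an added example (not code from the thread or from Ethereal), the following reassembles the server side of a POP session before searching RETR/TOP replies for From:/To:/Cc: headers, so a header split across TCP segments, which a per-segment "pop contains" filter misses, is still found; the session is constructed (addresses under example.invalid), and reading segments out of a real capture is assumed to be done by the caller.

```python
import re
# Constructed POP3 session as TCP segments ("c" client->server, "s" server->
# client; greeting omitted). "From:" is deliberately split across two server
# segments, the case the reply warns a per-segment filter will miss.
SEGMENTS = [
    ("c", b"USER alice\r\n"),
    ("s", b"+OK\r\n"),
    ("c", b"RETR 1\r\n"),
    ("s", b"+OK 120 octets\r\nFr"),
    ("s", b"om: bob@example.invalid\r\nTo: ethereal-users@example.invalid\r\n"),
    ("s", b"Cc: carol@example.invalid\r\nSubject: hi\r\n\r\nbody\r\n.\r\n"),
    ("c", b"QUIT\r\n"),
    ("s", b"+OK bye\r\n"),
]
MULTILINE = {b"RETR", b"TOP"}  # their +OK replies end with "\r\n.\r\n"
HEADER_RE = re.compile(rb"^(From|To|Cc):[ \t]*(.+?)\r?$", re.M | re.I)

def per_segment_matches(segments, needle):
    """Server segments containing needle: what a non-reassembling check sees."""
    return sum(1 for d, p in segments if d == "s" and needle in p)

def reassemble(segments, direction):
    """Join one direction's payloads in order, like Follow TCP Stream."""
    return b"".join(p for d, p in segments if d == direction)

def pair_commands(segments):
    """(command, reply) pairs, walking both streams in lockstep (no pipelining)."""
    server = reassemble(segments, "s")
    pairs = []
    for cmd in filter(None, reassemble(segments, "c").split(b"\r\n")):
        try:  # a reply is multi-line only for a successful RETR/TOP
            end = server.index(b"\r\n") + 2
            if cmd.split()[0].upper() in MULTILINE and server.startswith(b"+OK"):
                end = server.index(b"\r\n.\r\n", end) + 5
        except ValueError:
            break  # truncated capture: keep only complete replies
        pairs.append((cmd, server[:end]))
        server = server[end:]
    return pairs

def mail_addresses(segments):
    """(command, header, value) for From/To/Cc headers in RETR/TOP replies."""
    rows = []  # folded header continuation lines are not unfolded
    for cmd, reply in pair_commands(segments):
        if cmd.split()[0].upper() not in MULTILINE or not reply.startswith(b"+OK"):
            continue
        headers = reply.split(b"\r\n", 1)[1].split(b"\r\n\r\n", 1)[0]
        for m in HEADER_RE.finditer(headers):
            rows.append((cmd.decode(), m.group(1).decode().title(), m.group(2).decode()))
    return rows
```

Note that the USER command never yields an address; everything comes out of the RETR reply body, and per_segment_matches(SEGMENTS, b"From:") returns 0 while mail_addresses still recovers the From: header.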