You can split the filter into the two elements, command and parameter. That way you can see all "EHLO" command lines that do not use the parameter "Monitoring\x0d\x0a" by using the following filter:

smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a"

If you want the full TCP sessions of these packets, you can use something like this in a bash shell:

tshark -r in.pcap -w out.pcap -Y "tcp.stream in {$(tshark -r in.pcap -Y 'smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a" ' -T fields -e tcp.stream | xargs)}"

Drilled down:

  • tshark -r in.pcap -Y <filter> -T fields -e tcp.stream will print all the tcp.stream numbers of the packets that match the filter
  • the | xargs will create a list of these stream numbers, separated by spaces
  • and tshark -r in.pcap -w out.pcap -Y "tcp.stream in {$(<command>)}" takes the list of stream numbers and uses it as a filter to create a new file with the full TCP sessions
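A generalized version of the one-liner above, added here as an example and not part of the original answer: the same two-pass tshark technique wrapped in a script that takes any display filter, de-duplicates the stream numbers (the `-T fields` pass prints one line per matching packet, so a stream with several EHLO lines appears several times), and refuses to run the second pass when nothing matched (an empty `tcp.stream in {}` is a filter syntax error). `build_stream_filter` and `extract_streams` are names I chose; the script assumes `tshark` is on PATH.

```shell
#!/usr/bin/env bash
# Extract the full TCP sessions that contain at least one packet matching
# a display filter, using two tshark passes.
set -eu

# Read newline-separated tcp.stream numbers on stdin and print a
# 'tcp.stream in {...}' display filter. Returns 1 if no stream was given,
# so the caller never runs tshark with an empty (and therefore invalid) set.
build_stream_filter() {
    local ids
    # keep only numeric lines, de-duplicate, join with spaces
    ids=$( { grep -E '^[0-9]+$' || true; } | sort -n -u | tr '\n' ' ')
    ids=${ids% }
    [ -n "$ids" ] || return 1
    printf 'tcp.stream in {%s}\n' "$ids"
}

# extract_streams IN.pcap OUT.pcap 'DISPLAY FILTER'
# Pass 1: collect the stream numbers of matching packets.
# Pass 2: write every packet of those streams to OUT.pcap.
extract_streams() {
    local in="$1" out="$2" filter="$3" stream_filter
    if ! stream_filter=$(tshark -r "$in" -Y "$filter" -T fields -e tcp.stream | build_stream_filter); then
        echo "no packets in $in match: $filter" >&2
        return 1
    fi
    echo "using filter: $stream_filter" >&2
    tshark -r "$in" -w "$out" -Y "$stream_filter"
}

# Example from the answer: all sessions whose EHLO parameter is not "Monitoring".
# Only runs when the script is invoked with three arguments, e.g.
#   ./extract_streams.sh in.pcap out.pcap \
#       'smtp.req.command == "EHLO" and not smtp.req.parameter == "Monitoring\x0d\x0a"'
case $# in
    3) extract_streams "$1" "$2" "$3" ;;
esac
```

The single-quoted filter argument keeps `\x0d\x0a` intact for tshark to interpret, exactly as in the one-liner; the outer script only ever puts the filter text into double quotes when handing it to `-Y`.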