#
# http://Linux-Sec.net/Sniffer/Howto/sniff.email.txt
#
#
# 13-Jun-10 amo Date-of-Birth Sniffing emails
#
#
# use wireshark to view the sniffed email packets
# -----------------------------------------------
#
#
# tcpdump options
# ===============
# -n  : Don't resolve hostnames.
# -nn : Don't resolve hostnames or port names.
#
# -q  : Show less protocol information.
#
# -S  : Print absolute sequence numbers.
#
# -X  : Show the packet's contents in both hex and ASCII.
# -XX : Same as -X, but also shows the Ethernet header.
#
#
#
# tcpdump -vvv -s 0 -c 100 -w smtp.pcap port 25
#
#
# use wireshark to view the sniffed packets
#
# -----------------------------------------
# wireshark -r smtp.pcap
#
# click on the "from: email-you-wanted-sniffed@domain.com" line
#
#
#
# ---------------------------------------------------
#
# sniffed response email from *.3.98
#
# ---------------------------------------------------
# tcpdump -nnvvvS -s 0 -U -w smtp.pcap dst port 25
#
#
#
# did NOT capture any email content to or from *.3.98 (TCP and SMTP only)
# tcpdump -nnvvvS -s 0 -U -w smtp.pcap src port 25
#
#
#
#
#
# sniffed response email FROM *.3.98 -- note: use "src *.98" or "dst *.6"
#
# ----------------------------------
# tcpdump -nnvvvS -s 0 -U -w smtp.pcap src 207.228.3.98 and dst port 25
# tcpdump -nnvvvS -s 0 -U -w smtp.pcap dst 207.228.3.6 and dst port 25
#
#
#
#
# sniffed original incoming email TO *.3.98 -- note: use "dst *.98" or "src *.6"
#
# -----------------------------------------
# tcpdump -nnvvvS -s 0 -U -w smtp.pcap dst 207.228.3.98 and dst port 25
# tcpdump -nnvvvS -s 0 -U -w smtp.pcap src 207.228.3.6 and dst port 25
#
#
# End of file