snooping port 25 packets

snooping port 25 packets

[Doug Yeager]

i would like to use netfilter to snoop SMTP packets on my firewall.
has anybody done this?  is it possible?
i was leaning in the direction of trying to use the QUEUE target for 
user space processing.....but i'm not sure if that is the way to go.
once i send the packet to the QUEUE target, how do i put it back on the 
wire?
what i really want is a copy of each packet to port 25 sent to a user 
space program.

thx,
doug

Re: snooping port 25 packets

[Frank Gruellich]

* Doug Yeager <doug@mortonfarms.com>  4. Oct 04:
> what i really want is a copy of each packet to port 25 sent to a user 
> space program.

# tcpdump -ni $if -w funny_mails.dat -s 2048 port smtp

HTH,
 regards, Frank.
-- 
Sigmentation fault

Re: snooping port 25 packets

[Jason Opperisano]

On Mon, 2004-10-04 at 18:07, Doug Yeager wrote:
> i would like to use netfilter to snoop SMTP packets on my firewall.
> has anybody done this?  is it possible?
> i was leaning in the direction of trying to use the QUEUE target for 
> user space processing.....but i'm not sure if that is the way to go.

the QUEUE target is the way to go if you need to do custom processing to
make the accept/drop decision; or if you want to modify & reinsert the
packet into the stream.

> once i send the packet to the QUEUE target, how do i put it back on the 
> wire?
> what i really want is a copy of each packet to port 25 sent to a user 
> space program.

if you just need to capture packets, you can use any bpf reader to do it
(tcpdump, snort, ethereal).

not 100% sure what you looking to do, but snort inline
(http://snort-inline.sourceforge.net/) may be of some use to you as
well.

-j

-- 
Jason Opperisano <opie@817west.com>