[Snort-users] How can I view the packet payload if the packet is SMTP

Miller, Eoin Miller at ...6968...
Wed Dec 11 08:26:05 EST 2002


Actually it's quite possible using ettercap
(http://ettercap.sourceforge.net). There is a plugin that comes with this
program by default called H20_dwarf, and it logs all pop/smtp activity,
decoded, to a log file. It's pretty sweet, plus it lets you do it on a
switched network.

;)


-----Original Message-----
From: Frank Knobbe [mailto:fknobbe at ...652...] 
Sent: Wednesday, December 11, 2002 10:41 AM
To: Atul Shrivastava
Cc: snort-users at lists.sourceforge.net; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-users] How can I view the packet payload if the
packet is SMTP

On Wed, 2002-12-11 at 00:42, Atul Shrivastava wrote:
> I want to know how I can view the captured packet payload if the
> packet is SMTP. Actually I have made a rule for Content Inspection
> for SMTP for some specific word. The sensor is also getting alerts, but
> when I want to see the mail which it has captured, it shows a very
> hard to read mail. So I want a frontend which will act such that I can
> read the packet payload according to the application in
> which the packet is made by the source station, and I can also view the
> attachments if the viewing station has the required software to
> view that attachment. Can anyone help me in this regard?


This is a great idea. Why don't you write such a front end for us?
Please let us know when you release it.

Thanks,
Frank



PS: You weren't soliciting us to write one for you, were you?




