CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I need to confirm that our email is being encrypted between us and a business partner, so in my captures I need to be able to view the message body of the emails. Here are the commands I'm using:

fw monitor -e "accept (dst = mailsvr ip or src = mailsvr ip);" -o smtp.txt
fw monitor -e "accept (dport = 25);" -o smtp.txt

I'm seeing the session build and tear down but not the data. Any ideas?

Thanks,
John
Hello John,

You have to specify which portion of the packets is to be included in your output file. So, for instance:

fw monitor -x 40,400

which is the same as

fw monitor -l 400 -x 40

This expression means: the next 400 bytes after leaving out the first 40. I tried it with FTP without VPN or any encryption and you could read the payload of an ASCII document on the command line of the firewall. I hope this helps.

Kind regards,
Yasushi
Thanks, but I also need to filter on the IP. Are both of these able to work together? I just tried the following:

fw monitor -x 40,400 -e "accept (dst = 209.47.42.184);" -o smtp.txt

It didn't work as expected; it compiled, but I got the same results as before. Any ideas?

Thanks,
John
Needless to say, a "fw monitor -o all_traffic.cap" should capture everything to the point where you'd see the data communication; if it wasn't encrypted you'd be able to extract the file attachment from the stream. Is the traffic being NAT'd anywhere? Or accelerated in some way? Those are the only reasons I can think of as to why you're not seeing the complete stream.
__________________
It's all in the documentation.
Thanks. It's our SMTP server, so the public IP is being NAT'd to a private address. We have an E10 which during business hours hits approx. 70% utilization, so I don't want to capture all traffic. Should I add the private address into the fw monitor filter?

Thanks,
JT
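Added example (written for this page; it is not code from the thread or from Check Point) covering the three things the posts above circle around: where the TCP payload really starts in a packet as fw monitor sees it (the capture begins at the IP header, so the "-x 40" in Yasushi's reply assumes a 20-byte IP header and a 20-byte TCP header, and a segment carrying TCP timestamp options starts its payload at 52); a filter expression that names the mail server by both its public and its private address, so the capture matches the flow on both sides of the NAT that JT describes; and a walk over an SMTP exchange that reports whether STARTTLS was negotiated and followed by a TLS ClientHello, which is the evidence John actually needs (once the session is in TLS, the message body will not be readable in any capture). 209.47.42.184 is the address quoted in the thread; 10.1.1.25, 198.51.100.7, the host names and the session transcripts are constructed for the example.

```python
"""Added example, not from the CPUG thread or from Check Point.

Decodes raw IPv4/TCP packets the way fw monitor exposes them (the capture
starts at the IP header; there is no Ethernet header) and walks an SMTP
exchange to report whether it moved to TLS via STARTTLS or sent the message
in the clear. All packets are constructed inline; no capture file is read.
"""
import ipaddress
import struct


def tcp_payload_offset(pkt: bytes) -> int:
    """Offset of the TCP payload from the start of the IP header, the origin
    fw monitor -x counts from. "-x 40" only holds for a 20-byte IP header plus
    a 20-byte TCP header; TCP options push the payload further out."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    return ihl + (pkt[ihl + 12] >> 4) * 4


def build_segment(src, dst, sport, dport, payload, tcp_options=b"") -> bytes:
    """Constructed IPv4/TCP segment for the example (checksums left at zero)."""
    opts = tcp_options + b"\x00" * (-len(tcp_options) % 4)  # pad to 32-bit words
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (tcp_len // 4) << 4,
                      0x18, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload), 0,
                     0x4000, 64, 6, 0, ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + tcp + payload


def is_tls_record(data: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), version 0x0301-0x0304."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def classify_smtp_session(segments) -> str:
    """segments: (direction, raw_ip_packet) pairs in capture order, direction
    "c2s" or "s2c". Returns "encrypted", "starttls-refused", "cleartext",
    "cleartext-after-starttls" or "incomplete"."""
    requested = accepted = False
    for direction, pkt in segments:
        payload = pkt[tcp_payload_offset(pkt):]
        if not payload:
            continue  # pure ACK / handshake segment
        if accepted and direction == "c2s":
            # First client bytes after "220 Ready to start TLS" must be a ClientHello.
            return "encrypted" if is_tls_record(payload) else "cleartext-after-starttls"
        if direction == "c2s":
            if payload.upper().startswith(b"STARTTLS"):
                requested = True
            elif payload.upper().startswith(b"DATA"):
                return "cleartext"  # message body follows with no TLS in place
        elif requested:
            if not payload.startswith(b"220"):
                return "starttls-refused"  # e.g. "454 4.7.0 TLS not available"
            accepted = True
    return "incomplete"


def fw_monitor_filter(public_ip: str, private_ip: str, port: int = 25) -> str:
    """fw monitor -e expression naming the mail server on both sides of NAT.
    The translated address is what some inspection points show, so a filter
    on the public IP alone (as in the thread) misses part of the flow."""
    hosts = " or ".join(f"src={ip} or dst={ip}" for ip in (public_ip, private_ip))
    return f"accept ({hosts}) and (sport={port} or dport={port});"


# Constructed sample data: the public IP is the one quoted in the thread; the
# private and partner addresses and host names are made up for the example.
PUBLIC, PRIVATE, PARTNER = "209.47.42.184", "10.1.1.25", "198.51.100.7"
TS_OPT = b"\x01\x01\x08\x0a" + b"\x00" * 8  # NOP, NOP, Timestamps: 12 option bytes


def _c2s(payload, opts=b""):
    return ("c2s", build_segment(PARTNER, PUBLIC, 40000, 25, payload, opts))


def _s2c(payload, opts=b""):
    return ("s2c", build_segment(PUBLIC, PARTNER, 25, 40000, payload, opts))


TLS_SESSION = [
    _s2c(b"220 mail.example.net ESMTP\r\n"),
    _c2s(b"EHLO partner.example.com\r\n"),
    _s2c(b"250-mail.example.net\r\n250-STARTTLS\r\n250 8BITMIME\r\n"),
    _c2s(b"STARTTLS\r\n"),
    _s2c(b"220 2.0.0 Ready to start TLS\r\n"),
    _c2s(b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03", TS_OPT),  # ClientHello start
]

CLEAR_SESSION = [
    _s2c(b"220 mail.example.net ESMTP\r\n"),
    _c2s(b"EHLO partner.example.com\r\n"),
    _s2c(b"250-mail.example.net\r\n250 8BITMIME\r\n"),
    _c2s(b"MAIL FROM:<a@partner.example.com>\r\n"),
    _s2c(b"250 2.1.0 Ok\r\n"),
    _c2s(b"DATA\r\n"),
    _s2c(b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    _c2s(b"Subject: test\r\n\r\nbody in the clear\r\n.\r\n"),
]

if __name__ == "__main__":
    print(fw_monitor_filter(PUBLIC, PRIVATE))
    print("payload offset, no options:", tcp_payload_offset(TLS_SESSION[0][1]))
    print("payload offset, timestamps: ", tcp_payload_offset(TLS_SESSION[-1][1]))
    for name, session in (("starttls", TLS_SESSION), ("plain", CLEAR_SESSION)):
        print(name, "->", classify_smtp_session(session))
```

Run as-is to print the filter and the verdict for both constructed sessions. To apply it to a real capture, feed the raw IP packets of one connection, in order, as (direction, bytes) pairs; the classifier needs nothing beyond the bytes from the IP header on. A "cleartext" verdict means the capture will show the message body with the -x offset computed here; an "encrypted" verdict means the session reached a TLS ClientHello, which is the confirmation the thread is after, and nothing past that point will be readable.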