I’m quite sure that #tcpdump’s [!smtp] is not truncation because:

• -s (snaplen) is set to 0 which means 256 kB or larger
• I was seeing [!smtp] on lines less than 76 bytes long
• I was not seeing [!smtp] on other lines between 77 and 998 bytes long

It seems to me that #tcpdump’s SMTP dissector might not be as functional as hoped.

As in possibly nothing more than a stub for future code.

The print-smtp.c file seems to be a skeleton.

Compared to print-http.c which includes HTTP verbs.

The former has a NULL in the function call where the latter has an array of verbs.

So [!smtp] may be a red herring.

Does anyone know what the following at the end of a line of output from #tcpdump means?

[!smtp]

When sniffing SMTP traffic.

The man page on the system says that the following in the same position indicates snap length truncation.

[|smtp]

But the first (unknown) is an exclamation point while the second (snap length) is a pipe character.

I’m having trouble finding a description of what [!smtp] means.

🙁

📉 Oh, sweet mother of packet-sniffing, another "UDP Story" where the protagonist heroically descends into the #OSI #model like it's some kind of #networking Dante's Inferno. 🤯 Spoiler alert: it's just a lot of #soldering and TCPdumping—because what could be more thrilling than that? 🙄
https://www.mattkeeter.com/blog/2022-08-11-udp/ #UDP #Story #packet #sniffing #TCPdump #HackerNews #ngated
From Oscilloscope to Wireshark - A UDP Story

🤣 Oh, joy! Yet another groundbreaking revelation: people like *examples* in man pages. Who could have guessed? 🚀 Thank goodness someone finally added the most *basic* #examples to #tcpdump and #dig... because, you know, reading is hard. 📚🔍
https://jvns.ca/blog/2026/03/10/examples-for-the-tcpdump-and-dig-man-pages/ #manpages #programming #humor #HackerNews #ngated
Examples for the tcpdump and dig man pages

Julia Evans

I had some fun with #tcpdump today.

tcpdump -pnni eth0 "host 192.0.2.1 or (ip[44:1] & 255 == 192 and ip[45:1] & 255 == 0 and ip[46:1] & 255 == 2 and ip[47:1] & 255 = 1)"

I was doing mtr traces and wanted to watch for packets associated with the host (192.0.2.1).

ICMP (usually) includes enough of the original packet that I could match on the destination IP in the incoming time to live exceeded packet from various routers along the way.

ip[44:1] – ip[47:1] are the four bytes in the incoming TTL exceeded packet matching the original destination IP I was interested in.
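The offset arithmetic behind ip[44:1] to ip[47:1] in the post above, as an added example that is not part of the original post. It goes beyond the post by also handling IP options in the outer header, which shift the offset, and by deriving an ICMP-relative filter that does not depend on it; the router and prober addresses and all function names are constructed for illustration.

```python
import ipaddress
import struct

def ipv4_header(src, dst, proto, payload_len, options=b""):
    """Build a minimal IPv4 header (checksum left at 0; offsets are all we need)."""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                       0, 0, 1, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + options

def time_exceeded(router, prober, target, outer_options=b""):
    """Constructed ICMP type 11 reply quoting the probe's IP header + 8 bytes."""
    quoted = ipv4_header(prober, target, 17, 8) + b"\x00" * 8
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted
    return ipv4_header(router, prober, 1, len(icmp), outer_options) + icmp

def quoted_dst(packet):
    """Return (offset, address) of the quoted destination IP, or None if the
    packet is not an ICMP time-exceeded message."""
    outer_len = (packet[0] & 0x0F) * 4          # outer IHL in bytes
    if packet[9] != 1 or packet[outer_len] != 11:
        return None
    off = outer_len + 8 + 16   # ICMP header, then dst field of the quoted header
    return off, str(ipaddress.IPv4Address(packet[off:off + 4]))

def icmp_relative_filter(target):
    """Same match expressed relative to the ICMP header (8 + 16 = 24), so it
    holds whatever the outer header length is and only fires on type 11."""
    value = int(ipaddress.IPv4Address(target))
    return f"icmp[icmptype] == icmp-timxceed and icmp[24:4] == 0x{value:08x}"

if __name__ == "__main__":
    pkt = time_exceeded("198.51.100.1", "203.0.113.5", "192.0.2.1")
    print(quoted_dst(pkt))
    print(icmp_relative_filter("192.0.2.1"))
```

With a 20-byte outer header the quoted destination sits at 20 + 8 + 16 = 44, which is the offset used in the post; the byte tests in that filter do not check the protocol or ICMP type themselves.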

> 11:27:48.789315 ARP, Request who-has 192.168.205.166 tell 192.168.205.166, length 46

`tcpdump` is always fun.

#tcpdump

🚀📡 Why does #SSH send 100 packets per keystroke? Because it loves a good workout, obviously! 💪🔄 Meanwhile, our brave investigator dives deep into #tcpdump territory, only to discover that the real mystery is why anyone cares. 🙄🔍
https://eieio.games/blog/ssh-sends-100-packets-per-keystroke/ #networking #cybersecurity #investigation #techhumor #HackerNews #ngated
Why does SSH send 100 packets per keystroke? · eieio.games

I made my next game twice as fast by forking go's crypto library

eieio.games
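
China's NanoKVM contains a hidden microphone and eavesdropping software

NanoKVM is an IP-KVM class product, meaning it lets you operate a remote machine's keyboard and mouse over the network (some can also attach USB storage to boot from). Because this breaks through physical isolation, security problems in this kind of product are always serious. What drew attention this time is the discovery of a hidden microphone and eavesdropping software on the NanoKVM: "How I discovered a hidden microphone on a Chinese NanoKVM (via)". The photo the author took marks the location of the microphone...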

Gea-Suan Lin's BLOG