On Wed, Jun 15, 2011 at 10:38:44AM -0400, Wietse Venema wrote:

> Command:
>     # tcpdump -s 0 -w /file/name host server-ip-address and port 25
> 
> After some time, "kill -INT" the tcpdump process.
> 
> Look in the logfile for a session that breaks, and find that session
> in the tcpdump recording.
> 
>     # tcpdump -nr /file/name | less
> 
> Note the client tcp port, then extract that session:
> 
>     # tcpdump -nr /file/name -w file/name2 port xxx

The second tcpdump may also need the "-s 0" option to retain the
full TCP payload.

-- 
        Viktor.
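
A check for the truncation concern raised above, as an added example that is not part of the original thread: it reads a classic pcap file, the format `tcpdump -w` writes, and reports packets whose stored length is shorter than their length on the wire. The function names and the sample capture are constructed for illustration.

```python
import struct
import sys

MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # classic pcap: microsecond / nanosecond timestamps


def truncation_report(data: bytes) -> dict:
    """Return the file's snaplen, packet count and indexes of truncated packets."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):  # the magic number tells us the writer's byte order
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    offset, count, truncated = 24, 0, []
    while offset + 16 <= len(data):
        # Per-packet header: ts_sec, ts_frac, bytes stored, bytes on the wire.
        _, _, stored, on_wire = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if stored < on_wire:
            truncated.append(count)
        offset += 16 + stored
        count += 1
    return {"snaplen": snaplen, "packets": count, "truncated": truncated}


def build_sample(snaplen: int, wire_lengths: list) -> bytes:
    """Constructed capture: zero-filled packets cut at snaplen, as a short -s would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n, on_wire in enumerate(wire_lengths):
        stored = min(on_wire, snaplen)
        out += struct.pack("<IIII", n, 0, stored, on_wire) + bytes(stored)
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            capture = fh.read()
    else:
        capture = build_sample(68, [60, 200, 1500])  # constructed sample
    print(truncation_report(capture))
```

Run it against both the original recording and the extracted session file; an empty `truncated` list means every packet kept its full payload.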
