On Wed, Jun 15, 2011 at 10:38:44AM -0400, Wietse Venema wrote:

> Command:
> # tcpdump -s 0 -w /file/name host server-ip-address and port 25
>
> After some time, "kill -INT" the tcpdump process.
>
> Look in the logfile for a session that breaks, and find that session
> in the tcpdump recording.
>
> # tcpdump -nr /file/name | less
>
> Note the client tcp port, then extract that session:
>
> # tcpdump -nr /file/name -w file/name2 port xxx

The second tcpdump may also need the "-s 0" option to retain the full
TCP payload.

--
Viktor.