On 15.11.2007 23:08, Martin R. Ehmsen wrote:
On 14/11/2007, at 14.21, Jason Fesler wrote:
Any hint on how to use tcpdump to only grab the interesting parts?
tcpdump port 143
or whatever.
My knowledge of tcpdump is very limited and I only seem to be able to get a lot of noise out of it.
Look at ngrep - it lets you use both tcpdump expressions, *and* further filter by regular expression. And, it shows ascii output instead of all the hex crap - makes it a lot easier to follow ascii based protocols.
Either way, you'll want to disable SSL on the client, so that you can see the traffic properly. :-)
I installed dovecot 1.0.7 on my leopard laptop, disabled SSL and started it on the loopback device. Then I connected to it from Mail.app using IMAP and the IDLE option in Mail.app, while running:
tcpdump -A -s 0 -i lo0 'tcp port imap and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' > dump.txt
Here is what initially came out of the dump:
<cut a lot of stuff>
14:46:52.589999 IP localhost.50770 > localhost.imap: P 394:404(10) ack 1237 win 65535
E..>..@.@............R...V?2(k.......2..... ...5...57.2 IDLE 14:46:52.590346 IP localhost.imap > localhost.50770: P 1237:1247(10) ack 404 win 65535
E..> .@.@..............R(k...V?<.....2..... ...5...5+ idling 14:46:57.448879 IP localhost.imap > localhost.50777: P 355780982:355781003(21) ack 2104750877 win 65535
E..I..@.@..............Y.4.v}s.......=..... ...f...f* OK Dovecot ready. 14:46:57.459450 IP localhost.50777 > localhost.imap: P 1:17(16) ack 21 win 65535
E..D..@.@............Y..}s...4.......8..... ...f...f1.6 CAPABILITY 14:46:57.459654 IP localhost.imap > localhost.50777: P 21:187(166) ack 17 win 65535
E.....@.@..............Y.4..}s.-........... ...f...f* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS AUTH=PLAIN 1.6 OK Capability completed. <and a lot of more stuff and finally it came to a halt>
14:46:57.542907 IP localhost.imap > localhost.50772: P 449:525(76) ack 209 win 65535
E...w.@.@..............T.E....o`.....t..... ...g...g* STATUS "Deleted Messages" (UIDNEXT 3 UNSEEN 0) 7.3 OK Status completed. 14:48:52.590857 IP localhost.imap > localhost.50770: P 1247:1264(17) ack 404 win 65535
E..EI.@.@..............R(k...V?<.....9..... .......5* OK Still here 14:50:52.590661 IP localhost.imap > localhost.50770: P 1264:1281(17) ack 404 win 65535
E..E..@.@..............R(k...V?<.....9..... ........* OK Still here 14:52:52.590964 IP localhost.imap > localhost.50770: P 1281:1298(17) ack 404 win 65535
E..E..@.@..............R(k...V?<.....9..... ........* OK Still here The above shows the only time IDLE is every used (except when Mail.app asks for the capabilities of the server). Somewhere after 14:46:57, but before 14:48:52, I copied (since I have no SMTP server running on my laptop) a new mail into the new directory of the maildir I subscribed to. But as you can see from the above, somehow dovecot failed to notice the new mail. I don't use (d/i)notify or kqueue, but I did set dovecot up to check every 30 sec, which it obviously didn't. Btw. the mail arrives fine if I manually check for new mail in Mail.app.
I can provide the full dump above if anybody thinks it is going to be useful? Martin
Mail client usually should open few connection to mail server if you have many dirs.