[herrold@oldnews herrold]$ host bo.epohi.com [ A ]
bo.epohi.com is an alias for mail.epohi.com.
mail.epohi.com has address 198.30.168.13
[herrold@oldnews herrold]$ mkdir bo.epohi.com-trace [ B ]
[herrold@oldnews herrold]$ cd bo.epohi.com-trace [ C ]
[herrold@oldnews bo.epohi.com-trace]$ sudo tcpflow host bo.epohi.com [ D ]
Password:
tcpflow[2233]: listening on eth0 [ E ] ^C
tcpflow[2233]: terminating
[herrold@oldnews bo.epohi.com-trace]$
Listing 1 -- the monitoring console
[herrold@oldnews herrold]$ telnet bo.epohi.com 110 [ F ]
Trying 198.30.168.13...
Connected to bo.epohi.com.
Escape character is '^]'.
+OK POP3 bo.epohi.com v2001.78rh server ready
user herrold [ G ]
+OK User name accepted, password please
pass clear-text-password-removed [ H ]
+OK Mailbox open, 0 messages
list [ I ]
+OK Mailbox scan listing follows
.
quit [ J ]
+OK Sayonara
Connection closed by foreign host.
[herrold@oldnews herrold]$
Listing 2 -- the conversation from the client side
[herrold@oldnews herrold]$ cd bo.epohi.com-trace [ K ]
[herrold@oldnews bo.epohi.com-trace]$ ls [ L ]
010.001.002.099.32844-198.030.168.013.00110
198.030.168.013.00110-010.001.002.099.32844
[herrold@oldnews bo.epohi.com-trace]$ cat 010.001.002.099.32844-198.030.168.013.00110 [ M ]
user herrold
help
pass clear-text-password-removed
list
quit
[herrold@oldnews bo.epohi.com-trace]$
Listing 3 -- the conversation from the client side, as logged by tcpflow
[herrold@oldnews bo.epohi.com-trace]$ cat 198.030.168.013.00110-010.001.002.099.32844 [ N ]
+OK POP3 bo.epohi.com v2001.78rh server ready
+OK User name accepted, password please
+OK Mailbox open, 0 messages
+OK Mailbox scan listing follows
.
+OK Sayonara
[herrold@oldnews bo.epohi.com-trace]$
Listing 4 -- the conversation from the server side, as logged by tcpflow
Reference | Discussion
----------+-----------------------------------------------------------------
A         | Look up the IP of the remote host, so we can determine the log
          | file to examine later in the process.
B         | Make a debugging directory, bearing the name of the host under
          | test, to avoid leaving clutter in the home directory.
C         | Move into that directory.
D         | Using sudo and tcpflow, start the logging process.
E         | Once we have authenticated to sudo, tcpflow emits a status
          | message noting that it is listening on a particular interface,
          | and goes to work. We end the process with a ctrl-C.
F         | In a second console, we simulate the dialog which the POP
          | protocol uses to communicate. Absent some efficiency or
          | cryptographic need, almost all IETF RFC protocols use plain old
          | lower-128-character seven-bit ASCII. This makes it possible to
          | readily see what is happening. Here, the remote server responds
          | with the +OK greeting.
G         | Having opened a connection on port 110, we greet the remote
          | server by offering a user value.
H         | The remote server responds with +OK, here indicating that a
          | valid user name was (or may have been) offered, and that it is
          | awaiting a password. We offer a correct password -- changed in
          | our example from the real one used.
I         | The remote server responds with +OK, here indicating that a
          | valid user authentication has occurred, and that it is awaiting
          | a command. We ask it to enumerate any mail presently held by it,
          | with the list command.
J         | Seeing that the server has shown it has no mail, we end the
          | session with the quit command. The server says goodbye and the
          | connection is broken.
K         | We can view the transaction by moving into the logging directory
          | we set up in step "B".
L         | Then we ls the directory. It shows transcripts of the two halves
          | of the conversation: one from port "32844" on the local
          | workstation "010.001.002.099" toward port "110" on the remote
          | server "198.030.168.013", and the return conversation from port
          | "110" on the remote server back to port "32844" on the local
          | workstation.
M         | ... and cat the file starting "010.001.002.099" (which is the
          | 'upstream' interface on the workstation the test was conducted
          | from), toward the remote POP server on the POP port, 110.
N         | And of course the reciprocal server-side responses are shown
          | when we cat the file starting "198.030.168.013".
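The procedure above shows, by hand, that a POP3 login crosses the wire as readable text. The following is an added example (not part of the original page) that automates the defender's version of steps L through M: it decodes the tcpflow file-name convention seen in Listing 3 (zero-padded source address.port, dash, destination address.port) and scans a client-to-server flow for a PASS command, reporting that a cleartext password was transmitted without ever copying the secret into the report. The flow content is the constructed sample taken from Listing 3, where the password is already redacted; no live capture is performed.

```python
import re
from typing import Dict, List, Tuple

# tcpflow names each one-directional flow "sss.sss.sss.sss.ppppp-ddd.ddd.ddd.ddd.ppppp"
# (zero-padded source addr.port, dash, destination addr.port), as in Listings 3 and 4.
FLOW_NAME = re.compile(
    r"^(\d{3}\.\d{3}\.\d{3}\.\d{3})\.(\d{5})-(\d{3}\.\d{3}\.\d{3}\.\d{3})\.(\d{5})$"
)


def _unpad(ip: str) -> str:
    """Turn a zero-padded dotted quad (010.001.002.099) into 10.1.2.99."""
    return ".".join(str(int(octet)) for octet in ip.split("."))


def parse_flow_name(name: str) -> Tuple[str, int, str, int]:
    """Return (src_ip, src_port, dst_ip, dst_port) decoded from a tcpflow file name."""
    m = FLOW_NAME.match(name)
    if not m:
        raise ValueError(f"not a tcpflow file name: {name}")
    return _unpad(m.group(1)), int(m.group(2)), _unpad(m.group(3)), int(m.group(4))


def audit_pop3_client_flow(name: str, data: str) -> Dict[str, object]:
    """Flag cleartext POP3 authentication in a client->server flow.

    Reports the endpoints, the command sequence, the user name offered, and
    whether a PASS command crossed the wire unencrypted. The password value
    itself is deliberately never stored in the result.
    """
    src_ip, src_port, dst_ip, dst_port = parse_flow_name(name)
    commands: List[str] = []
    findings: Dict[str, object] = {
        "client": f"{src_ip}:{src_port}", "server": f"{dst_ip}:{dst_port}",
        "commands": commands, "user": None, "cleartext_password": False,
    }
    if dst_port != 110:
        return findings  # not the POP3 port; nothing to audit in this flow
    for line in data.splitlines():
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        cmd = parts[0].upper()
        commands.append(cmd)
        if cmd == "USER" and len(parts) > 1:
            findings["user"] = parts[1]
        elif cmd == "PASS":
            findings["cleartext_password"] = True  # note presence only, never the value
    return findings


# Constructed sample mirroring Listing 3 (file name and redacted content from the page).
SAMPLE_NAME = "010.001.002.099.32844-198.030.168.013.00110"
SAMPLE_FLOW = "user herrold\nhelp\npass clear-text-password-removed\nlist\nquit\n"

if __name__ == "__main__":
    print(audit_pop3_client_flow(SAMPLE_NAME, SAMPLE_FLOW))
```

Run against a real tcpflow output directory, the same check over every file whose destination port is 110 tells you which accounts authenticated in the clear on the monitored segment, which is the case for moving those clients to POP3 over TLS or APOP.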