On 15.11.2007 23:08, Martin R. Ehmsen wrote:

On 14/11/2007, at 14.21, Jason Fesler wrote:

Any hint on how to use tcpdump to only grab the interesting parts?

tcpdump port 143

or whatever.

My knowledge of tcpdump is very limited and I only seem to be able to get a lot of noise out of it.

Look at ngrep - it lets you use both tcpdump expressions, *and* further filter by regular expression. And, it shows ascii output instead of all the hex crap - makes it a lot easier to follow ascii based protocols.

Either way, you'll want to disable SSL on the client, so that you can see the traffic properly. :-)

I installed dovecot 1.0.7 on my leopard laptop, disabled SSL and started it on the loopback device. Then I connected to it from Mail.app using IMAP and the IDLE option in Mail.app, while running:

tcpdump -A -s 0 -i lo0 'tcp port imap and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' > dump.txt

Here is what initially came out of the dump:

<cut a lot of stuff>

14:46:52.589999 IP localhost.50770 > localhost.imap: P 394:404(10) ack 1237 win 65535 <nop,nop,timestamp 497198901 497198901>
E..>[EMAIL PROTECTED]@............R...V?2(k.......2.....
...5...57.2 IDLE

14:46:52.590346 IP localhost.imap > localhost.50770: P 1237:1247(10) ack 404 win 65535 <nop,nop,timestamp 497198901 497198901>
E..>    [EMAIL PROTECTED]@..............R(k...V?<.....2.....
...5...5+ idling

14:46:57.448879 IP localhost.imap > localhost.50777: P 355780982:355781003(21) ack 2104750877 win 65535 <nop,nop,timestamp 497198950 497198950>
[EMAIL PROTECTED]@..............Y.4.v}s.......=.....
...f...f* OK Dovecot ready.

14:46:57.459450 IP localhost.50777 > localhost.imap: P 1:17(16) ack 21 win 65535 <nop,nop,timestamp 497198950 497198950>
[EMAIL PROTECTED]@............Y..}s...4.......8.....
...f...f1.6 CAPABILITY

14:46:57.459654 IP localhost.imap > localhost.50777: P 21:187(166) ack 17 win 65535 <nop,nop,timestamp 497198950 497198950>
[EMAIL PROTECTED]@..............Y.4..}s.-...........
...f...f* CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS AUTH=PLAIN
1.6 OK Capability completed.

<and a lot of more stuff and finally it came to a halt>

14:46:57.542907 IP localhost.imap > localhost.50772: P 449:525(76) ack 209 win 65535 <nop,nop,timestamp 497198951 497198951>
[EMAIL PROTECTED]@..............T.E....o`.....t.....
...g...g* STATUS "Deleted Messages" (UIDNEXT 3 UNSEEN 0)
7.3 OK Status completed.

14:48:52.590857 IP localhost.imap > localhost.50770: P 1247:1264(17) ack 404 win 65535 <nop,nop,timestamp 497200094 497198901>
[EMAIL PROTECTED]@..............R(k...V?<.....9.....
.......5* OK Still here

14:50:52.590661 IP localhost.imap > localhost.50770: P 1264:1281(17) ack 404 win 65535 <nop,nop,timestamp 497201286 497200094>
[EMAIL PROTECTED]@..............R(k...V?<.....9.....
........* OK Still here

14:52:52.590964 IP localhost.imap > localhost.50770: P 1281:1298(17) ack 404 win 65535 <nop,nop,timestamp 497202478 497201286>
[EMAIL PROTECTED]@..............R(k...V?<.....9.....
........* OK Still here


The above shows the only time IDLE is ever used (except when Mail.app asks for the capabilities of the server). Somewhere after 14:46:57, but before 14:48:52, I copied (since I have no SMTP server running on my laptop) a new mail into the new directory of the maildir I subscribed to. But as you can see from the above, somehow dovecot failed to notice the new mail. I don't use (d/i)notify or kqueue, but I did set dovecot up to check every 30 sec, which it obviously didn't.
Btw. the mail arrives fine if I manually check for new mail in Mail.app.

I can provide the full dump above if anybody thinks it is going to be useful?
Martin

A mail client usually should open a few connections to the mail server if you have many dirs.
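The capture filter in the quoted message keeps only IMAP segments that carry data: it subtracts the IP and TCP header lengths from the IP total length and drops anything where the result is zero. The same arithmetic as an added Python example (not part of the original thread); the packets are constructed here, with ports, options and payloads modelled on the dump, and the function names are hypothetical.

```python
import struct

IMAP_PORT = 143  # the port "imap" resolves to in the filter
# nop,nop,timestamp option as in the dump: 12 bytes, so the TCP header is 32 bytes
TS_OPT = b"\x01\x01\x08\x0a" + struct.pack("!II", 497198901, 497198901)

def build_packet(payload, sport, dport, tcp_options=TS_OPT):
    """Constructed IPv4+TCP packet; checksums stay 0 because the filter ignores them."""
    tcp_hdr_len = 20 + len(tcp_options)          # options must be a multiple of 4 bytes
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      (tcp_hdr_len // 4) << 4, 0x18, 65535, 0, 0) + tcp_options
    total_len = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    return ip + tcp + payload

def tcp_payload_len(pkt):
    """ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2), term by term."""
    total_len = struct.unpack("!H", pkt[2:4])[0]      # ip[2:2]: IP total length
    ip_hdr_len = (pkt[0] & 0x0F) << 2                 # IHL counts 32-bit words
    tcp_hdr_len = (pkt[ip_hdr_len + 12] & 0xF0) >> 2  # data offset is the high nibble
    return total_len - ip_hdr_len - tcp_hdr_len

def filter_matches(pkt):
    """True when the capture filter would keep this packet."""
    if pkt[9] != 6:                                   # IP protocol field: not TCP
        return False
    ip_hdr_len = (pkt[0] & 0x0F) << 2
    sport, dport = struct.unpack("!HH", pkt[ip_hdr_len:ip_hdr_len + 4])
    return IMAP_PORT in (sport, dport) and tcp_payload_len(pkt) != 0

# Constructed samples modelled on the dump
IDLE_CMD = build_packet(b"7.2 IDLE\r\n", 50770, IMAP_PORT)
STILL_HERE = build_packet(b"* OK Still here\r\n", IMAP_PORT, 50770)
BARE_ACK = build_packet(b"", 50770, IMAP_PORT)        # acknowledgement, no data
OTHER_PORT = build_packet(b"hello\r\n", 50770, 8080)  # data, but not IMAP

if __name__ == "__main__":
    for name, pkt in [("IDLE", IDLE_CMD), ("Still here", STILL_HERE),
                      ("bare ACK", BARE_ACK), ("port 8080", OTHER_PORT)]:
        print(f"{name:10} payload={tcp_payload_len(pkt):2} kept={filter_matches(pkt)}")
```

The payload lengths 10 and 17 agree with the `(10)` and `(17)` that tcpdump printed for the IDLE and "Still here" segments in the dump.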
