I'm troubleshooting an SMTP issue involving character-set encoding and it's extremely difficult to involve the end user. I have a packet capture of an incoming SMTP session that results in problematic behavior, but if I try to copy/paste the MIME source from Wireshark, the issue doesn't occur.

I'm reasonably certain that the difference in my testing is that I'm copying the strings in the packet capture from the Wireshark "follow tcp stream" output and that's not necessarily the bit-for-bit accurate copy of the data as it arrived on the wire.

So my question is this: how can I get an EXACT copy of the bit-for-bit SMTP data and send it again for reproduction purposes? Is there a way to "replay" a transmission?

Mike B

1 Answer

I hate to turn this into a discussion about tools, rather than about the technology involved, but you may want to look into the use of tcpreplay, which takes .pcap files and replays them even at the same speed that they originally came in.

Wesley
  • ...that moment when you find out that there's a tool literally named exactly after the functionality you're seeking. :-( I promise I really did Google before posting! – Mike B Jun 01 '16 at 06:22
  • @MikeB That moment when I realize I fail at linking things in markdown. – Wesley Jun 01 '16 at 06:23
  • tcpreplay(1) manual in section "Bugs": "In most cases, you can not replay traffic back to/at a server.". There are multiple problems like port number the server gets from accept(2), randomised TCP sequence numbers etc. – kupson Jun 01 '16 at 06:31
  • So... sounds like this won't necessarily help then. Is there an alternative? – Mike B Jun 01 '16 at 22:05
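
An added example, not part of the original thread: one alternative to packet-level replay is to pull the client-to-server TCP payload bytes out of the capture unchanged and resend them over a fresh connection, so the new TCP handshake supplies its own ports and sequence numbers. It assumes a classic-format Ethernet/IPv4 pcap already filtered to the single SMTP connection; `client_segments` and `replay` are hypothetical helper names, and the target is assumed to be a test mail server you control.

```python
import socket
import struct

def client_segments(pcap, server_port=25):
    """Client-to-server TCP payloads from a classic pcap, ordered by sequence number."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap; convert pcapng first")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    segments, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 + TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + ip_total]  # drops Ethernet padding
        if len(tcp) < 20:
            continue  # truncated or offloaded frame
        dport, seq = struct.unpack("!HI", tcp[2:8])
        data = tcp[(tcp[12] >> 4) * 4:]
        if dport == server_port and data:
            segments.setdefault(seq, data)  # keep first copy, ignore retransmits
    return [segments[s] for s in sorted(segments)]  # assumes no seq wraparound

def replay(segments, host, port=25, timeout=2.0):
    """Send each captured chunk unchanged, reading any server reply before it."""
    def read(sock):
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""  # server silent, e.g. in the middle of the DATA body
    with socket.create_connection((host, port), timeout=timeout) as sock:
        replies = []
        for chunk in segments:
            replies.append(read(sock))  # banner first, then reply to prior chunk
            sock.sendall(chunk)
        replies.append(read(sock))
    return replies
```

Only a cleartext session can be resent this way; after STARTTLS the captured payload is ciphertext bound to the original TLS session.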