To capture SMTP traffic without pulling in *most of the message data:
port 25 and (tcp[12] & 0xf0>0x50 or tcp[13] & 0x07 != 0 or tcp[20:4] =
0x48454C4F or tcp[20:4] = 0x4D41494C or tcp[20:4] = 0x52435054 or tcp[20:4]
= 0x44415441 or tcp[20:4] = 0x52534554 or tcp[20:4] = 0x53454E44 or
tcp[20:4] = 0x534F4D4C or tcp[20:4] = 0x53414D4C or tcp[20:4] = 0x56524659
or tcp[20:4] = 0x4558504E or tcp[20:4] = 0x4E4F4F50 or tcp[20:4] =
0x51554954 or tcp[20:4] = 0x5455524E or tcp[20:4] = 0x32323120 or
tcp[20:4] = 0x32323420 or tcp[20:4] = 0x32353020 or tcp[20:4] = 0x32353120
or tcp[20:4] = 0x33353420 or tcp[20:4] = 0x34323120 or tcp[20:4] =
0x34353020 or tcp[20:4] = 0x34353120 or tcp[20:4] = 0x34353220 or tcp[20:4]
= 0x35303020 or tcp[20:4] = 0x35303120 or tcp[20:4] = 0x35303220 or
tcp[20:4] = 0x35303320 or tcp[20:4] = 0x35303420 or tcp[20:4] = 0x35353020
or tcp[20:4] = 0x35353120 or tcp[20:4] = 0x35353220 or tcp[20:4] =
0x35353320 or tcp[20:4] = 0x35353420)
*This filter captures SMTP commands and response codes, connection
initiation and teardown as well as TCP segments with options.
It is a generally suitable filter for use where the sender/recipient's
privacy (message body) should be respected and to minimize the amount of
data captured.
Hope this helps,
Mike
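
Added example, not part of the original post: a Python model of the filter's three clauses, run over constructed TCP segments to show which SMTP lines the token list matches and that a segment carrying TCP options is kept whole, body included. The names `tokens`, `segment`, `captured` and `TS` are hypothetical, and all sample payloads are constructed.

```python
import re
import struct

# Filter text copied from the post above.
FILTER = """port 25 and (tcp[12] & 0xf0>0x50 or tcp[13] & 0x07 != 0 or tcp[20:4] =
0x48454C4F or tcp[20:4] = 0x4D41494C or tcp[20:4] = 0x52435054 or tcp[20:4]
= 0x44415441 or tcp[20:4] = 0x52534554 or tcp[20:4] = 0x53454E44 or
tcp[20:4] = 0x534F4D4C or tcp[20:4] = 0x53414D4C or tcp[20:4] = 0x56524659
or tcp[20:4] = 0x4558504E or tcp[20:4] = 0x4E4F4F50 or tcp[20:4] =
0x51554954 or tcp[20:4] = 0x5455524E or tcp[20:4] = 0x32323120 or
tcp[20:4] = 0x32323420 or tcp[20:4] = 0x32353020 or tcp[20:4] = 0x32353120
or tcp[20:4] = 0x33353420 or tcp[20:4] = 0x34323120 or tcp[20:4] =
0x34353020 or tcp[20:4] = 0x34353120 or tcp[20:4] = 0x34353220 or tcp[20:4]
= 0x35303020 or tcp[20:4] = 0x35303120 or tcp[20:4] = 0x35303220 or
tcp[20:4] = 0x35303320 or tcp[20:4] = 0x35303420 or tcp[20:4] = 0x35353020
or tcp[20:4] = 0x35353120 or tcp[20:4] = 0x35353220 or tcp[20:4] =
0x35353320 or tcp[20:4] = 0x35353420)"""

def tokens(expr=FILTER):
    """Decode each 'tcp[20:4] = 0x...' constant into the 4 ASCII bytes it matches."""
    pat = r"tcp\s*\[20:4\]\s*=\s*0x([0-9A-Fa-f]{8})"
    return {bytes.fromhex(h) for h in re.findall(pat, expr)}

def segment(payload, flags=0x18, options=b"", dport=25):
    """Build a constructed TCP segment; options are NOP-padded to a 4-byte boundary."""
    options += b"\x01" * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, offset << 4, flags, 65535, 0, 0)
    return hdr + options + payload

def captured(tcp):
    """Return the name of the first filter clause that keeps this segment, else None."""
    if 25 not in struct.unpack("!HH", tcp[:4]):
        return None                      # 'port 25' (source or destination)
    if tcp[12] & 0xF0 > 0x50:
        return "options"                 # data offset > 5 words: header has options
    if tcp[13] & 0x07:
        return "flags"                   # FIN, SYN or RST set
    return "token" if tcp[20:24] in tokens() else None

TS = b"\x08\x0a" + bytes(8)  # constructed TCP timestamps option (kind 8, length 10)

if __name__ == "__main__":
    body = b"Dear Bob, the figures are attached.\r\n"  # constructed body line
    for label, seg in [("MAIL FROM", segment(b"MAIL FROM:<a@example.test>\r\n")),
                       ("EHLO", segment(b"EHLO client.example.test\r\n")),
                       ("body, no options", segment(body)),
                       ("body, timestamps", segment(body, options=TS))]:
        print(f"{label:18} -> {captured(seg)}")
```

The token comparison is an exact 4-byte match at offset 20, so lower-case commands and lines such as `EHLO` or `250-` fall outside the list, while a connection that negotiates TCP timestamps carries options on its data segments and is kept by the first clause.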