From: John Fox
To: freebsd-isp@freebsd.org
Date: Tue, 13 Apr 2004 11:03:23 -0700
Subject: tcpdump for sniffing POP3 -- methods ?
Message-ID: <20040413180323.GA13554@mind.net>
List-Id: Internet Services Providers

We've got a Windows machine running IMail and authenticating POP3 from an NT Primary Domain Controller. Our plan is to move these users over to our UNIX system, but we don't have a record of their passwords.

This means we need to either

1) Grab them out of the files on the PDC. (I think this is not possible.)
2) Obtain them by sniffing the POP3 traffic being sent to the Imail server.

I think #2 is the only possibility, and I haven't made much use of tcpdump, so while I do know how to run it and specify a host to listen to, I've no idea how to isolate the clear-text stuff (containing the usernames and passwords) from all the other traffic.

Any suggestions would be greatly appreciated.

With thanks and regards,

-John

--
+---------------------------------------------------------------------------+
| John Fox | System Administrator | InfoStructure                           |
+---------------------------------------------------------------------------+
| I used to trust the media to tell me the truth, tell us the truth         |
| But now I've seen the payoffs everywhere I look                           |
| Who can you trust when everyone's a crook?                                |
| -- Queensryche, "Revolution Calling"                                      |
+---------------------------------------------------------------------------+