Use tcpdump. You can use ethereal afterwards to examine the captured packets.

The command you want is:

Code:
tcpdump -i <interfacename> -w capture.log -s <packetsize> port 25 or port 110

I don't know how your network is set up, but you probably want to use your internal interface for the capture. The "-s" option allows you to specify how much of the packet you want to see. By default (that is, if you leave off the -s option altogether), it captures just enough to see the first few bytes of payload data. If you want it to capture the whole packet, make it bigger than your MTU size. (I usually just pick a large, arbitrary number, like 50000.) Port 25 is SMTP and port 110 is POP3. Chances are that your ISP isn't concerned with the POP stuff, as mail is not sent out that way, though it may be a vector for your users getting infected. I'd just leave off the "or port 110" part of the command unless you can't find anything in only the SMTP traffic.

After you're done capturing (just press Ctrl-C), ethereal should be able to open the "capture.log" capture file. I'm pretty sure it understands tcpdump logs out of the box.


Edited by wfaulk (23/02/2006 17:35)
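Once the capture file exists, the first question is usually which internal host is opening all the SMTP connections. The following parser is an added example, not part of wfaulk's post: it reads a "tcpdump -w" capture (classic pcap format) straight from Python, assumes Ethernet II framing and IPv4, and counts TCP SYNs to port 25 per source address; the sample capture at the bottom is constructed inline for demonstration.

```python
# Added example: count TCP SYNs to port 25 per source address in a tcpdump -w
# capture. Assumes classic pcap, Ethernet II framing and IPv4 (no VLAN tags).
import struct
from collections import Counter

def pcap_packets(data):
    """Yield raw frames from a pcap byte string (tcpdump -w output)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # native order
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def smtp_syns(data, port=25):
    """Count SYN-only TCP segments to `port`, keyed by source IPv4 address."""
    counts = Counter()
    for pkt in pcap_packets(data):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # not Ethernet/IPv4
            continue
        ihl = (pkt[14] & 0x0F) * 4                       # IPv4 header length
        if pkt[23] != 6 or len(pkt) < 14 + ihl + 14:     # not TCP or truncated
            continue
        src = ".".join(str(b) for b in pkt[26:30])
        tcp = pkt[14 + ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        if dport == port and tcp[13] & 0x12 == 0x02:     # SYN set, ACK clear
            counts[src] += 1
    return counts

def _frame(src, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), b"\xc0\xa8\x01\x01")
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp

def sample_capture():
    """Constructed capture: one host opens three SMTP sessions, another one."""
    frames = [_frame("192.168.1.10", 25, 0x02)] * 3 + [
        _frame("192.168.1.20", 25, 0x02), _frame("192.168.1.20", 25, 0x10),
        _frame("192.168.1.30", 110, 0x02)]                      # POP3, ignored
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Feed `smtp_syns(open("capture.log", "rb").read()).most_common()` the real file and the top entry is the host to look at first; a capture taken with a small -s value still works, since only the headers are needed here.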