How to Install and Use tcpflow
tcpflow is a program that captures data transmitted on a TCP/IP network and stores or displays it. If you run it, you will have something specific to complain about when you ring the experts. In addition, I have found that sometimes just running tcpflow will clear up the problem I am experiencing.
Download the Mac OS X version of tcpflow (freeware) here. Another application you might want to try is EavesDrop.
Learn more about using tcpflow here. Also see Marc Liyanage's short version on using tcpflow.
My really short version on using tcpflow:
When you install, you will not find a tcpflow window, nor an icon on your dock. tcpflow is designed to work in the background.
To run the test for email, quit all other applications that might be connecting to the internet, such as your browser or FTP client.
Copy and paste this command into the Terminal or use this script:
sudo /usr/local/bin/tcpflow -i en0 -c
Now try to send the email and watch the traffic in the Terminal window. You should see what is failing.
See example of traffic below
Once you have installed tcpflow, you can activate it from the terminal. You will need the administrator password. Just copy one of the lines below into the terminal. Be careful with extra spaces at the end. The Terminal Window will show the traffic so you can monitor the problem.
For Ethernet port enter: sudo /usr/local/bin/tcpflow -i en0 -c
For PPP port enter: sudo /usr/local/bin/tcpflow -i ppp0 -c
If you are still using OS 10.1:
For Ethernet port enter: sudo tcpflow -c -i en0
For PPP port enter: sudo tcpflow -c -i ppp0
There are interesting options you can use to get a better "signal to noise" ratio from these commands (people usually get completely lost in the amount of data they get from them).
You can restrict the "sniffing" to a specific server or a specific protocol.
E.g., to get traffic for your mail.mac.com server through your Ethernet connection, use:
sudo tcpflow -c -i en0 host mail.mac.com
Similarly, this command will get all data going through POP over the Ethernet connection:
sudo tcpflow -c -i en0 tcp port 110
You can also redirect the result to a file:
sudo tcpflow -c -i en0 host mail.mac.com > ~/Desktop/tcpflow-result.txt
Example of traffic between Entourage and ISP
In this example, my account in Entourage was showing 54 messages but was stuck trying to download. The log from tcpflow indicated it was the first message. RETR 1 shows it was retrying to download message 1. I used my webmail to view and delete the oldest message then Entourage was able to download all messages on the server.
Last login: Fri Feb 2 16:56:27 on ttyp1
sudo /usr/local/bin/tcpflow -i en0 -c
Welcome to Darwin!
diane-ross-power-mac-g4:~ diane$ sudo /usr/local/bin/tcpflow -i en0 -c
/usr/local/bin/tcpflow[1979]: listening on en0
206.018.177.080.00110-192.168.001.103.59370: +OK (alnrpxc16) Maillennium POP3/PROXY server #47
192.168.001.103.59370-206.018.177.080.00110: USER diane
206.018.177.080.00110-192.168.001.103.59370: +OK
192.168.001.103.59370-206.018.177.080.00110: PASS xxxxxx
206.018.177.080.00110-192.168.001.103.59370: +OK ready
192.168.001.103.59370-206.018.177.080.00110: UIDL
206.018.177.080.00110-192.168.001.103.59370: +OK 54 messages (90334)
1 20070201030722a220048qhve000did
2 20070201092622a21006k3a7e000die
3 20070201095456r2400bv239e000dif
4 20070201111053r11005f68me000dig
edited for brevity
54 20070203002041r2400euc5re000dk2
192.168.001.103.59370-206.018.177.080.00110: LIST
206.018.177.080.00110-192.168.001.103.59370: +OK 54 messages (90334)
1 1437
2 2082
3 1510
4 2204
edited for brevity
54 2621
192.168.001.103.59370-206.018.177.080.00110: RETR 1
The following explains in more detail what you see in a tcpflow report:
192.168.001.104.49513-206.018.177.080.00110: RETR 455
192.168.001.104.49513-206.018.177.080.00110: RETR 455
The lines above begin with a combination of IP addresses and port numbers; at the end they list the operation, RETR = Msg retrieval ...
192.168.001.104 = Your IP (Entourage Client Machine), 49513 = The port being used by Entourage to talk to your POP Server
206.018.177.080 = The POP Server you are connecting to using your Entourage, 00110 = Port for POP protocol
RETR = retry
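The transcript above shows the USER and PASS exchange travelling in the clear, so a saved tcpflow-result.txt carries the mailbox password unless it is cleaned before being passed on. The following Python script is an added example, not part of the original page or of tcpflow: it parses the prefixed lines described above, masks the argument of PASS and APOP, and lists client commands sent more than once to port 110. The function names and the sample capture (addresses and password included) are constructed for illustration.

```python
import re
from collections import Counter

# Prefix tcpflow -c writes before each chunk: "srcip.srcport-dstip.dstport: ",
# octets zero-padded to 3 digits and ports to 5, as in the transcript above.
FLOW_RE = re.compile(
    r"^((?:\d{3}\.){3}\d{3})\.(\d{5})-((?:\d{3}\.){3}\d{3})\.(\d{5}): ?(.*)$")
SECRET_CMDS = {"PASS", "APOP"}  # POP3 commands whose argument is a credential

def parse(line):
    """Return (src, sport, dst, dport, payload), or None for unprefixed lines."""
    m = FLOW_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    unpad = lambda ip: ".".join(str(int(octet)) for octet in ip.split("."))
    src, sport, dst, dport, payload = m.groups()
    return unpad(src), int(sport), unpad(dst), int(dport), payload

def redact(line):
    """Mask the argument of credential-bearing commands; keep everything else."""
    line = line.rstrip("\r\n")
    m = FLOW_RE.match(line)
    if m:
        words = m.group(5).split(None, 1)
        if len(words) == 2 and words[0].upper() in SECRET_CMDS:
            return line[:m.start(5)] + words[0] + " [REDACTED]"
    return line

def repeated_commands(lines, server_port=110):
    """Client commands sent more than once to server_port, e.g. a stuck RETR."""
    counts = Counter()
    for line in lines:
        rec = parse(redact(line))
        if rec and rec[3] == server_port and rec[4].strip():
            counts[rec[4].strip()] += 1
    return {cmd: n for cmd, n in counts.items() if n > 1}

# Constructed sample capture: the addresses and password are made up.
SAMPLE = """\
192.168.001.103.59370-203.000.113.080.00110: USER diane
192.168.001.103.59370-203.000.113.080.00110: PASS example-password
203.000.113.080.00110-192.168.001.103.59370: +OK ready
192.168.001.103.59370-203.000.113.080.00110: LIST
203.000.113.080.00110-192.168.001.103.59370: +OK 1 message (1437)
1 1437
192.168.001.103.59370-203.000.113.080.00110: RETR 1
192.168.001.103.59370-203.000.113.080.00110: RETR 1
""".splitlines()
print("\n".join(map(redact, SAMPLE)), repeated_commands(SAMPLE), sep="\n")
```

Unprefixed continuation lines, such as the message listing after LIST, pass through unchanged.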