On 29 May 2003, brad wrote:

> I have an ISP that does not have a record of their user's passwords and
> we are converting them over to our system in a month.  I need to run a
> script that will capture all pop3 passwords over the next month so I can
> have a good record to enter into our system.  I started out using
> tcpdump port 110 -w <file> and then use strings on the file.  I can see
> all the USER lines and the PASS lines, but I don't know how to rework
> the file to get USER/PASS in a readable and matched form.  I also need
> to keep the file from storin all the other lines it captures so that my
> file doesn't grow so large.  Any ideas?

Tcpdump isn't quite suited to a task like this.  You might try using
dsniff, ngrep, or any of the password-specific tools listed at

    http://neworder.box.sk/codebox.links.php?&key=sniff

You could also run John the Ripper on the shadow file directly (assuming
they have a shadow file, of course):

    http://www.openwall.com/john/