On Thu, 29 May 2003, Gerald Combs wrote:

> Tcpdump isn't quite suited to a task like this.  You might try using
> dsniff, ngrep, or any of the password-specific tools listed at
> 
>     http://neworder.box.sk/codebox.links.php?&key=sniff
> 
> You could also run John the Ripper on the shadow file directly (assuming
> they have a shadow file, of course):
> 
>     http://www.openwall.com/john/

SHEEESH!  How could I forget?  You could also do

    tethereal port 110 | egrep 'USER|PASS'