Soussan DAS Computer Consultants

Our Team
Cool Stuff
KeyholeKeyboardLaptop ComputerComputer Chip

The Power of a Network Sniff

In this case, the client called after many months of their copier, which can also scan to a PDF file and email the document, never scanning and emailing right. They didn't try to use it often because it hadn't worked since day #1. It actually wasn't the primary reason for the call, but kind of a "While you are at it, can you look at this?"

And my goal in writing this isn't to show you where the problem is with your copier / scanner, because there are thousands of reasons you might have the exact same problem.

My goal is to show you just how powerful a network sniff can be. To maybe inspire you to download and install one of the free tools, take a look at some network data, and maybe fix yourself something instead of living in frustration that things aren't working right or blaming the copier company. 

Click Here for Press Release

This is the real network sniff! Raw and unedited!

Normally, I sanitize any client information out of any article. But in this case, the client gave me permission to show everything as the sniffer saw it, so you will get to see exactly what I saw, and hopefully the problem will jump out at you just as quickly as it did with me.


"When I scan to email, it never comes through. The log just shows an error transmitting. When I go into the configuration and test email, it says it connects fine. HELP!"

Diagnostic procedure:

Start Wireshark on your email server (2nd choice, what they used because the copier was located a couple hundred miles away) or on a hub connected to the copier's network port (first choice, because I don't know if the copier can even talk to the email server). Start up a capture with a capture filter to just look at data to / from this particular copier. This was done to limit the amount of data I would have to look through. Then scan a 1 page item to an email, when done stop the capture and send it to me.


Here it is - all screen shots are thumbnails of the full size image - click to get the full image:

Looks like colorful gobbledegook, right? Fear not ... I'll walk you through this capture.

There are 32 packets in the whole capture. See the label SMTP in the protocol column, starting on packet 4? I'm going to right click that packet and say "Follow TCP Stream":

This is the opening conversation between a mail server and a client computer / device that wants to send some mail, which in this case is the copier. The lines in read are from the copier to the mail server and blue are coming from the mail server back to the copier.

So upon connection, the first line is the server saying hello to the copier, the second line is the copier saying hello back. This is not meant to be a whole tutorial on SMTP - in fact, the exact opposite - you really don't need to know anything about SMTP to see what is wrong.

The next blue lines that all start with 250 are the mail server telling the copier what features it has. General information, not important you understand that.

The line in red starting with "MAIL FROM:" is the copier giving the mail server the address that is sending this email message.

And the last line, "501 5.7.1 Invalid Address" is the mail server telling the copier that it doesn't like the email address the copier said it was sending from.

That address is "AuroraSLFCopier@aurora" and that address has a space in it.

Spaces are not allowed in email addresses!

This was literally 5 seconds from data sniff in hand to diagnosing the root problem!

So there you have it - you know what is going on (the copier is sending an illegal email address as its FROM: address) and you can dig through the configuration settings in the copier to find and change it to an address that is legal. Once that was done, everything worked perfectly.