#!/usr/bin/awk -f
# add tcp follow-transaction to tcpdump
# tcpdump -t -nn -l -i eth0 -s 0 -x tcp port 25 |
# OFFSET is 52 for IPv4 + Timestamp Option + TCP 
BEGIN {
  if (! TARGET) { TARGET = "10.0.2.26.25"; }
  if (! REGEXP) { REGEXP = "552 5.0.0 Headers too large"; }
  if (! DELIM ) { DELIM  = "##### TRANSACTION #####"; }
  if (! OFFSET) { OFFSET = 52; }
  FLAGS = "[S";
}

function unhex(hex,    c) {
  c = strtonum("0x" hex);
  return ( c == 0x0a || (c >= 0x20 && c < 0x7f) ) ? sprintf("%c", c) : " ";
}

function process(hold,    i, n) {
  if ( substr(FLAGS, 2, 1) == "S" ) { return; }
  if ( substr(FLAGS, 2, 1) == "R" ) { return; }
  if ( substr(FLAGS, 2, 1) == "F" ) {
    if ( ! (KEY in pkts) ) { return; }
    if ( match( pkts[KEY], REGEXP ) ) {
      printf("%s\n%s\n", DELIM, pkts[KEY]);
    }
    delete pkts[KEY];
    return;
  }
  gsub(/[a-f0-9][a-f0-9]/, "& ", hold);
  n = split(hold, fields);
  for (i=OFFSET+1; i <= n; i++) {
    pkts[KEY] = pkts[KEY] unhex(fields[i]);
  }
}

/^IP/ {
  process(hold); hold = "";
  gsub(/:/, "", $0);
  src = $2 ; dst = $4; FLAGS = $6;
  KEY = (src == TARGET) ? dst : src;
}
$1 ~ /0x/ {
  $1 = "";
  hold = hold " " $0;
}