Wireshark mailing list archives

Re: Capturing Email Traffic


From: Giles Coochey <giles () coochey net>
Date: Wed, 29 Aug 2012 16:36:39 +0100

On 29/08/2012 08:20, RUOFF, LARS (LARS) wrote:
Hi Mike,

No, if someone would be using a different port for email, then Wireshark will not decode it as SMTP or POP in the first 
place. (Because the dissection for these protocols is based on a port preference. Meaning that Wireshark will only 
decode the packets as POP/SMTP if the traffic goes over the well known port numbers for these protocols)
What you would need is some sort of heuristics that can identify POP/SMTP from the packet data itself, but I don't think 
Wireshark has that built in for the moment.
Otherwise, if your email is unencrypted, you might just as well want to filter on common plain-text email headers 
within the data portion of any TCP traffic.

regards,
Lars

As Lars says - (POP or SMTP) will just identify traffic on ports 25 and 110; in order to go further you need protocol inspection of all traffic. Running Snort over an RSPAN port of your internet VLAN might be able to perform this kind of inspection for you... you would probably have to write your own Snort rule for this.
http://www.snort.org

I would like to monitor the email traffic in and out of our network to make sure that no one is using the incorrect 
ports.  I need this information as I would like to set up a firewall rule that would only allow traffic to and from one 
specific server.  I think I have found the answer to this question but so far no information has been captured yet.
When I start the capture and in the display filter I am using "pop or smtp" as the expression which should tell me when 
there is that type of traffic.  Is this the correct way of doing this or is there a better way?
thanks for the help.
Mike
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request () wireshark org?subject=unsubscribe


--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles () coochey net


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
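
The payload-based identification discussed in this thread (recognising POP/SMTP from the packet data rather than from the port), as an added Python example that is not code from the thread, Wireshark or Snort. The regex signatures, function names and sample segments are assumptions constructed for illustration; the segment tuples stand in for TCP payloads exported from a capture.

```python
import re

# Ports the thread names as the ones the "pop or smtp" filter effectively covers.
WELL_KNOWN_MAIL_PORTS = {25, 110}

# Heuristic signatures matched against the first line of a TCP payload.
# The patterns are assumptions of this example, chosen to avoid FTP overlap
# (FTP also greets with 220 and uses USER/PASS).
SIGNATURES = [
    ("smtp", re.compile(rb"^220[ -]\S+ .*E?SMTP", re.I)),       # server banner
    ("smtp", re.compile(rb"^(EHLO|HELO) \S+", re.I)),           # client hello
    ("smtp", re.compile(rb"^(MAIL FROM|RCPT TO):\s*<", re.I)),  # envelope
    ("pop3", re.compile(rb"^(\+OK|-ERR)(\s|$)")),               # server status
    ("pop3", re.compile(rb"^APOP \S+ [0-9a-f]{32}$", re.I)),    # client auth
]

def classify_payload(payload):
    """Return 'smtp', 'pop3' or None for one TCP segment payload."""
    first_line = payload.split(b"\r\n", 1)[0][:512]
    for proto, pattern in SIGNATURES:
        if pattern.search(first_line):
            return proto
    return None

def find_offport_mail(segments, allowed_ports=WELL_KNOWN_MAIL_PORTS):
    """Report flows carrying mail protocols on ports outside allowed_ports."""
    hits = {}
    for src, sport, dst, dport, payload in segments:
        proto = classify_payload(payload)
        if proto is None or sport in allowed_ports or dport in allowed_ports:
            continue
        # Normalise direction so both halves of a conversation share one key.
        key = tuple(sorted([(src, sport), (dst, dport)]))
        hits.setdefault(key, set()).add(proto)
    return {k: sorted(v) for k, v in hits.items()}

# Constructed sample segments (documentation addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", 49152, "198.51.100.5", 2525, b"EHLO client.example\r\n"),
    ("198.51.100.5", 2525, "192.0.2.10", 49152, b"220 mx.example ESMTP ready\r\n"),
    ("192.0.2.11", 49153, "198.51.100.6", 25, b"EHLO ok.example\r\n"),
    ("198.51.100.7", 8110, "192.0.2.12", 49154, b"+OK POP3 server ready\r\n"),
    ("198.51.100.8", 21, "192.0.2.13", 49155, b"220 FTP server ready\r\n"),
    ("192.0.2.14", 49156, "198.51.100.9", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for flow, protos in find_offport_mail(SAMPLE).items():
        print(flow, protos)
```

Matches are candidates for review rather than proof: the patterns are heuristics, and other text protocols can produce similar first lines.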
