Wireshark mailing list archives
Re: Capturing Email Traffic
From: Giles Coochey <giles () coochey net>
Date: Wed, 29 Aug 2012 16:36:39 +0100
On 29/08/2012 08:20, RUOFF, LARS (LARS) wrote:
> Hi Mike,
>
> No, if someone would be using a different port for email, then Wireshark will not decode it as SMTP or POP in the first place. (Because the dissection for these protocols is based on a port preference. Meaning that Wireshark will only decode the packets as POP/SMTP if the traffic goes over the well known port numbers for these protocols.) What you would need is some sort of heuristics that can identify POP/SMTP from the packet data itself, but I don't think Wireshark has that built in for the moment. Otherwise, if your email is unencrypted, you might just as well want to filter on common plain-text email headers within the data portion of any TCP traffic.
>
> regards,
> Lars
>
>> I would like to monitor the email traffic in and out of our network to make sure that no one is using the incorrect ports. I need this information as I would like to set up a firewall rule that would only allow traffic to and from one specific server. I think I have found the answer to this question but so far no information has been captured yet. When I start the capture and in the display filter I am using "pop or smtp" as the expression which should tell me when there is that type of traffic. Is this the correct way of doing this or is there a better way?
>>
>> Thanks for the help.
>> Mike
>>
>> ___________________________________________________________________________
>> Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
>> Archives: http://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>> mailto:wireshark-users-request () wireshark org?subject=unsubscribe

As Lars says - (POP or SMTP) will just identify traffic on ports 25 and 110, in order to do further you need protocol inspection of all traffic. Running snort over an RSPAN port of your internet VLAN might be able to perform this kind of inspection for you... you would probably have to write your own snort rule for this.

http://www.snort.org
--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles () coochey net
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Capturing Email Traffic Mike Dodson (Aug 28)
- Re: Capturing Email Traffic RUOFF, LARS (LARS) (Aug 29)
- Re: Capturing Email Traffic Giles Coochey (Aug 29)
- Re: Capturing Email Traffic RUOFF, LARS (LARS) (Aug 29)
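The point both replies make, shown as an added example that is not from the thread or from the Wireshark/Snort projects: a port-only filter such as "pop or smtp" sees only what runs on 25/110, so it misses mail on another port and mislabels non-mail on those ports, whereas matching on the plain-text protocol exchange finds mail wherever it runs. The flows below are constructed stand-ins for TCP payloads pulled from a capture; in Wireshark itself the same content match is roughly `tcp contains "EHLO " || tcp contains "MAIL FROM:" || tcp contains "+OK"`.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample flows: (destination port, first bytes of the TCP payload).
SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    (25,   b"220 mail.example.test ESMTP ready\r\n"),             # SMTP on 25
    (2525, b"EHLO laptop.example.test\r\nMAIL FROM:<a@example.test>\r\n"),  # SMTP elsewhere
    (110,  b"+OK POP3 server ready\r\n"),                          # POP3 on 110
    (8110, b"USER bob\r\nPASS hunter2\r\nRETR 1\r\n"),            # POP3 elsewhere
    (443,  b"\x16\x03\x01\x02\x00\x01\x00"),                       # TLS, not mail
    (25,   b"GET / HTTP/1.1\r\nHost: example.test\r\n"),           # HTTP on 25
]

# Plain-text verbs/banners that identify the protocol regardless of port.
SMTP_MARKERS = re.compile(rb"^(220 [^\r\n]*ESMTP|EHLO |HELO |MAIL FROM:|RCPT TO:|DATA\r\n)", re.M)
POP3_MARKERS = re.compile(rb"^(\+OK[^\r\n]*POP3|USER |PASS |RETR |STAT\r\n|LIST\r\n)", re.M)

# Ports the thread calls the well-known ones; extend with any port your
# policy allows (e.g. a submission port) before treating a hit as a violation.
STANDARD_PORTS = {"SMTP": {25}, "POP3": {110}}


def classify_payload(payload: bytes) -> Optional[str]:
    """Content-based classification, the heuristic Lars says Wireshark lacks."""
    if SMTP_MARKERS.search(payload):
        return "SMTP"
    if POP3_MARKERS.search(payload):
        return "POP3"
    return None


def port_filter_matches(flows) -> List[int]:
    """Indices a 'pop or smtp' style filter would report: port number only."""
    return [i for i, (port, _) in enumerate(flows) if port in (25, 110)]


def find_mail_on_wrong_ports(flows) -> List[Tuple[str, int]]:
    """Mail protocols seen on ports outside STANDARD_PORTS: what Mike wants."""
    findings = []
    for port, payload in flows:
        proto = classify_payload(payload)
        if proto and port not in STANDARD_PORTS[proto]:
            findings.append((proto, port))
    return findings


if __name__ == "__main__":
    print("port-only filter hits:", port_filter_matches(SAMPLE_FLOWS))
    print("mail on non-standard ports:", find_mail_on_wrong_ports(SAMPLE_FLOWS))
```

On the sample flows the port-only filter reports the HTTP session on port 25 and misses both mail sessions on 2525 and 8110, which the content match reports.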