Wireshark · Wireshark-dev: Re: [Wireshark-dev] SMTP: Extracting parametrs

Wireshark-dev: Re: [Wireshark-dev] SMTP: Extracting parametrs

From: "Abhik Sarkar" <sarkar.abhik@xxxxxxxxx>

Date: Thu, 12 Jun 2008 11:12:35 +0400

Dear Goitom,

My understanding is that SMTP (http://www.ietf.org/rfc/rfc2821.txt) is
only the envelope and the fields you are looking for are in IMF
(http://www.ietf.org/rfc/rfc2822.txt). Also see,
http://wiki.wireshark.org/IMF.

So, in general, if I am looking for these fields in particular, I
would expect to find them in the message and not on the envelope :-)

If I am mistaken, I am sure someone will correct me.

Regards,
Abhik.

On Thu, Jun 12, 2008 at 11:04 AM, goitom kahsay <goitom.mit2@xxxxxxxxx> wrote:
> Dear Abhik,
>
> Thank you very much for your help.
>
> But, do  you  think   IMF  packet always exist  in  all  smtp
> conversations?   Because i need to extract these parameters from all SMTP
> email communications.
>
>
> Thank you in advance.
>
> with best regards,
>
>
> On Wed, Jun 11, 2008 at 11:19 PM, Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
> wrote:
>>
>> Hi Goitom,
>>
>> I am not sure if you still have two requirements as you had earlier
>> (one for extraction of the from, to, subject and date fields and one
>> for display of these in a separate diaglog), but as I have suggested
>> before, I think you are better off using the IMF dissector instead of
>> the SMTP dissector. The IMF dissector supports extraction of all these
>> fields already.
>>
>> So, if you want to setup the tap, I think you are better off tapping
>> IMF. I think the best place would be in the "while(!last_field)" loop
>> in the dissect_imf function of epan/packet-imf.c. Just compare the
>> value of "key" against "from", "to", "subject" and "date" (after the
>> part the key has been converted to lower case) and you are on  your
>> way!
>>
>> If you want to display the records in a dialog, you will probably want
>> to base the dialog off the expert infos dialog (Analyze > Expert
>> Info). You can have columns for Frame number, From, To, Subject and
>> Date. Or, as I have suggested before, you can use the custom columns
>> feature (see the attached screenshot with a sample file from the WS
>> wiki).
>>
>> Unless you have some very specific requirements, I think the above
>> should work for you. I honestly hope this is of some help.
>>
>> Good luck!
>> Abhik
>> PS: While researching this, I came across a bug
>> (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2595) in the SMTP
>> dissector, so be sure to have your coloring rules turned on.
>>
>> On Tue, Jun 10, 2008 at 9:54 PM, goitom kahsay <goitom.mit2@xxxxxxxxx>
>> wrote:
>> > Dear Steve,
>> >
>> >  Thank you very much for you help.
>> > Yes, I  created gtk/export_object_smtp.c ,gtk/export_object2.c,
>> > export_object2.h and  packet-smtp.h similar to gtk/export_object_http.c
>> > ,gtk/export_object.c,export_object.h and packet-http.h.  and it
>> > dissplays
>> > some thing unreadable characters.
>> >
>> > But i doubt about retrieving the parameters from the
>> > packet-smtp.c(dissect_smtp_data) fuction which is used to display the
>> > data
>> > line by line to the protocol tree. Do u think it is  possible to
>> > retrieve
>> > these value from that function using tap mechanism?
>> >
>> > Thank u in advance.
>> > with best regards,
>> >
>> > On Mon, Jun 9, 2008 at 9:10 PM, Stephen Fisher
>> > <stephentfisher@xxxxxxxxx>
>> > wrote:
>> >>
>> >> On Fri, Jun 06, 2008 at 09:03:43PM +0300, goitom kahsay wrote:
>> >>
>> >> > I retrieved the parameters from the packet-smtp.c /dissect_smtp_data
>> >> > fuction which is used to display the data line by line at the
>> >> > protocol
>> >> > tree. i used a tap mechanism as follows.
>> >>
>> >> > But, the content of the parameter doesnot display on the GUI. Please
>> >> > can u help me any idea how to solve this problem. *
>> >>
>> >> Did you also create a gtk/export_object_smtp.c similar to
>> >> gtk/export_object_http.c and also add the new functions in
>> >> export_object_smtp.c to the File - Export - Objects menu as "SMTP" ?
>> >>
>> >>
>> >> Steve
>> >>
>> >> _______________________________________________
>> >> Wireshark-dev mailing list
>> >> Wireshark-dev@xxxxxxxxxxxxx
>> >> https://wireshark.org/mailman/listinfo/wireshark-dev
>> >
>> >
>> >
>> > --
>> > Benice2all
>> > _______________________________________________
>> > Wireshark-dev mailing list
>> > Wireshark-dev@xxxxxxxxxxxxx
>> > https://wireshark.org/mailman/listinfo/wireshark-dev
>> >
>> >
>>
>> _______________________________________________
>> Wireshark-dev mailing list
>> Wireshark-dev@xxxxxxxxxxxxx
>> https://wireshark.org/mailman/listinfo/wireshark-dev
>>
>
>
>
> --
> Benice2all
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-dev
>
>

Follow-Ups:
- Re: [Wireshark-dev] SMTP: Extracting parametrs
  - From: goitom kahsay

References:
- Re: [Wireshark-dev] SMTP: Extracting parametrs
  - From: goitom kahsay
- Re: [Wireshark-dev] SMTP: Extracting parametrs
  - From: Stephen Fisher
- Re: [Wireshark-dev] SMTP: Extracting parametrs
  - From: goitom kahsay
- Re: [Wireshark-dev] SMTP: Extracting parametrs
  - From: Abhik Sarkar
- Re: [Wireshark-dev] SMTP: Extracting parametrs
  - From: goitom kahsay

Prev by Date: Re: [Wireshark-dev] Start Dissection from an upper layer?
Next by Date: [Wireshark-dev] problem to register own protoco...
Previous by thread: Re: [Wireshark-dev] SMTP: Extracting parametrs
Next by thread: Re: [Wireshark-dev] SMTP: Extracting parametrs
Index(es):
- Date
- Thread