Wireshark · Wireshark-dev: Re: [Wireshark-dev] SMTP: Extracting parametrs

["goitom kahsay" <goitom.mit2@xxxxxxxxx>]

Dear Abhik,

I really appriciate for your help.

I am using wireshark version 1.0.0.

I checked preferences->protocols->SMTP:

Both Reassemble SMTP command and response lines spanning multiple TCP segments and Reassemble SMTP DATA commands spanning multiple TCP segments are enabled.

Both view->colorize packet list and view-> coloring rules are also enbled.

If I open the sample-imf.pcap, I see IMF layer data in frame 69 and i also open other sample files.But ,I donot see IMF on same of the sample files. I also checked these files using the following commands.

1.$ tshark -r smtp.pcap -e imf.from -e  imf.to -e imf.subject -T
fields                                      But, I couldnot see any of the parameters.

2. $ tshark -V -r smtp.pcap | egrep "Subject:|From:|To:|Date:" The parameters displayed

3.Using FOLLOW TCP STREAM the parameters displayed.

1. What do you think the reason for not displaying IMF on all the sample files? or

2. Do you think the sample files may have any problem?

Thank you in advance,

With Best Regards,

On Thu, Jun 12, 2008 at 10:12 AM, Abhik Sarkar <sarkar.abhik@xxxxxxxxx> wrote:

Dear Goitom,

My understanding is that SMTP (http://www.ietf.org/rfc/rfc2821.txt) is
only the envelope and the fields you are looking for are in IMF
(http://www.ietf.org/rfc/rfc2822.txt). Also see,
http://wiki.wireshark.org/IMF.

So, in general, if I am looking for these fields in particular, I
would expect to find them in the message and not on the envelope :-)

If I am mistaken, I am sure someone will correct me.

Regards,
Abhik.

On Thu, Jun 12, 2008 at 11:04 AM, goitom kahsay <goitom.mit2@xxxxxxxxx> wrote:
> Dear Abhik,
>
> Thank you very much for your help.
>
> But, do  you  think   IMF  packet always exist  in  all  smtp
> conversations?   Because i need to extract these parameters from all SMTP
> email communications.
>
>
> Thank you in advance.
>
> with best regards,
>
>
> On Wed, Jun 11, 2008 at 11:19 PM, Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
> wrote:
>>
>> Hi Goitom,
>>
>> I am not sure if you still have two requirements as you had earlier
>> (one for extraction of the from, to, subject and date fields and one
>> for display of these in a separate diaglog), but as I have suggested
>> before, I think you are better off using the IMF dissector instead of
>> the SMTP dissector. The IMF dissector supports extraction of all these
>> fields already.
>>
>> So, if you want to setup the tap, I think you are better off tapping
>> IMF. I think the best place would be in the "while(!last_field)" loop
>> in the dissect_imf function of epan/packet-imf.c. Just compare the
>> value of "key" against "from", "to", "subject" and "date" (after the
>> part the key has been converted to lower case) and you are on  your
>> way!
>>
>> If you want to display the records in a dialog, you will probably want
>> to base the dialog off the expert infos dialog (Analyze > Expert
>> Info). You can have columns for Frame number, From, To, Subject and
>> Date. Or, as I have suggested before, you can use the custom columns
>> feature (see the attached screenshot with a sample file from the WS
>> wiki).
>>
>> Unless you have some very specific requirements, I think the above
>> should work for you. I honestly hope this is of some help.
>>
>> Good luck!
>> Abhik
>> PS: While researching this, I came across a bug
>> (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2595) in the SMTP
>> dissector, so be sure to have your coloring rules turned on.
>>
>> On Tue, Jun 10, 2008 at 9:54 PM, goitom kahsay <goitom.mit2@xxxxxxxxx>
>> wrote:
>> > Dear Steve,
>> >
>> >  Thank you very much for you help.
>> > Yes, I  created gtk/export_object_smtp.c ,gtk/export_object2.c,
>> > export_object2.h and  packet-smtp.h similar to gtk/export_object_http.c
>> > ,gtk/export_object.c,export_object.h and packet-http.h.  and it
>> > dissplays
>> > some thing unreadable characters.
>> >
>> > But i doubt about retrieving the parameters from the
>> > packet-smtp.c(dissect_smtp_data) fuction which is used to display the
>> > data
>> > line by line to the protocol tree. Do u think it is  possible to
>> > retrieve
>> > these value from that function using tap mechanism?
>> >
>> > Thank u in advance.
>> > with best regards,
>> >
>> > On Mon, Jun 9, 2008 at 9:10 PM, Stephen Fisher
>> > <stephentfisher@xxxxxxxxx>
>> > wrote:
>> >>
>> >> On Fri, Jun 06, 2008 at 09:03:43PM +0300, goitom kahsay wrote:
>> >>
>> >> > I retrieved the parameters from the packet-smtp.c /dissect_smtp_data
>> >> > fuction which is used to display the data line by line at the
>> >> > protocol
>> >> > tree. i used a tap mechanism as follows.
>> >>
>> >> > But, the content of the parameter doesnot display on the GUI. Please
>> >> > can u help me any idea how to solve this problem. *
>> >>
>> >> Did you also create a gtk/export_object_smtp.c similar to
>> >> gtk/export_object_http.c and also add the new functions in
>> >> export_object_smtp.c to the File - Export - Objects menu as "SMTP" ?
>> >>
>> >>
>> >> Steve
>> >>
>> >> _______________________________________________
>> >> Wireshark-dev mailing list
>> >> Wireshark-dev@xxxxxxxxxxxxx
>> >> https://wireshark.org/mailman/listinfo/wireshark-dev
>> >
>> >
>> >
>> > --
>> > Benice2all
>> > _______________________________________________
>> > Wireshark-dev mailing list
>> > Wireshark-dev@xxxxxxxxxxxxx
>> > https://wireshark.org/mailman/listinfo/wireshark-dev
>> >
>> >
>>
>> _______________________________________________
>> Wireshark-dev mailing list
>> Wireshark-dev@xxxxxxxxxxxxx
>> https://wireshark.org/mailman/listinfo/wireshark-dev
>>
>
>
>
> --
> Benice2all
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-dev
>
>
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-dev

-- 
Benice2all