Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-users: Re: [Wireshark-users] Capturing Email Traffic

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Giles Coochey <giles@xxxxxxxxxxx>
Date: Wed, 29 Aug 2012 16:36:39 +0100
On 29/08/2012 08:20, RUOFF, LARS (LARS) wrote:

Hi Mike,

No, if someone would be using a different port for email, then Wireshark will not decode it as SMTP or POP in the first place. (Because the dissection for these protocols is based on a port preference. Meaning that Wireshark will only decode the packets as POP/SMTP if the traffic goes over the well known port numbers for these protocols)
What you would need is some sort of heuristics that can identify POP/SMTP from the packet data itself, but i don' think Wireshark has that built in for the moment.
Otherwise, if your email is unencrypted, you might just as well want to filter on common plain-text email headers within the data portion of any TCP traffic.

regards,
Lars
As Lars says - (POP or SMTP) will just identify traffic on ports 25 and 110, in order to do further you need protocol inspection of all traffic. Running snort over a RSPAN port of your internet VLAN might be able to perform this kind of inspection for you... you would probably have to write your own snort rule for this. 
http://www.snort.org


I would like to monitor the email traffic in and out of our network to make sure that no one is using the incorrect ports.  I need this information as I would like to setup a firewall rule that would only allow traffic to and from one specific server.  I think I have found the answer to this question but so far no information has been captured yet.
When I start the capture and in the display filter I am using "pop or smtp" as the expression which should tell me when there is that type of traffic.  Is this the correct way of doing this or is there a better way.
thanks for the help.
Mike
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles@xxxxxxxxxxx

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube