Wireshark mailing list archives

Re: Retrieving email address from a wireshark capture


From: M Holt <m.iostreams () gmail com>
Date: Fri, 23 Oct 2009 03:12:39 -0700

My apologies, I have been tied up and haven't checked these emails for a
bit.

In the situation you described below, the answer is most likely no.
Here is the problem, gmail is a webmail service.  You can configure it so
that you can have it deliver mail to you, and if that were the case, you
would be able to watch the smtp traffic.
However, most people don't do that, so more than likely, your user is
logging into the web page to read email.

As you referenced, one gmail user is sending to another gmail user - but
both have just logged into the gmail webpage to read, compose, etc - nothing
has been "sent".
So, the question becomes, can you sniff web traffic on your network and pull
out a webmail address.

Well, the answer is again, most likely no.

The reason is because gmail is going to use SSL to encrypt the pages by
default - you won't be able to see the web page payload.
There is an option in gmail to disable https, but if you have a user that is
not so savvy, they probably wouldn't be able to find the setting.
If the user IS savvy, then they probably wouldn't disable that setting ;)

I hope that helps and that it wasn't too late.

If you do ever need to just sniff normal smtp traffic, you might try a
filter something like this:

smtp.req.parameter contains "FROM" || smtp.req.parameter contains "TO"

Best regards,

Mike
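As an added illustration (not part of Mike's post), this is the same idea as the display filter above applied to a reassembled SMTP client stream: pull the envelope addresses out of the MAIL FROM / RCPT TO commands, and stop at STARTTLS, because everything after it is encrypted on the wire just like the HTTPS webmail case. The session text is constructed for the example.

```python
import re

# Constructed sample of a reassembled client->server SMTP stream (not a real capture).
SAMPLE_SESSION = """EHLO mail.example.test
MAIL FROM:<alice@example.test> SIZE=1024
RCPT TO:<bob@example.test>
RCPT TO:<carol@example.test> NOTIFY=NEVER
DATA
"""

# Envelope commands: the verb, a colon, optional space, then the path in angle brackets.
# Trailing ESMTP parameters (SIZE=, NOTIFY=, ...) are ignored.
ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def extract_envelope(stream: str):
    """Return (senders, recipients, tls_started) for one SMTP client stream.

    Only the envelope commands are parsed; these are the request lines the
    Wireshark filter 'smtp.req.parameter contains "FROM" / "TO"' matches.
    When STARTTLS is seen, parsing stops: the rest of the session is encrypted,
    so the addresses are not visible to a passive capture.
    """
    senders, recipients = [], []
    tls_started = False
    for line in stream.splitlines():
        line = line.strip()
        if line.upper() == "STARTTLS":
            tls_started = True
            break
        match = ENVELOPE_RE.match(line)
        if not match:
            continue
        verb, addr = match.group(1).upper(), match.group(2)
        if verb == "MAIL FROM":
            senders.append(addr)      # may be "" for the null reverse-path (bounces)
        else:
            recipients.append(addr)
    return senders, recipients, tls_started


if __name__ == "__main__":
    print(extract_envelope(SAMPLE_SESSION))
```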

On Thu, Oct 15, 2009 at 9:49 AM, Firdous Saleheen <
saleheen.firdous () mango com bd> wrote:

Dear Mike,
Thanks for your prompt response.
Say, I have a router with SPAN port option, hence have the capability to
capture a copy of all the traffic running through that router. Now I need to
capture the email address in that traffic, its body is not important. Say,
someone from the internet writes an email from gmail to a user under my
network who is also using a gmail address. Is it possible for me to
capture the traffic and extract these two gmail addresses with the help of
wireshark? If possible, can you please suggest specifically how can I do
that with wireshark? Or if you have a better idea can you please share?

lots of thanks

Best Regards,
Saleheen


Hi,

It seems that would depend on how you are trying to capture the email
address...
Are you using Wireshark on your desktop, and trying to capture your own
email as it goes out?
Do you have a tap on a switch somewhere that is sniffing all traffic, and
you want to just pull email traffic only?
You could probably start by filtering known email ports - 25, 110, etc.
It really depends on where you are at within your topology, and what kind of
visibility you have to the email traffic passing through.

For example, you won't be able to pull email traffic out of a VPN tunnel by
just having a hub stuck on the network somewhere - does that help?

Mike

On Thu, Oct 15, 2009 at 3:38 AM, Firdous Saleheen <
saleheen.firdous () mango com bd> wrote:

Hi,
I am a newbie with wireshark. Does anyone know whether it is possible to
retrieve email addresses from a wireshark capture? If possible can anyone
please let me know the method?

Thanks in advance.

Best Regards,

*Firdous Saleheen*

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
