Wireshark mailing list archives
Re: Capturing Email Traffic
From: "RUOFF, LARS (LARS)" <lars.ruoff () alcatel-lucent com>
Date: Wed, 29 Aug 2012 09:20:52 +0200
Hi Mike,

No, if someone would be using a different port for email, then Wireshark will not decode it as SMTP or POP in the first place. (Because the dissection for these protocols is based on a port preference, meaning that Wireshark will only decode the packets as POP/SMTP if the traffic goes over the well-known port numbers for these protocols.)

What you would need is some sort of heuristics that can identify POP/SMTP from the packet data itself, but I don't think Wireshark has that built in for the moment.

Otherwise, if your email is unencrypted, you might just as well want to filter on common plain-text email headers within the data portion of any TCP traffic.

regards,
Lars

________________________________
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Mike Dodson
Sent: Wednesday, 29 August 2012 00:49
To: wireshark-users () wireshark org
Subject: [Wireshark-users] Capturing Email Traffic

I would like to monitor the email traffic in and out of our network to make sure that no one is using the incorrect ports. I need this information as I would like to set up a firewall rule that would only allow traffic to and from one specific server.

I think I have found the answer to this question but so far no information has been captured yet. When I start the capture, in the display filter I am using "pop or smtp" as the expression, which should tell me when there is that type of traffic. Is this the correct way of doing this or is there a better way?

Thanks for the help.
Mike
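The payload-based heuristic described in the reply above, as an added example that is not part of the original thread: it classifies TCP payloads as SMTP, POP3 or plain-text mail headers regardless of port and reports those seen off an assumed set of expected ports. The function names, the port set and the sample segments are constructed for illustration.

```python
import re

# Assumed local policy: ports on which plain-text mail is expected.
EXPECTED_PORTS = {25, 587, 110}

# First-line signatures. POP3 USER/PASS are left out on purpose: FTP uses
# the same verbs, so they would misclassify FTP logins as mail.
SIGNATURES = [
    ("smtp", re.compile(rb"^(?:EHLO|HELO) \S+\r\n", re.I)),
    ("smtp", re.compile(rb"^(?:MAIL FROM|RCPT TO):\s*<[^>\r\n]*>", re.I)),
    ("smtp", re.compile(rb"^220[ -]\S+ .*\bE?SMTP\b", re.I)),
    ("pop3", re.compile(rb"^(?:\+OK|-ERR)\b[^\r\n]*\r\n")),
]
HEADER_RE = re.compile(rb"^(From|To|Subject|Message-ID|Received): \S", re.I | re.M)

def classify_payload(payload):
    """Return 'smtp', 'pop3', 'mail-headers' or None for one TCP payload."""
    for proto, sig in SIGNATURES:
        if sig.match(payload):
            return proto
    # Fallback: at least three distinct mail header names in the data.
    names = {n.lower() for n in HEADER_RE.findall(payload)}
    return "mail-headers" if len(names) >= 3 else None

def off_port_mail(segments):
    """Report (src, sport, dst, dport, kind) for mail seen off the expected ports."""
    hits = []
    for src, sport, dst, dport, payload in segments:
        kind = classify_payload(payload)
        if kind and sport not in EXPECTED_PORTS and dport not in EXPECTED_PORTS:
            hits.append((src, sport, dst, dport, kind))
    return hits

# Constructed sample segments (documentation addresses), not real traffic.
SAMPLE = [
    ("10.0.0.5", 51000, "192.0.2.10", 25, b"EHLO client.example\r\n"),
    ("10.0.0.7", 51001, "198.51.100.20", 2525, b"MAIL FROM:<a@example.org>\r\n"),
    ("198.51.100.30", 8110, "10.0.0.9", 51002, b"+OK POP3 server ready\r\n"),
    ("10.0.0.7", 51003, "198.51.100.20", 2525,
     b"From: a@example.org\r\nTo: b@example.net\r\nSubject: hi\r\n\r\nbody"),
    ("10.0.0.8", 51004, "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.8", 51005, "203.0.113.6", 21, b"USER anonymous\r\n"),
]

if __name__ == "__main__":
    for hit in off_port_mail(SAMPLE):
        print(hit)
```

The signatures only see unencrypted sessions; mail carried inside TLS on any port produces no match.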
Current thread:
- Capturing Email Traffic Mike Dodson (Aug 28)
- Re: Capturing Email Traffic RUOFF, LARS (LARS) (Aug 29)
- Re: Capturing Email Traffic Giles Coochey (Aug 29)
- Re: Capturing Email Traffic RUOFF, LARS (LARS) (Aug 29)