Wireshark - View email traffic

Before using Wireshark to view email traffic, it's important to recognize that emails are exchanged between client and server using a variety of protocols:

  • SMTP (sending, no encryption) - port 25
  • SMTPs (sending, with encryption) - port 587
  • POP3 (retrieving, no encryption) - port 110
  • POP3s (retrieving, with encryption) - port 995
  • IMAP (retrieving, no encryption) - port 143
  • IMAPs (retrieving, with encryption) - port 993

SMTP (sending, no encryption)

To view SMTP traffic, enter smtp as the display filter in Wireshark. Because SMTP on port 25 carries everything in cleartext, the captured packets in this example reveal:

  • Sender email address
  • Recipient email address
  • Sender first and last name
  • Subject line of the email
  • Body of the email

SMTP (sending, with encryption)

When a public certificate and private key are used to encrypt email traffic, filter on the IP address of the SMTP server to view the encrypted packets exchanged between the client and server. Without the private key, you will not be able to read sensitive information such as the sender or recipient email address, the subject line, or the body of the email. In this example, Wireshark shows SSLv2, TLSv2, the key exchange, and the encrypted handshake.
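The two sections above can be reproduced without Wireshark by feeding a reassembled SMTP client stream to a small parser. This is an added example, not part of the original article: both sessions are constructed, and the function and field names are the example's own. It pulls out the cleartext fields the smtp filter exposes (sender, recipient, display name, subject, body) and stops as soon as the client issues STARTTLS, because from that point only the TLS handshake is visible.

```python
import re
from email.parser import Parser
from email.utils import parseaddr

# Constructed cleartext SMTP session (client commands plus message), laid
# out the way Wireshark's "Follow TCP Stream" would show it. Not a real capture.
PLAINTEXT_SESSION = (
    "EHLO laptop.example.test\r\n"
    "MAIL FROM:<alice@example.test>\r\n"
    "RCPT TO:<bob@example.test>\r\n"
    "DATA\r\n"
    "From: Alice Example <alice@example.test>\r\n"
    "To: Bob Example <bob@example.test>\r\n"
    "Subject: Quarterly numbers\r\n"
    "\r\n"
    "Bob, the attached figures are confidential.\r\n"
    ".\r\n"
    "QUIT\r\n"
)
# Constructed session where the client upgrades with STARTTLS; everything
# after that command is TLS record data, represented here by a placeholder.
STARTTLS_SESSION = "EHLO laptop.example.test\r\nSTARTTLS\r\n<TLS records>\r\n"

def parse_smtp_session(session):
    """Return what a passive observer can read from one SMTP client stream."""
    seen = {"encrypted": False, "mail_from": None, "rcpt_to": [],
            "sender_name": None, "subject": None, "body": None}
    lines = session.split("\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        cmd = line.split(":", 1)[0].strip().upper()
        if cmd == "STARTTLS":
            seen["encrypted"] = True  # only the TLS handshake is visible from here on
            break
        if cmd == "MAIL FROM":
            seen["mail_from"] = re.search(r"<([^>]*)>", line).group(1)
        elif cmd == "RCPT TO":
            seen["rcpt_to"].append(re.search(r"<([^>]*)>", line).group(1))
        elif cmd == "DATA":
            # Message content runs until a line holding a single "."
            try:
                end = lines.index(".", i + 1)
            except ValueError:
                end = len(lines)
            msg = Parser().parsestr("\r\n".join(lines[i + 1:end]))
            seen["sender_name"] = parseaddr(msg["From"])[0] or None
            seen["subject"] = msg["Subject"]
            seen["body"] = msg.get_payload().strip()
            i = end
        i += 1
    return seen
```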

November 28th, 2020 by Larry bird