Before using Wireshark to view email traffic, it's important to recognize that emails are exchanged between client and server using a variety of protocols:

• SMTP (sending, no encryption) - port 25
• SMTPs (sending, with encryption) - port 587
• POP3 (retrieving, no encryption) - port 110
• POP3s (retrieving, with encryption) - port 995
• IMAP (retrieving, no encryption) - port 143
• IMAPs (retrieving, with encryption) - port 993

SMTP (sending, no encryption)

To view SMTP traffic, enter the SMTP filter in Wireshark. In this example, we can see:

• Sender email address
• Recipient email address
• Sender first and last name
• Subject line of the email
• Body of the email

SMTP (sending, with encryption)

When a public certificate and private key are being used to encrypt email traffic, enter the IP address of the SMTP email server to view the encrypted packets exchanged between the client and server. Without the private key, you will not be able to view sensitive information, such as the sender or recipient email address, subject line of the email, or the body of the email. In this example, Wireshark show SSLv2, TLSv2, the key exchange, and the encrypted handshake.