How to view email traffic using Wireshark


Before using Wireshark to view email traffic, it's important to recognize that emails are exchanged between client and server using a variety of protocols:

  • SMTP (sending, no encryption) - port 25, used for server-to-server relay
  • SMTP submission (sending, STARTTLS upgrade to TLS after EHLO) - port 587
  • SMTPS (sending, TLS from the first byte) - port 465
  • POP3 (retrieving, no encryption) - port 110
  • POP3S (retrieving, with encryption) - port 995
  • IMAP (retrieving, no encryption) - port 143
  • IMAPS (retrieving, with encryption) - port 993

Note that the plaintext ports can also be upgraded with STARTTLS, so the port number alone does not tell you whether a session is readable. Check whether Wireshark dissects the payload as SMTP, POP or IMAP, or as TLS records.

SMTP (sending, no encryption)

To view SMTP traffic, enter the display filter smtp. The message headers and body that follow the DATA command are dissected as imf (Internet Message Format), and Analyze > Follow > TCP Stream reassembles the whole session in order. In a capture of a plaintext session we can see:

  • Sender email address (MAIL FROM and the From: header)
  • Recipient email address (RCPT TO and the To: header)
  • Sender first and last name (the display name in the From: header)
  • Subject line of the email
  • Body of the email
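The following is an added example, not code from the original page or from Wireshark: it parses the client half of a constructed SMTP session (what Follow > TCP Stream shows for port 25) and pulls out exactly the fields listed above, including the dot-stuffing rule that the SMTP dissector undoes. The addresses, names and message text are made up for the demo.

```python
"""What a plaintext SMTP session leaks on the wire.

Added example, not Wireshark's own code: the client half of a constructed SMTP
session (what Wireshark reassembles with Follow > TCP Stream on port 25) is
parsed the way the SMTP and IMF dissectors present it. Addresses, names and
the message text are made up for the demo.
"""
import email
import email.utils
from email import policy

# Constructed client-to-server stream, exactly as it would cross the wire.
CLIENT_STREAM = (
    b"EHLO laptop.example.test\r\n"
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"RCPT TO:<carol@example.test>\r\n"
    b"DATA\r\n"
    b"From: Alice Example <alice@example.test>\r\n"
    b"To: Bob Example <bob@example.test>\r\n"
    b"Subject: Q3 payroll file\r\n"
    b"\r\n"
    b"Hi Bob, the payroll sheet is attached; the password is hunter2.\r\n"
    b"..this line began with a dot, so the client dot-stuffed it\r\n"
    b".\r\n"                       # lone dot ends DATA
    b"QUIT\r\n"
)


def _angle_addr(line):
    """Return the address between < and > in a MAIL FROM / RCPT TO command."""
    return line[line.index(b"<") + 1:line.index(b">")].decode("ascii")


def parse_smtp_client_stream(stream):
    """Recover envelope and message fields from the client side of a session."""
    envelope_from, envelope_to, message_lines = None, [], []
    in_data = False
    for line in stream.split(b"\r\n"):
        if in_data:
            if line == b".":                       # end of the DATA phase
                in_data = False
            else:
                if line.startswith(b".."):         # undo dot-stuffing (RFC 5321 4.5.2)
                    line = line[1:]
                message_lines.append(line)
            continue
        verb = line.upper()
        if verb.startswith(b"MAIL FROM:"):
            envelope_from = _angle_addr(line)
        elif verb.startswith(b"RCPT TO:"):
            envelope_to.append(_angle_addr(line))
        elif verb == b"DATA":
            in_data = True
    # Parse headers and body with the standard library, the way the IMF
    # dissector splits them; the sample is single-part, so get_content() is the body.
    msg = email.message_from_bytes(b"\r\n".join(message_lines), policy=policy.default)
    display_name, header_addr = email.utils.parseaddr(str(msg["From"]))
    return {
        "envelope_from": envelope_from,
        "envelope_to": envelope_to,
        "sender_name": display_name,
        "sender_addr": header_addr,
        "subject": str(msg["Subject"]),
        "body": msg.get_content().replace("\r\n", "\n"),
    }


if __name__ == "__main__":
    for field, value in parse_smtp_client_stream(CLIENT_STREAM).items():
        print(f"{field}: {value!r}")
```

Everything the function returns is recoverable by anyone on the path between client and server, which is the point of the list above: on port 25 there is no secret to protect the envelope, the headers or the body.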

SMTP (sending, with encryption)

When the session is protected by TLS (the server presents its certificate and holds the matching private key), filter on the server, for example ip.addr == <server IP> or tcp.port == 465, to see the packets exchanged between client and server. Only the handshake is readable: Wireshark shows the ClientHello and ServerHello with the protocol version (TLSv1.2 or TLSv1.3; an old client may send an SSLv2-compatible ClientHello, which Wireshark labels SSLv2), the server name indication, the negotiated cipher suite and the key exchange, followed by encrypted application data. The sender and recipient addresses, the subject line and the body are all inside that encrypted data. Loading the server's private key (Edit > Preferences > Protocols > TLS > RSA keys list) decrypts it only when the cipher suite uses static RSA key exchange; with (EC)DHE suites and all of TLS 1.3 the session keys are ephemeral, and the only way to decrypt the capture is a key log written by the client (SSLKEYLOGFILE, loaded under (Pre)-Master-Secret log filename).
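As an added example (not Wireshark's code and not from the original page), the block below builds a constructed TLS ClientHello record and parses the fields that cross the wire in cleartext, which is all the dissector can show you without keys. The host name, cipher suite list and fixed client random are made up for the demo; the record layout follows RFC 5246 and RFC 8446, and the suite IDs come from the IANA registry. The last function encodes the caveat above: the server's private key only helps for static RSA key exchange.

```python
"""What a capture of a TLS-wrapped mail session still reveals.

Added example, not Wireshark's code: builds a constructed TLS ClientHello and
parses the fields that cross the wire in cleartext (versions, SNI, offered
cipher suites). The record layout follows RFC 5246/8446; the host name and
suite list are made up for the demo.
"""
import struct

# IDs from the IANA TLS cipher-suite registry (small subset for the demo).
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                # TLS 1.3: ephemeral keys only
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", # TLS 1.2, ephemeral ECDH
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",          # TLS 1.2, static RSA
}


def build_client_hello(server_name, suites):
    """Assemble a minimal ClientHello inside a TLS record (content type 0x16)."""
    name = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name          # name_type host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    versions = struct.pack("!HH", 0x0304, 0x0303)                # offer TLS 1.3 and 1.2
    ver_ext = struct.pack("!HHB", 0x002B, len(versions) + 1, len(versions)) + versions
    exts = sni_ext + ver_ext
    body = (
        b"\x03\x03"                                              # legacy_version = TLS 1.2
        + b"\x11" * 32                                           # client random (fixed for the demo)
        + b"\x00"                                                # empty legacy_session_id
        + struct.pack("!H", 2 * len(suites))
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                            # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cleartext ClientHello fields a dissector displays."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                # handshake type + 24-bit length
    legacy_version = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2 + 32                                          # version, random
    p += 1 + hs[p]                                       # session id
    n = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + hs[p]                                       # compression methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    sni, supported = None, []
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0x0000:                              # server_name: list len, type, name len, name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii")
        elif etype == 0x002B:                            # supported_versions: 1-byte list length
            supported = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return {
        "record_version": rec_ver,
        "legacy_version": legacy_version,
        "server_name": sni,
        "cipher_suites": [SUITES.get(s, hex(s)) for s in suites],
        "supported_versions": supported,
    }


def decryptable_with_server_key(suite_id):
    """True only for static-RSA key exchange, where the server's private key
    unwraps the pre-master secret. (EC)DHE suites and every TLS 1.3 suite use
    ephemeral keys, so the capture can only be decrypted from session secrets
    the client logs (SSLKEYLOGFILE / (Pre)-Master-Secret log in Wireshark)."""
    return SUITES.get(suite_id, "").startswith("TLS_RSA_WITH_")


if __name__ == "__main__":
    hello = build_client_hello("mail.example.test", [0x1301, 0xC02F, 0x002F])
    print(parse_client_hello(hello))
```

Note that the server name and the offered suites are visible to anyone capturing the session, so even an encrypted mail session tells an observer which mail server the client talks to; only the message content is hidden.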
