Before using Wireshark to view email traffic, it's important to recognize that emails are exchanged between client and server using a variety of protocols:
SMTP (sending, no encryption)
To view SMTP traffic, enter smtp as the display filter in Wireshark. In this example, we can see:
SMTP (sending, with encryption)
When a public certificate and private key are being used to encrypt email traffic, filter on the IP address of the SMTP email server to view the encrypted packets exchanged between the client and server. Without the private key, you will not be able to view sensitive information, such as the sender or recipient email address, subject line of the email, or the body of the email. In this example, Wireshark shows SSLv2, TLSv2, the key exchange, and the encrypted handshake.
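The contrast between the two cases above can be checked programmatically. The following Python is an added example, not part of the original page: it audits the client-to-server bytes of a reassembled SMTP stream and reports which of the sensitive fields named above are readable. The function name `audit_smtp_stream` and both sample sessions are constructed for illustration.

```python
import re

# Constructed samples: client-to-server bytes of two SMTP sessions, as they
# would appear after TCP stream reassembly. Addresses and text are made up.
PLAINTEXT_SESSION = (
    b"EHLO client.example.org\r\n"
    b"MAIL FROM:<alice@example.org>\r\n"
    b"RCPT TO:<bob@example.net>\r\n"
    b"DATA\r\n"
    b"From: alice@example.org\r\nTo: bob@example.net\r\n"
    b"Subject: Quarterly numbers\r\n\r\nSee attached.\r\n.\r\n"
    b"QUIT\r\n"
)
STARTTLS_SESSION = (
    b"EHLO client.example.org\r\n"
    b"STARTTLS\r\n"
    b"\x16\x03\x01\x00\x05hello\x17\x03\x03\x00\x04\x8a\x01\xfe\x22"  # placeholder TLS records
)

ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)

def audit_smtp_stream(stream: bytes) -> dict:
    """Return the sensitive fields an observer can read from the stream."""
    found = {"starttls": False, "sender": None, "recipients": [],
             "subject": None, "body_visible": False}
    state = "commands"  # commands -> headers -> body -> commands
    for raw in stream.split(b"\r\n"):
        line = raw.decode("ascii", errors="replace")
        if state == "commands":
            if line.upper() == "STARTTLS":
                found["starttls"] = True
                break  # what follows is TLS records, not readable SMTP text
            match = ENVELOPE.match(line)
            if match and match.group(1).upper() == "MAIL FROM":
                found["sender"] = match.group(2)
            elif match:
                found["recipients"].append(match.group(2))
            elif line.upper() == "DATA":
                state = "headers"
        elif line == ".":  # a lone dot ends the message
            state = "commands"
        elif state == "headers":
            if line == "":
                state = "body"
            elif line.lower().startswith("subject:"):
                found["subject"] = line.split(":", 1)[1].strip()
        elif line:
            found["body_visible"] = True
    return found
```

A session that reports a sender, recipients, or subject with `starttls` set to `False` is one where the mail client and server are exchanging that information unencrypted.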