Wireshark - View email traffic


Before using Wireshark to view email traffic, it's important to recognize that emails are exchanged between client and server using a variety of protocols, and that Wireshark picks its dissector by port. Which of these you are looking at decides whether anything is readable:

  • SMTP (sending, plaintext) - port 25, mostly server-to-server relay; a STARTTLS upgrade is optional
  • SMTP submission (sending, client to server) - port 587; starts in plaintext and is encrypted only once STARTTLS has been negotiated
  • SMTPS (sending, implicit TLS from the first byte) - port 465
  • POP3 (retrieving, no encryption) - port 110
  • POP3S (retrieving, with encryption) - port 995
  • IMAP (retrieving, no encryption) - port 143
  • IMAPS (retrieving, with encryption) - port 993

The matching Wireshark display filters are smtp, pop, imap and tls (ssl in older releases).

SMTP (sending, no encryption)

To view SMTP traffic, enter smtp as the display filter. Because the session is plaintext, the SMTP commands and the message itself are readable in the packet bytes, or reassembled in one piece via Follow TCP Stream. In this example, we can see:

  • Sender email address (MAIL FROM and the From header)
  • Recipient email address (RCPT TO and the To header)
  • Sender first and last name (the display name in the From header)
  • Subject line of the email
  • Body of the email


SMTP (sending, with encryption)

When the session is protected by TLS (the server presents its certificate and the two sides negotiate session keys), filter on the IP address of the SMTP server (ip.addr == <server address>) or on tls to see the packets exchanged between the client and server. Without the keys you will not be able to view sensitive information such as the sender or recipient email address, the subject line, or the body of the email: Wireshark shows the handshake and after that only encrypted application data. Holding the server's private key is enough to decrypt only RSA key exchange; with (EC)DHE, which current servers negotiate, you need the per-session secrets, typically a key log (SSLKEYLOGFILE) written by the client and loaded under Edit > Preferences > Protocols > TLS. With STARTTLS on port 587 the EHLO and STARTTLS commands are still visible in cleartext before the session goes dark. In this example, Wireshark shows SSLv2 and TLSv1.2 records, the key exchange, and the encrypted handshake.
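The two cases above, plaintext SMTP and a session that upgrades to TLS, as an added example that is not part of the original article: a small Python parser over the reassembled TCP payload of an SMTP session (the view Wireshark gives in Follow TCP Stream). It pulls out exactly the fields the plaintext section lists (envelope sender and recipient, the sender's display name from the From header, Subject, body) and, for a port 587 session that issues STARTTLS, shows that only the EHLO/STARTTLS preamble is readable and everything after the server's 220 is opaque TLS records. Both session transcripts, the host names and addresses, and the stand-in TLS bytes are constructed for this example; they are not real capture data.

```python
"""Parse the reassembled TCP payload of an SMTP session (what Wireshark's
"Follow TCP Stream" shows) and report what a passive observer can read.

Added example for this article, not code from the original page. Both
"captures" below are constructed by hand; they are not real packet data.
"""
import re
import email
from email import policy
from email.utils import parseaddr

# Server replies start with a three-digit code ("250 OK", "250-STARTTLS").
SERVER_LINE = re.compile(rb"^\d{3}(?:[ -]|$)")
# Reverse-path / forward-path in MAIL FROM / RCPT TO: "<user@host>".
ANGLE_PATH = re.compile(rb"<([^>]*)>")

# Constructed sample 1: plaintext session on port 25/587, no STARTTLS.
PLAINTEXT_STREAM = b"\r\n".join([
    b"220 mail.example.com ESMTP ready",            # server
    b"EHLO laptop.example.net",                     # client
    b"250-mail.example.com",
    b"250 OK",
    b"MAIL FROM:<alice@example.net>",
    b"250 OK",
    b"RCPT TO:<bob@example.com>",
    b"250 OK",
    b"DATA",
    b"354 End data with <CR><LF>.<CR><LF>",
    b"From: Alice Example <alice@example.net>",
    b"To: bob@example.com",
    b"Subject: Q3 payroll export",
    b"",
    b"Bob, the export is attached. Password is hunter2.",
    b".",
    b"250 OK queued",
    b"QUIT",
    b"221 Bye",
]) + b"\r\n"

# Constructed sample 2: same server, but the client upgrades with STARTTLS.
# The bytes after "220 Go ahead" stand in for TLS records: one handshake
# record header (type 0x16, legacy version 3.1, length 16) plus 16
# placeholder bytes. This is NOT a real Client Hello.
OPAQUE_TLS_BYTES = b"\x16\x03\x01\x00\x10" + bytes(range(16))
STARTTLS_STREAM = b"\r\n".join([
    b"220 mail.example.com ESMTP ready",
    b"EHLO laptop.example.net",
    b"250-mail.example.com",
    b"250-STARTTLS",
    b"250 OK",
    b"STARTTLS",
    b"220 Go ahead",
]) + b"\r\n" + OPAQUE_TLS_BYTES


def _path(line: bytes) -> str:
    """Return the address inside MAIL FROM:<...> / RCPT TO:<...>."""
    m = ANGLE_PATH.search(line)
    raw = m.group(1) if m else line.split(b":", 1)[1].strip()
    return raw.decode("ascii", "replace")


def parse_smtp_stream(stream: bytes) -> dict:
    """Walk the SMTP dialogue and collect everything visible in cleartext."""
    seen = {
        "mail_from": None, "rcpt_to": [], "from_name": None, "from_addr": None,
        "subject": None, "body": None,
        "starttls": False, "tls_handshake_seen": False, "opaque_bytes": 0,
    }
    pos = 0
    awaiting_354 = awaiting_220 = in_data = False
    data_lines: list[bytes] = []

    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end == -1:          # no CRLF-terminated line left: not SMTP text
            break
        line, pos = stream[pos:end], end + 2

        if in_data:
            if line == b".":   # lone dot terminates the message
                in_data = False
                msg = email.message_from_bytes(b"\r\n".join(data_lines),
                                               policy=policy.default)
                seen["from_name"], seen["from_addr"] = parseaddr(str(msg["From"]))
                seen["subject"] = str(msg["Subject"])
                seen["body"] = msg.get_content().strip()
            else:              # undo dot-stuffing: "..x" on the wire is ".x"
                data_lines.append(line[1:] if line.startswith(b"..") else line)
            continue

        if SERVER_LINE.match(line):
            code = int(line[:3])
            if awaiting_354 and code == 354:
                in_data = True
            elif awaiting_220 and code == 220:
                # Server accepted STARTTLS: from here on the payload is TLS
                # and nothing more is readable without the session keys.
                seen["starttls"] = True
                rest = stream[pos:]
                seen["opaque_bytes"] = len(rest)
                seen["tls_handshake_seen"] = (
                    rest[:1] == b"\x16"
                    and rest[1:3] in (b"\x03\x01", b"\x03\x02", b"\x03\x03"))
                break
            awaiting_354 = awaiting_220 = False
            continue

        cmd = line.upper()
        if cmd.startswith(b"MAIL FROM:"):
            seen["mail_from"] = _path(line)
        elif cmd.startswith(b"RCPT TO:"):
            seen["rcpt_to"].append(_path(line))
        elif cmd == b"DATA":
            awaiting_354 = True
        elif cmd == b"STARTTLS":
            awaiting_220 = True
    return seen


if __name__ == "__main__":
    for name, stream in (("plaintext", PLAINTEXT_STREAM), ("STARTTLS", STARTTLS_STREAM)):
        print(name, parse_smtp_stream(stream))
```

Run it directly to print both results. Against a real capture, export the session from Follow TCP Stream (show data as Raw, then Save as) and pass the bytes to parse_smtp_stream(). The STARTTLS case is why the port list above should not be read as "port 587 is always encrypted": the session starts in cleartext, leaks the client and server host names, and only goes dark once the server answers 220 to STARTTLS.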






November 28 2020 by Larry bird
