This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark decode SMTP

0

I'm analyzing a SMTP transfer and not sure what Wireshark is reporting in the Info section of "D: DATA fragment, xx bytes". Has anyone seen this before?

asked 03 Dec '12, 13:01

ws2006's gravatar image

ws2006
1121214
accept rate: 0%

One Answer:

1

The content of an email (headers + body) is sent after the SMTP DATA command. If that content is larger than one TCP segment, Wireshark will show every packet that belongs to the DATA "command" as "C: DATA fragment" in the Info column. So, those packets are basically the content of the email.

You can see the whole SMTP communication.

  • select any packet of the SMTP connection
  • right click the packet
  • select "Follow TCP Stream"

Regards
Kurt

answered 03 Dec '12, 13:21

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 03 Dec '12, 13:27

Thanks Kurt. It's the DATA Fragment in the info that i was concerned with.

(04 Dec '12, 06:51) ws2006

It's just an info, that Wireshark detected one part (one fragment) of the mail message.

what concerns do you have?

(04 Dec '12, 08:03) Kurt Knochner ♦