This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture POP3 packets

0

Hello

I'm trying to analyze the POP3 traffic on my network, but Wireshark doesn't capture anything on port 110 or 995. What does this mean? Why can't I see any packets? Shouldn't I be able to, even though they are encrypted?

Thank you

asked 12 Apr '13, 02:23

Metall
accept rate: 0%


One Answer:

2

Yes, you should be able to if your capture setup is correct. You're saying you try to "analyze on your network" - does that mean that you want to capture packets from PCs other than the one you're on? If so, you need to do a SPAN or TAP session. For more information on how to capture packets on a network, try this Wiki page: http://wiki.wireshark.org/CaptureSetup/Ethernet

On a side note: POP3 on port 110 is usually not encrypted, that is what port 995 is used for.

answered 12 Apr '13, 02:27

Jasper ♦♦
accept rate: 18%
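To make the side note in the answer concrete (port 110 carries POP3 in the clear, port 995 carries it inside TLS), here is an added example that is not part of the original answer: a small pure-Python pcap reader that picks out TCP segments on those two ports, harvests USER/PASS from the cleartext port and merely counts TLS records on the encrypted one. The capture it reads is constructed in memory; all addresses, MACs and payloads are invented for the demonstration.

```python
import struct

# Added example (not from the original post): a minimal pcap reader that pulls out
# TCP segments on the POP3 ports and shows why port 110 leaks credentials while
# port 995 only yields TLS records. Addresses, MACs and payloads below are constructed.

POP3_CLEARTEXT, POP3_TLS = 110, 995


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(o) for o in text.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with the given payload (checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr) + len(payload),
                         0, 0x4000, 64, 6, 0, _ip(src_ip), _ip(dst_ip))
    eth_hdr = _mac("aa:bb:cc:00:00:02") + _mac("aa:bb:cc:00:00:01") + struct.pack("!H", 0x0800)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Classic little-endian pcap (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 1365760000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_pcap(data):
    """Yield (timestamp, frame bytes) for each record; handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 6:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return src, dst, sport, dport, tcp[data_off:]


def analyze_pop3(pcap_bytes):
    """Count POP3 traffic per port and harvest USER/PASS from the cleartext port."""
    summary = {"cleartext_frames": 0, "tls_frames": 0, "tls_handshake_frames": 0,
               "other_frames": 0, "credentials": []}
    for _, frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            summary["other_frames"] += 1
            continue
        src, _dst, sport, dport, payload = parsed
        if POP3_CLEARTEXT in (sport, dport):
            summary["cleartext_frames"] += 1
            for cmd in (b"USER ", b"PASS "):  # RFC 1939 commands, sent in the clear
                if payload.startswith(cmd):
                    value = payload[len(cmd):].strip().decode(errors="replace")
                    summary["credentials"].append((src, cmd.decode().strip(), value))
        elif POP3_TLS in (sport, dport):
            summary["tls_frames"] += 1
            # TLS record header: content type 0x16 = handshake, version major byte 3
            if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03:
                summary["tls_handshake_frames"] += 1
        else:
            summary["other_frames"] += 1
    return summary


# Constructed sample capture: a cleartext POP3 login, a POP3S ClientHello, an HTTP request.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.10", 50123, 110, b"USER alice\r\n"),
    build_frame("10.0.0.10", "10.0.0.5", 110, 50123, b"+OK\r\n"),
    build_frame("10.0.0.5", "10.0.0.10", 50123, 110, b"PASS hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.10", 50124, 995, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    build_frame("10.0.0.5", "10.0.0.10", 50125, 80, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    print(analyze_pop3(SAMPLE_PCAP))
```

Point the script at a file saved from Wireshark or tcpdump (a capture filter of `tcp port 110 or tcp port 995` keeps only the relevant segments) and the result is the same split: every USER/PASS on 110 is readable, while on 995 you see TLS record headers and nothing else. Note that this only works on frames that actually reached the capturing card, which is the second problem in the thread.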

Yes, that's right. I want to capture the packets from other PCs than mine. So I have to do a SPAN session, for which I need to have access to the switch? Isn't there some other way? I thought Wireshark captured all traffic on the network, including what other hosts on the network are sending/receiving :O

(12 Apr '13, 02:59) Metall

Yes, you need a SPAN session, and for that you need access to the switch, which also means that it needs to be manageable and provide a SPAN port feature.

And no, Wireshark can only capture the packets that make it to the network card you're capturing on. In a switched network that will only mean unicasts that are directed at your card, broadcasts and multicasts. If you want to see more than that you need to SPAN the other machine(s) to force the switch to send you their packets as well.

The times of seeing everything other hosts send and receive are over since we replaced all the hubs with switches ;-)

(I converted your answer to a comment)

(12 Apr '13, 03:02) Jasper ♦♦

Oh, I see. But do you know about other software that can capture packets that are sent/received by other hosts on the network? I am doing a security evaluation of the network. I am doing an undergraduate thesis on a company network, so I cannot access switches and routers. I am supposed to look at and analyze the network to see how much an intruder can see.

(12 Apr '13, 03:21) Metall

No sniffing software can do this unless the packets arrive at the capturing card for some reason. The "legal" way of doing that is using SPAN ports, as you already know. The "illegal" way would be to apply hacking techniques like ARP cache poisoning, like the windows tool "Cain & Abel" does. It forces the switch to redirect packets to your card by "spreading lies" on the network.

The usual answer to the question what an intruder can see is "not much, except broadcasts, multicasts and sometimes single flooded unicasts", unless he's leveraging ARP cache poisoning or other tricks. Or he could manage to hack into a switch first to create his own SPAN sessions, that is :-)

(12 Apr '13, 03:25) Jasper ♦♦
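Two points from the comments above lend themselves to a worked example: a card on a switched network only receives unicasts addressed to it, broadcasts and multicasts, and the "illegal" alternative is ARP cache poisoning. The following block is an added example, not code from the thread or from Wireshark: a function that models the switch's forwarding decision for a given host, plus a passive detector of the kind a defender would run on a SPAN port to catch ARP poisoning (an IP address suddenly claimed by a second MAC). All MACs, IPs and frames are constructed for the demonstration; the "trusted" table is assumed to come from an inventory.

```python
import struct

# Added example (not from the original thread): what a host on a switched segment
# actually receives, and a passive detector for ARP cache poisoning, the technique
# the thread names. All MACs, IPs and frames are constructed.

BROADCAST = b"\xff" * 6


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip(text):
    return bytes(int(o) for o in text.split("."))


def _fmt_ip(raw):
    return ".".join(map(str, raw))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet frame carrying an ARP request (opcode 1) or reply (opcode 2)."""
    dst = _mac(dst_mac or target_mac)
    eth_hdr = dst + _mac(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      _mac(sender_mac), _ip(sender_ip), _mac(target_mac), _ip(target_ip))
    return eth_hdr + arp


def frame_reaches_host(frame, own_mac):
    """True if a switch forwards this frame to the host owning own_mac:
    unicast to that MAC, broadcast, or a group (multicast) destination."""
    dst = frame[:6]
    if dst == _mac(own_mac) or dst == BROADCAST:
        return True
    return bool(dst[0] & 0x01)  # I/G bit set => multicast


def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": _fmt_mac(sha), "spa": _fmt_ip(spa),
            "tha": _fmt_mac(tha), "tpa": _fmt_ip(tpa)}


def detect_arp_poisoning(frames, trusted=None):
    """Flag ARP packets whose sender IP is already bound to a different MAC.

    Requests and replies both carry a sender binding, so both are learned. The first
    (or pre-seeded, trusted) binding is kept, so repeated poisoning keeps alerting.
    """
    table = dict(trusted or {})
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        known = table.get(arp["spa"])
        if known is None:
            table[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            alerts.append({"ip": arp["spa"], "expected": known, "seen": arp["sha"],
                           "op": arp["op"]})
    return alerts


GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "00:11:22:33:44:01", "00:11:22:33:44:05", "de:ad:be:ef:00:66"
TRUSTED = {"10.0.0.1": GATEWAY_MAC}  # assumed: seeded from a static inventory

# Constructed sample: a normal ARP exchange, then an attacker lying to both sides.
SAMPLE_FRAMES = [
    build_arp(1, VICTIM_MAC, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1", dst_mac="ff:ff:ff:ff:ff:ff"),
    build_arp(2, GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.5"),
    build_arp(2, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.5"),   # "I am the gateway"
    build_arp(2, ATTACKER_MAC, "10.0.0.5", GATEWAY_MAC, "10.0.0.1"),  # "I am the victim"
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_FRAMES, TRUSTED):
        print("ALERT", alert)
    # Seen from a third host's card, only the broadcast request would have arrived.
    print([frame_reaches_host(f, "00:11:22:33:44:99") for f in SAMPLE_FRAMES])
```

The forwarding check models the switch, not the NIC: putting the card into promiscuous mode does not help, because the three unicast replies are never sent to that port in the first place. That is also why the detector has to run on the victim, on the gateway, or on a SPAN port that mirrors them; on an ordinary access port it only ever sees the broadcast request.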