I'm trying to find email addresses with a regular expression from a specific source IP that is sending spam from the corporate office.

I'm using EnCase software for data analysis and I need to create a full listing of email and IP destinations.

Is there a way to capture frames that contain an email address and to see them in a column?

I'm using this filter: ip.src== frame contains "mailto:" but I would like to use a regex to catch the destination email address.

I'm using these regexes for the email but I do not know how to input them in Wireshark:

\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b

[a-z#~.!#$%\^&*()-]+@[a-z#-]+\.(com|biz|de|edu|gov|info|mil|net|org|tv|uk|jp)

[a-z#~.!#$%\^&*()-]+@[a-z#-]+\.[a-z#_.-]+


Is there anybody who could help me please? Thanks.

asked 02 May '13, 01:06


Your question is really off-topic on this site, as we are discussing Wireshark issues here and not Encase product configuration issues.

I'm sure you have a valid license and thus you are entitled to call the EnCase support hotline regarding any product configuration issues.



answered 02 May '13, 04:12


Kurt Knochner ♦

Why create a forum if I'm not allowed to post questions?? This is not an EnCase problem (because I have some answers with EnCase). I need to give answers in real time for my company. This is a legal problem; I have to give information about a user who is sending sex spam.

I think that my question is not off topic!! It is the reality of French law in enterprises.

(02 May '13, 04:24) arnaud68fr

Why create a forum if I'm not allowed to post questions??

Well, you are allowed to post a question. In fact, I'm currently answering your question.

I'm using these regexes for the email but I do not know how to input them in Wireshark:

As you are asking for a Wireshark regexp, here we go.

Please use this display filter.

ip.addr eq x.x.x.x and frame matches "[A-Za-z0-9+_%-]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+"

The regexp may not be perfect, but it will match everything that looks like an e-mail address.

[email protected]

As you don't know what the domain looks like (could be [email protected]), I did not restrict the length of the pattern, which might then also match something that is not a valid domain/host name.

(02 May '13, 05:02) Kurt Knochner ♦

If you want to match packets that contain the whole string, you can use:

frame matches "[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}"

However, the whole string can be split across packets, which the filter does not catch. Over what protocols do you expect the email addresses to be sent? HTTP? If so, make sure you have reassembly enabled and then use the filter:

http matches "[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}"

But other tools might be a better choice in your case.


answered 02 May '13, 04:43

SYN-bit ♦♦
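An added illustration of SYN-bit's caveat (not code from any answer on this page): the same regex is run once per segment, as "frame matches" would, and once over the joined TCP stream, as "http matches" with reassembly enabled would. The frames are constructed sample data and the Python re module stands in for Wireshark's PCRE matching.

```python
import re
from collections import defaultdict

# Regex from SYN-bit's answer. Wireshark's "matches" operator is
# case-insensitive, so re.IGNORECASE mirrors it here.
EMAIL_RE = re.compile(rb"[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}", re.IGNORECASE)

# Constructed sample traffic: (frame number, TCP stream id, payload).
# Stream 0 carries one HTTP POST whose recipient address is split across
# two segments right after the "@"; stream 1 carries an address intact.
FRAMES = [
    (1, 0, b"POST /send HTTP/1.1\r\nHost: webmail.example.test\r\n\r\nto=victim.name@"),
    (2, 0, b"example.test&subject=hello"),
    (3, 1, b"POST /send HTTP/1.1\r\nHost: webmail.example.test\r\n\r\nto=admin@example.test"),
]


def scan_per_frame(frames):
    """Like 'frame matches ...': each segment is searched on its own,
    so an address straddling a segment boundary is missed."""
    hits = {}
    for frame_no, _stream, payload in frames:
        found = [m.decode() for m in EMAIL_RE.findall(payload)]
        if found:
            hits[frame_no] = found
    return hits


def scan_reassembled(frames):
    """Like 'http matches ...' with TCP reassembly on: all segments of a
    stream are joined before the regex is applied."""
    streams = defaultdict(bytearray)
    for _frame_no, stream, payload in frames:
        streams[stream].extend(payload)
    return {s: [m.decode() for m in EMAIL_RE.findall(bytes(data))]
            for s, data in streams.items()}


if __name__ == "__main__":
    print("per frame:   ", scan_per_frame(FRAMES))     # only frame 3 hits
    print("reassembled: ", scan_reassembled(FRAMES))   # both streams hit
```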

Dear Kurt and SYN-bit,

Thanks a lot for your help, it's working fine.

Best regards,


(02 May '13, 08:59) arnaud68fr
question asked: 02 May '13, 01:06

question was seen: 3,610 times

last updated: 02 May '13, 09:35

p​o​w​e​r​e​d by O​S​Q​A