This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I'm trying to see email address with regular expression from a specific source IP that is doing spam from the corporate office.

I m using EnCase Software for data analysis and I need to create a full listing email and IP destination.

Is there a way to capture frame who contains Email Address and to see them in a column ?

I'm using tis command : ip.src==192.168.217.128/24 frame contains "mailto:" but I would like to use regex to catch the destination email target

I'm using those regex for the email but I do not know how to input them in Wireshark :

\b[A-Z0-9._%+-][email protected][A-Z0-9.-]+.[A-Z]{2,4}\b

[a-z#~.!#$%\^&*()-][email protected][a-z#-]+.(com)|(biz)|(de)|(edu)|(gov)|(info)|(mil)|(net)|(org)|(tv)|(uk)|(jp)

[a-z#~.!#$%\^&*()-][email protected][a-z#-]+.[a-z#_-.]+

[a-z0-9!#$%&'+/=?^{|}~-]+(?:.[a-z0-9!#$%&'*+/=?^{|}~-]+)@(?:a-z0-9?.)+a-z0-9?

Is there anybody who could help me please ? thx

http://imagebin.org/256053 http://imagebin.org/256054 http://imagebin.org/256056

asked 02 May '13, 01:06

arnaud68fr's gravatar image

arnaud68fr
11114
accept rate: 0%


Your question is really off-topic on this site, as we are discussing Wireshark issues here and not Encase product configuration issues.

I'm sure you have a valid license and thus your are entitled to call the Encase support hotline regarding any product configuration issues.

http://www.guidancesoftware.com/customer-service.htm

Regards
Kurt

permanent link

answered 02 May '13, 04:12

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Why creating a forum if I m not allow to post question ?? This is not a encase problem (cause I have some answer with encase) I need to give answer in real time for my company ? This is a law problem, I have to give information about a user who is doing sex spam.

I think that my question is not out of topic !! but reality for french law's in enterprise.

(02 May '13, 04:24) arnaud68fr
1

Why creating a forum if I m not allow to post question ??

well, you are allowed to post a question. In fact I'm currently answering your question.

I'm using those regex for the email but I do not know how to input them in Wireshark :

As you are asking for a Wireshark regexp, here we go.

Pleas use this Display filter.

ip.addr eq x.x.x.x and frame matches "[A-Za-z0-9+-_%][email protected]([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+"

The regexp may not be perfect, but it will match everything that looks like an e-mail address

[email protected]

As you don't know how the domain looks like (could be [email protected]) I did not restrict the length of the pattern, which might also then match to something that is not a valid domain/host name.

(02 May '13, 05:02) Kurt Knochner ♦

If you want to match packets that contain the whole string, you can use:

frame matches "[A-Z0-9._%+-][email protected][A-Z0-9.-]+.[A-Z]{2,4}"

However, the whole string can be split accross packets which the filter does not catch. Over what protocols do you expect the email addresses to be sent? Http? If so, make sure you have reassembly enabled and then use the filter:

http matches "[A-Z0-9._%+-][email protected][A-Z0-9.-]+.[A-Z]{2,4}"

But other tools might be a better choice in your case.

permanent link

answered 02 May '13, 04:43

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Dear Kurt and SYN-bit,

Thanks a lot for your help, it's working fine.

Best regards,

Arnaud

(02 May '13, 08:59) arnaud68fr
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×10
×2

question asked: 02 May '13, 01:06

question was seen: 3,232 times

last updated: 02 May '13, 09:35

p​o​w​e​r​e​d by O​S​Q​A