Hi all! I created an e-mail anti spam system and I need to test it against an anti spam product that I hired. I duplicated the port from where my e-mail's packages come, so now my homemade system and the official product both receive the same packages. My system needs to "see" the entire e-mail in order to classify it. Now I'm running an offline test, so I captured all packages from this port with Wireshark. I used the filter tcp.srcport == 25 and exported every package from this port to a txt file. Now I have to make a program with some logic that groups sequentially all packages with text from an e-mail and recreates every one of them manually. How can I make it easier with Wireshark? I mean, is there a way that I can get a complete e-mail without having to process the txt file in order to recreate it package by package? I'm open to new ideas even if I'm using the wrong product to capture the packages. Thanks a lot! Kind Regards!
asked 23 May '13, 09:48 Anthony
One Answer:
Did you try using the "Follow TCP Stream" option from the popup menu? It should display the reassembled email content in readable format unless it is encrypted or packets are missing.
answered 23 May '13, 11:27 Jasper ♦♦

That's exactly what I'm looking for. Just one more doubt. I collected all packages during 10 minutes. The "Follow TCP Stream" allows me to reassemble email by email. How can I do that for like 100 000 packages and reassemble all emails at once? Many thanks! (28 May '13, 20:28) Anthony

With a tool like xplico (http://www.xplico.org/) (28 May '13, 23:17) Kurt Knochner ♦

Ok, but can I reassemble all emails at once with Wireshark? (30 May '13, 20:16) Anthony
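Two things from this thread are worth making concrete, and neither is in the original posts. First, "Follow TCP Stream" is also available on the command line: tshark's `-z follow,tcp,ascii,N` prints the reassembled bytes of stream number N, so a shell loop over stream numbers gives every stream of a capture in one run. Second, the filter `tcp.srcport == 25` in the question keeps only the server's side of each connection; the message text is sent by the client towards port 25, so the capture needs both directions (`tcp.port == 25`). The script below is an added example, written for this page rather than taken from Wireshark or from anyone in the thread. It does by hand what Follow TCP Stream does (orders segments by sequence number, drops retransmitted bytes, refuses gaps) for every client-to-server SMTP connection in a libpcap file, and cuts each message out between the DATA command and the `<CRLF>.<CRLF>` terminator, undoing SMTP dot-stuffing. It assumes a plaintext SMTP session, an Ethernet link layer, and the classic pcap format (Wireshark since 1.8 saves as pcapng by default, so choose pcap when saving); the sample capture it runs on is constructed in memory, not a real trace.

```python
import struct
from collections import defaultdict

def parse_pcap(data):
    """Yield link-layer frames from an in-memory libpcap file (pcapng is not handled)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data, 0)[0]]
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:   # 1 = LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    return ip[12:16], sport, ip[16:20], dport, seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(segments):
    """Stitch (seq, payload) pairs into one stream the way Follow TCP Stream does:
    order by sequence number, drop retransmitted/overlapping bytes, refuse gaps."""
    out, expected = bytearray(), None
    for seq, payload in sorted((s for s in segments if s[1]), key=lambda s: s[0]):
        expected = seq if expected is None else expected
        if seq > expected:
            raise ValueError("missing segment before seq %d" % seq)
        keep = payload[expected - seq:]            # skip bytes already delivered
        out += keep
        expected += len(keep)
    return bytes(out)

def extract_messages(client_stream):
    """Cut each message out of the client->server stream: it begins after the
    client's DATA command and ends at <CRLF>.<CRLF>; dot-stuffing is undone."""
    messages, pos = [], 0
    while True:
        start = client_stream.find(b"DATA\r\n", pos)
        if start < 0:
            return messages
        pos = start + 6
        if start and client_stream[start - 2:start] != b"\r\n":
            continue                               # "DATA" not at a line start
        end = client_stream.find(b"\r\n.\r\n", pos - 2)
        if end < 0:
            return messages                        # capture stopped mid-message
        body = client_stream[pos:end].replace(b"\r\n..", b"\r\n.")
        messages.append(body[1:] if body.startswith(b"..") else body)
        pos = end + 5

def emails_from_pcap(pcap_bytes, smtp_port=25):
    """Every message in the capture, one TCP connection toward the SMTP port at a time."""
    streams = defaultdict(list)
    for frame in parse_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg and seg[3] == smtp_port:            # message bytes travel TOWARD port 25
            streams[seg[:4]].append(seg[4:])
    found = []
    for segs in streams.values():
        found.extend(extract_messages(reassemble(segs)))
    return found

def build_frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # checksums left at zero (constructed data)

def build_pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1369300000 + i, 0, len(f), len(f)) + f
    return bytes(out)

def sample_pcap():
    """Constructed two-message session (not a real trace): the halves of the first
    message arrive swapped and the DATA command is retransmitted."""
    c, s = (b"\x0a\x00\x00\x05", 51000), (b"\xc0\x00\x02\x0a", 25)
    msg1 = b"Subject: one\r\n\r\nfirst line\r\n..dot line\r\nend"   # '..' = dot-stuffed '.'
    msg2 = b"Subject: two\r\n\r\nsecond message"
    env = [b"MAIL FROM:<alice@example.com>\r\n", b"RCPT TO:<bob@example.net>\r\n", b"DATA\r\n"]
    client = ([b"EHLO c.example\r\n"] + env + [msg1[:20], msg1[20:], b"\r\n.\r\n"]
              + env + [msg2, b"\r\n.\r\n", b"QUIT\r\n"])
    frames, seq = [], 1000
    for i, chunk in enumerate(client):
        frames.append(build_frame(c[0], c[1], s[0], s[1], seq, chunk))
        frames.append(build_frame(s[0], s[1], c[0], c[1], 5000 + 8 * i, b"250 OK\r\n"))
        seq += len(chunk)
    frames[8], frames[10] = frames[10], frames[8]  # msg1[:20] and msg1[20:] swapped
    frames.append(frames[6])                        # DATA command retransmitted
    return build_pcap(frames)

if __name__ == "__main__":
    for n, m in enumerate(emails_from_pcap(sample_pcap()), 1):
        print("--- message %d ---\n%s" % (n, m.decode()))
```

To run it on a real file, replace `sample_pcap()` with the bytes read from a capture saved in pcap format. The reassembler raises on a gap rather than silently joining the pieces, which is the same situation in which Follow TCP Stream shows a hole; for an anti-spam test it is better to know a message was incomplete than to classify a truncated one. Sequence-number wraparound, IPv6 and TLS-protected sessions are out of scope for this example.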