This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HELP! Capturing an entire e-mail using Wireshark

Hi all! I created an e-mail anti-spam system and I need to test it against an anti-spam product that I hired. I duplicated the port from which my e-mail packets come, so now my homemade system and the official product both receive the same packets. My system needs to "see" the entire e-mail in order to classify it. Right now I'm running an offline test, so I captured all packets from this port with Wireshark. I used the filter tcp.srcport == 25 and exported every packet from this port to a txt file. Now I have to write a program with some logic that groups all packets containing text from an e-mail in sequence and recreates every one of them manually. How can I make this easier with Wireshark? I mean, is there a way that I can get a complete e-mail without having to process the txt file in order to recreate it packet by packet? I'm open to new ideas, even if I'm using the wrong product to capture the packets. Thanks a lot! Kind regards!

asked 23 May '13, 09:48

Anthony

One Answer:

Did you try using the "Follow TCP Stream" option from the popup menu? It should display the reassembled e-mail content in readable format unless it is encrypted or packets are missing.

answered 23 May '13, 11:27

Jasper

That's exactly what I'm looking for. Just one more question. I collected all packets for 10 minutes. "Follow TCP Stream" allows me to reassemble e-mail by e-mail. How can I do that for something like 100,000 packets and reassemble all e-mails at once?

Many thanks!

(28 May '13, 20:28) Anthony

With a tool like xplico (http://www.xplico.org/).

(28 May '13, 23:17) Kurt Knochner

OK, but can I reassemble all e-mails at once with Wireshark?

(30 May '13, 20:16) Anthony
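The bulk version of what "Follow TCP Stream" does for one connection, as an added example that is not from the original thread, from xplico or from the Wireshark project: a Python 3 script (standard library only) that walks a classic libpcap file, stitches the client-to-server half of every TCP connection to port 25 back together by sequence number, and pulls out each message between the DATA command and the terminating <CRLF>.<CRLF>. The capture it reads is constructed inline, and the addresses, ports and function names are assumptions for the example. One point the question glosses over: the message text flows toward port 25, so a capture filtered on tcp.srcport == 25 holds only the server's replies (banner, 250 OK, 354); filter on tcp.port == 25, or tcp.dstport == 25, to keep the message bytes.

```python
import re
import struct
from collections import defaultdict

SMTP_PORT = 25
DATA_CMD = re.compile(rb"(?:^|\r\n)DATA\r\n", re.IGNORECASE)
END_OF_DATA = b"\r\n.\r\n"        # <CRLF>.<CRLF> ends the message text (RFC 5321)

def build_tcp_packet(src_ip, sport, dst_ip, dport, seq, payload):
    """Ethernet/IPv4/TCP frame for the constructed capture (checksums left zero)."""
    ip4 = lambda a: bytes(map(int, a.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Classic libpcap file: magic 0xa1b2c3d4, LINKTYPE_ETHERNET."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1369300000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def iter_tcp_segments(pcap):
    """Yield (src_ip, sport, dst_ip, dport, seq, payload) for every TCP segment."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian libpcap file (pcapng not handled)")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        frame, pos = pcap[pos + 16:pos + 16 + incl_len], pos + 16 + incl_len
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                            # not TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        yield (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])),
               dport, seq, tcp[(tcp[12] >> 4) * 4:])

def reassemble(pcap, dport=SMTP_PORT):
    """Stitch the client->server half of every connection by sequence number.
    Returns {(src_ip, sport, dst_ip, dport): (payload, gaps)}; each gap is the
    sequence number at which bytes were missing from the capture."""
    segments = defaultdict(dict)
    for src, sport, dst, dp, seq, payload in iter_tcp_segments(pcap):
        if dp != dport or not payload:            # wrong direction / pure ACK
            continue
        key = (src, sport, dst, dp)
        if len(payload) > len(segments[key].get(seq, b"")):
            segments[key][seq] = payload          # keep the longest copy per seq
    streams = {}
    for key, segs in segments.items():
        data, gaps, expected = bytearray(), [], None
        for seq in sorted(segs):
            payload = segs[seq]
            if expected is None or seq == expected:
                data += payload
            elif seq < expected:                  # retransmission / overlap
                data += payload[expected - seq:]
            else:                                 # hole: packets were not captured
                gaps.append(expected)
                data += payload
            expected = max(expected or 0, seq + len(payload))
        streams[key] = (bytes(data), gaps)
    return streams

def extract_messages(stream):
    """Message bodies from one client->server SMTP stream: the bytes between the
    DATA command and <CRLF>.<CRLF>, with dot-stuffing ("..") undone."""
    messages, pos = [], 0
    while True:
        m = DATA_CMD.search(stream, pos)
        end = stream.find(END_OF_DATA, m.end() - 2) if m else -1
        if end < 0:                               # no DATA left, or message truncated
            return messages
        lines = stream[m.end():end].split(b"\r\n")
        messages.append(b"\r\n".join(l[1:] if l.startswith(b"..") else l for l in lines))
        pos = end + len(END_OF_DATA)

def collect_messages(pcap):
    """[(stream_key, [message, ...], captured_completely), ...] for the whole file."""
    return [(key, extract_messages(data), not gaps)
            for key, (data, gaps) in sorted(reassemble(pcap).items())]

def sample_pcap():
    """Constructed capture (not real traffic): three SMTP sessions to 10.0.0.25,
    one out of order with a retransmission, one intact, one with a lost segment,
    plus a server reply from port 25 that carries no message content."""
    server = "10.0.0.25"
    frames = [build_tcp_packet(server, SMTP_PORT, "10.0.0.1", 40001, 1000, b"220 mx ready\r\n")]

    def session(client, sport, msg, order=None):
        pieces = [b"EHLO %b\r\nMAIL FROM:<a@example.test>\r\nRCPT TO:<b@example.test>\r\nDATA\r\n"
                  % client.encode(), msg[:20], msg[20:], END_OF_DATA + b"QUIT\r\n"]
        seqs = [1 + sum(map(len, pieces[:i])) for i in range(len(pieces))]
        segs = [build_tcp_packet(client, sport, server, SMTP_PORT, s, p) for s, p in zip(seqs, pieces)]
        return [segs[i] for i in (order or range(len(segs)))]

    frames += session("10.0.0.1", 40001, b"Subject: one\r\n\r\nhello\r\n..leading dot line", [0, 2, 1, 3, 1])
    frames += session("10.0.0.2", 40002, b"Subject: two\r\n\r\nsecond body")
    frames += session("10.0.0.3", 40003, b"Subject: three\r\n\r\nthird body, half lost", [0, 2, 3])
    return build_pcap(frames)
```

Streams with a hole are still returned but flagged as incomplete, because a segment lost by the capture leaves a gap that Follow TCP Stream would also show as missing; discard those rather than classify a partial message. Sessions upgraded with STARTTLS cannot be recovered this way at all. Within Wireshark's own tooling, tshark does the same loop without hand-processing a text export: `tshark -r capture.pcap -T fields -e tcp.stream | sort -nu` lists the stream numbers and `tshark -r capture.pcap -q -z follow,tcp,ascii,N` prints the reassembled content of stream N, so a shell loop over N covers all of them. This script reads only the classic pcap format; a pcapng file (Wireshark's default since 1.8) has to be converted first, for example with `editcap -F pcap` (older versions name the format `libpcap`).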