This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have used Wireshark in University a little bit when I was studying Computer security and forensics. But now that I am employed as a IT security officer my company is looking at implementing a email monitoring solution on our network.

Does anyone know if it's possible for Wireshark to perform the following task?

Filter all SMTP traffic within a set IP range and show the destination address and attachment format. But exclude the internal email address domain from the results.

Basically the purpose of this is because we have a policy in place that all emails containing attachments that are sent outside of the company must be encrypted using 7zip. Therefore we are keen to enforce this to prevent any leakage of sensitive information.

asked 09 Aug '11, 06:18

RogueViper's gravatar image

RogueViper
1111
accept rate: 0%


Wouldn't this be better handled by your email server, presuming you have an internal one that all users send their email to?

If you allow all users to directly transmit emails to some outside server then life will be more difficult.

permanent link

answered 09 Aug '11, 07:07

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Ok thanks. This is my first job in IT since graduating so I am on a massive learning curve. This is something my boss asked me to investigate. Thanks for the suggestion.

(09 Aug '11, 10:47) RogueViper

As @grahamb pointed out, it's better processed by email server with a plugin. In case you really need to process it at packet level, you may want to learn something basic on packet programming. More specifically

  • read packets using libpcap (or other equivalent)
  • Classify each (tcp) packets into the right TCP sessions.
  • Assemble the data for SMTP sessions and check MIME headers and perform your logic there.

You may find you really learned a lot about networking and you feel like a network expert :-)

permanent link

answered 27 Sep '16, 06:37

sharkfun's gravatar image

sharkfun
26559
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×34
×20

question asked: 09 Aug '11, 06:18

question was seen: 4,505 times

last updated: 27 Sep '16, 06:37

p​o​w​e​r​e​d by O​S​Q​A