This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Email attachment filter question?

0

I have used Wireshark in University a little bit when I was studying Computer security and forensics. But now that I am employed as an IT security officer my company is looking at implementing an email monitoring solution on our network.

Does anyone know if it's possible for Wireshark to perform the following task?

Filter all SMTP traffic within a set IP range and show the destination address and attachment format. But exclude the internal email address domain from the results.

Basically the purpose of this is because we have a policy in place that all emails containing attachments that are sent outside of the company must be encrypted using 7zip. Therefore we are keen to enforce this to prevent any leakage of sensitive information.

asked 09 Aug '11, 06:18

RogueViper
accept rate: 0%


2 Answers:

0

Wouldn't this be better handled by your email server, presuming you have an internal one that all users send their email to?

If you allow all users to directly transmit emails to some outside server then life will be more difficult.

answered 09 Aug '11, 07:07

grahamb ♦
accept rate: 22%

Ok thanks. This is my first job in IT since graduating so I am on a massive learning curve. This is something my boss asked me to investigate. Thanks for the suggestion.

(09 Aug '11, 10:47) RogueViper

0

As @grahamb pointed out, it's better processed by the email server with a plugin. In case you really need to process it at the packet level, you may want to learn something basic about packet programming. More specifically:

  • Read packets using libpcap (or other equivalent).
  • Classify each (TCP) packet into the right TCP session.
  • Assemble the data for SMTP sessions, check MIME headers and perform your logic there.

You may find you really learned a lot about networking and you feel like a network expert :-)

answered 27 Sep '16, 06:37

sharkfun
accept rate: 0%
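
The last step listed in the answer above (checking the MIME content of a reassembled SMTP session), sketched as an added example that is not part of the original thread or anyone's posted code. It assumes the client-to-server bytes of one session have already been reassembled from the capture; the function names, the `corp.example` domain and the sample session are constructed for illustration, and the check looks for the 7z container signature rather than trusting the file extension.

```python
import email
import re
from email import policy
from email.message import EmailMessage

RCPT_RE = re.compile(rb"RCPT TO:\s*<([^>]+)>", re.IGNORECASE)
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7z container signature; does not prove encryption

def check_message(raw, rcpts, internal_domain):
    """Return a finding if an external recipient gets a non-7z attachment."""
    external = [r for r in rcpts if not r.endswith("@" + internal_domain.lower())]
    msg = email.message_from_bytes(raw, policy=policy.default)
    bad = [p.get_filename() or "(unnamed)" for p in msg.walk()
           if (p.get_content_disposition() == "attachment" or p.get_filename())
           and not (p.get_payload(decode=True) or b"").startswith(SEVENZ_MAGIC)]
    return [{"external_rcpts": external, "attachments": bad}] if external and bad else []

def audit_smtp_stream(stream, internal_domain):
    """Audit one reassembled client-to-server SMTP stream (plaintext DATA only, no STARTTLS/BDAT)."""
    findings, rcpts, body, in_data = [], [], [], False
    for line in stream.split(b"\r\n"):
        if in_data:
            if line == b".":  # end-of-data marker closes the message
                findings += check_message(b"\r\n".join(body), rcpts, internal_domain)
                rcpts, body, in_data = [], [], False
            else:  # undo dot-stuffing: the client doubles a leading "."
                body.append(line[1:] if line.startswith(b".") else line)
        elif m := RCPT_RE.match(line):
            rcpts.append(m.group(1).decode("ascii", "replace").lower())
        elif line.upper() == b"DATA":
            in_data = True
        elif line.upper().startswith((b"MAIL FROM:", b"RSET")):
            rcpts = []  # a new transaction discards earlier recipients
    return findings

def sample_session(rcpt, filename, payload):
    """Constructed sample: one SMTP session carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@corp.example", rcpt, "report"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    data = msg.as_bytes(policy=policy.SMTP).rstrip(b"\r\n")
    return (b"EHLO ws1.corp.example\r\nMAIL FROM:<alice@corp.example>\r\n"
            b"RCPT TO:<" + rcpt.encode() + b">\r\nDATA\r\n" + data + b"\r\n.\r\nQUIT\r\n")

if __name__ == "__main__":
    s = sample_session("bob@partner.example", "q3.pdf", b"%PDF-1.4 (constructed)")
    print(audit_smtp_stream(s, "corp.example"))
```

Sessions that negotiate STARTTLS are opaque at the packet level, which is one practical reason the check is easier to run on the mail server itself.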