This is our old Q&A Site. Please post any new questions and answers at

Hello! I am relatively new to Wireshark, and I want to capture the POP3 protocol. I am using Ethernet, Wireshark, and Gmail or Hotmail. The thing is, I have tried many times to do that and there are no POP, SMTP or IMAP packets shown in Wireshark; when I type them in the filter bar at the top, all I get is an empty window. How can I manage to show those packets over the network??? Is there some security which I need to deactivate or something else???

asked 22 May '17, 12:23

Joy Boy

Well, I assume you're accessing those mail servers via web browser? Or do you use a mail client like Thunderbird? If you're using a web browser you won't see POP, SMTP or IMAP because it is all done over HTTPS.

answered 22 May '17, 12:25

Jasper ♦♦

I have tried using Thunderbird with my Gmail account, and it still does not work. I have enabled untrusted apps in Gmail, and all protocols are enabled in Wireshark.

(22 May '17, 12:28) Joy Boy

Or I am using it the wrong way. Also, I am running everything with administrator permission.

(22 May '17, 12:29) Joy Boy

But I did send mail over Thunderbird, and then opened it via Firefox. Could I possibly send mail over my phone and then open it via Thunderbird, would it then work??

(22 May '17, 12:30) Joy Boy

Check ports that are used, maybe POP also uses the encrypted protocol versions. Running as admin isn't required by the way.

You can check if you have unencrypted POP3, IMAP and SMTP traffic by filtering for

tcp.port==25 or tcp.port==110 or tcp.port==143

If no packets are left, your mail program doesn't use the non-encrypted ports. In that case check for encrypted ports:

tcp.port==465 or tcp.port==587 or tcp.port==993 or tcp.port==995

If those show packets, your communication is using the encrypted ports and you won't be able to read clear text.

(22 May '17, 12:53) Jasper ♦♦

I will post here, because now I have an image. Finally, tcp.port==995 managed to show some results. Now, is there anything useful which I can extract from this data? Clear text is not that important, but at least a small portion of text is required...

(22 May '17, 13:26) Joy Boy

tcp.port==995 is what finally showed some results, as in the image posted below

(22 May '17, 13:26) Joy Boy

Does the image need to be bigger...

(22 May '17, 13:27) Joy Boy

Thank You for the help!

(22 May '17, 13:27) Joy Boy

As you can see your communication is encrypted (TLS v1.2), so no clear text of any email. You'll need to find a mail server that still does unencrypted POP3, but for that you'll probably have to run your own server. All the big commercial ones are probably not offering that anymore.

(22 May '17, 13:28) Jasper ♦♦

Oh, well that puts some new implications on the process. But, sure, it would be good to check the possibility of running a personal version of some server. Thank You!!!

(22 May '17, 15:41) Joy Boy
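
An added example, not part of the original thread: a small Python check that applies the port test from the answer above and goes one step further by inspecting the first payload bytes of a flow, since the port number alone does not prove whether TLS is in use. The sample payloads and the host name `mail.example.test` are constructed for illustration.

```python
import struct

# Ports named in the answer above, mapped to the service usually found there.
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP",
              465: "SMTP", 587: "SMTP", 993: "IMAP", 995: "POP3"}

# Cleartext server greetings of each protocol.
GREETINGS = {"POP3": (b"+OK", b"-ERR"),
             "IMAP": (b"* OK", b"* PREAUTH", b"* BYE"),
             "SMTP": (b"220 ", b"220-")}


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    # 20..23 = change_cipher_spec, alert, handshake, application_data
    return (20 <= ctype <= 23 and major == 3 and minor <= 4
            and 0 < length <= 16384 + 2048)


def classify(port: int, first_payload: bytes) -> str:
    """Classify the first TCP payload seen on one of the mail ports."""
    service = MAIL_PORTS.get(port)
    if service is None:
        return "not a mail port"
    if looks_like_tls(first_payload):
        return f"{service}: TLS (content not readable)"
    if first_payload.startswith(GREETINGS[service]):
        return f"{service}: cleartext"
    return f"{service}: unknown"


# Constructed samples: (port, first payload bytes of the flow).
SAMPLE_FLOWS = [
    (995, bytes.fromhex("16030100c8010000c40303")),  # start of a ClientHello
    (110, b"+OK POP3 server ready\r\n"),
    (587, b"220 mail.example.test ESMTP\r\n"),        # greeting before any STARTTLS
    (143, b"* OK IMAP4rev1 ready\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLE_FLOWS:
        print(port, "->", classify(port, data))
```
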
question asked: 22 May '17, 12:23

question was seen: 8,884 times

last updated: 22 May '17, 15:41
