Hello! I am relatively new to Wireshark, and I want to capture the POP3 protocol. I am using Ethernet, Wireshark, and Gmail or Hotmail. The thing is, I have tried many times to do that and there are no POP, SMTP or IMAP filters to be shown in Wireshark; when I type them in the filter bar at the top, all I get is an empty window. How can I manage to show those packets over the network? Is there some security which I need to deactivate, or something else? asked 22 May '17, 12:23 Joy Boy
One Answer:
Well, I assume you're accessing those mail servers via a web browser? Or do you use a mail client like Thunderbird? If you're using a web browser you won't see POP, SMTP or IMAP, because it is all done over HTTPS. answered 22 May '17, 12:25 Jasper
I have tried using Thunderbird with my Gmail account, and it still does not work. I have enabled untrusted apps in Gmail, and all protocols are enabled in Wireshark,
or I am using it the wrong way. Also, I am running everything with administrator permission.
But I did send mail over Thunderbird and then opened it via Firefox. Could I possibly send mail from my phone and then open it via Thunderbird; would it then work?
Check ports that are used, maybe POP also uses the encrypted protocol versions. Running as admin isn't required by the way.
You can check if you have unencrypted POP3, IMAP and SMTP traffic by filtering for
If no packets are left, your mail program doesn't use the non-encrypted ports. In that case check for encrypted ports:
If those show packets, your communication is using the encrypted ports and you won't be able to read clear text.
I will post here, because now I have an image. Finally, tcp.port==995 managed to show some results. Now, is there anything useful which I can extract from this data? Clear text is not that important, but at least a small portion of text is required...
tcp.port==995 is what finally showed some results, as in the image posted below.
does the image need to be bigger...
Thank You for the help!
As you can see your communication is encrypted (TLS v1.2), so no clear text of any email. You'll need to find a mail server that still does unencrypted POP3, but for that you'll probably have to run your own server. All the big commercial ones are probably not offering that anymore.
Oh, well, that puts some new implications on the process. But, sure, it would be good to check the possibility of running a personal version of some server. Thank you!
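The port check described in the comments above (clear-text mail ports versus the TLS-wrapped ones, and the TLS 1.2 handshake visible on tcp.port==995), as an added example that is not part of the original thread: it classifies a TCP segment by destination port and looks for a TLS ClientHello in the payload, which also catches STARTTLS upgrades on a clear-text port. The port table, sample segments and helper names are constructed for this example.

```python
"""Classify captured TCP segments as clear-text mail, TLS-wrapped mail, or other."""
import struct

# Well-known mail ports: name and whether the port is TLS-wrapped by convention (constructed table).
MAIL_PORTS = {
    25: ("SMTP", False), 587: ("SMTP submission", False),
    110: ("POP3", False), 143: ("IMAP", False),
    465: ("SMTPS", True), 995: ("POP3S", True), 993: ("IMAPS", True),
}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def tls_client_hello_version(payload: bytes):
    """Return the client_version name if payload starts with a TLS ClientHello, else None."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3); client_version(2).
    # A TLS 1.3 client still puts 0x0303 here and signals 1.3 in an extension, so this reads the legacy field.
    if len(payload) < 11 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    if rec_len < 6:
        return None
    client_version = struct.unpack("!H", payload[9:11])[0]
    return TLS_VERSIONS.get(client_version, f"unknown 0x{client_version:04x}")


def classify(dport: int, payload: bytes) -> dict:
    """Decide whether a segment is mail traffic and whether it is (or is becoming) encrypted."""
    name, tls_port = MAIL_PORTS.get(dport, ("non-mail", False))
    version = tls_client_hello_version(payload)
    # A ClientHello on a clear-text port means STARTTLS/STLS upgraded the session.
    return {"protocol": name, "tls_port": tls_port,
            "encrypted": tls_port or version is not None, "tls_version": version}


def display_filter(encrypted: bool) -> str:
    """Build the Wireshark display filter for the clear-text or the TLS-wrapped mail ports."""
    ports = sorted(p for p, (_, tls) in MAIL_PORTS.items() if tls == encrypted)
    return " || ".join(f"tcp.port == {p}" for p in ports)


# Constructed sample segments: a POP3 banner on 110 and a minimal TLS 1.2 ClientHello on 995.
CLIENT_HELLO = bytes.fromhex("160301000d" "01000009" "0303" + "00" * 7)
SAMPLES = [(110, b"+OK POP3 server ready\r\n"), (995, CLIENT_HELLO), (110, CLIENT_HELLO)]

if __name__ == "__main__":
    for dport, payload in SAMPLES:
        print(dport, classify(dport, payload))
    print("clear-text filter:", display_filter(False))
    print("encrypted filter: ", display_filter(True))
```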