This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capturing POP3

0

Hello! I am relatively new to Wireshark, and I want to capture the POP3 protocol. I am using Ethernet, Wireshark, and Gmail or Hotmail. The thing is, I have tried many times to do that and there are no POP, SMTP or IMAP filters to be shown in Wireshark; when I type them in the filter bar at the top, all I get is an empty window. How can I manage to show those packets on the network? Is there some security which I need to deactivate, or something else?

asked 22 May '17, 12:23


Joy Boy
6112
accept rate: 0%


One Answer:

0

Well, I assume you're accessing those mail servers via a web browser? Or do you use a mail client like Thunderbird? If you're using a web browser you won't see POP, SMTP or IMAP, because it is all done over HTTPS.

answered 22 May '17, 12:25


Jasper ♦♦
23.8k551284
accept rate: 18%

I have tried using Thunderbird with my Gmail account, and it still does not work. I have enabled untrusted apps in Gmail, and all protocols are enabled in Wireshark.

(22 May '17, 12:28) Joy Boy

Or I am using it the wrong way. Also, I am running everything with administrator permission.

(22 May '17, 12:29) Joy Boy

But I did send mail over Thunderbird, and then opened it via Firefox. Could I possibly send mail over my phone and then open it via Thunderbird? Would it then work?

(22 May '17, 12:30) Joy Boy

Check ports that are used, maybe POP also uses the encrypted protocol versions. Running as admin isn't required by the way.

You can check if you have unencrypted POP3, IMAP and SMTP traffic by filtering for

tcp.port==25 or tcp.port==110 or tcp.port==143

If no packets are left, your mail program doesn't use the non-encrypted ports. In that case check for encrypted ports:

tcp.port==465 or tcp.port==587 or tcp.port==993 or tcp.port==995

If those show packets, your communication is using the encrypted ports and you won't be able to read clear text.

(22 May '17, 12:53) Jasper ♦♦
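The two display filters above can also be applied offline to a saved capture. The script below is an added example, not code from this thread or from the Wireshark project: using only the Python standard library it parses a classic pcap file, counts packets on the clear-text and TLS mail ports with the same port lists as the two filters, checks whether payload on the TLS ports starts with a TLS record header, and lists whatever is readable on the clear-text ports. The three packets it runs on are constructed inline (the MAC and IP addresses, port names and payloads are my own choices, not data from a real capture).

```python
"""Offline check for clear-text vs TLS mail traffic in a classic pcap file.

Mirrors the two Wireshark display filters from the comment above:
  tcp.port==25 or tcp.port==110 or tcp.port==143                   (clear text)
  tcp.port==465 or tcp.port==587 or tcp.port==993 or tcp.port==995  (TLS)
The sample packets are constructed here, not taken from a real capture.
"""
import struct

CLEAR_MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP"}
TLS_MAIL_PORTS = {465: "SMTPS", 587: "SMTP submission", 993: "IMAPS", 995: "POP3S"}


def build_frame(src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left as zero (fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, 0x18, 65535, 0, 0)          # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 1]))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic libpcap file: 24-byte global header + 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp(pcap_bytes):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP frame in the pcap."""
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                      # not IPv4-over-Ethernet carrying TCP
        tcp_off = 14 + (frame[14] & 0x0F) * 4             # skip IP header (IHL in 32-bit words)
        src, dst = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4         # TCP data offset, in 32-bit words
        yield src, dst, frame[tcp_off + data_off:]


def looks_like_tls(payload):
    """TLS record header: content type 0x14..0x17, then version bytes 0x03 0x00..0x04."""
    return (len(payload) >= 3 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03 and payload[2] <= 0x04)


def classify(pcap_bytes):
    """Count packets on the clear-text and TLS mail ports, as the two filters would match them."""
    clear, tls = {}, {}
    for src, dst, payload in iter_tcp(pcap_bytes):
        port = dst if dst in CLEAR_MAIL_PORTS or dst in TLS_MAIL_PORTS else src
        if port in CLEAR_MAIL_PORTS:
            name = CLEAR_MAIL_PORTS[port]
            clear[name] = clear.get(name, 0) + 1
        elif port in TLS_MAIL_PORTS:
            entry = tls.setdefault(TLS_MAIL_PORTS[port], {"packets": 0, "tls_records": 0})
            entry["packets"] += 1
            if looks_like_tls(payload):
                entry["tls_records"] += 1
    return {"clear": clear, "tls": tls}


def cleartext_preview(pcap_bytes):
    """Payloads on the unencrypted ports, readable as-is; this exposure is what the TLS ports remove."""
    return [payload.decode("ascii", "replace").strip()
            for src, dst, payload in iter_tcp(pcap_bytes)
            if (src in CLEAR_MAIL_PORTS or dst in CLEAR_MAIL_PORTS) and payload]


# Constructed sample: one clear POP3 command, one TLS record to POP3S, one unrelated HTTPS record.
SAMPLE_PCAP = build_pcap([
    build_frame(51000, 110, b"USER alice\r\n"),
    build_frame(51001, 995, b"\x16\x03\x03\x00\x05" + b"\x01\x00\x00\x01\x00"),
    build_frame(51002, 443, b"\x16\x03\x03\x00\x00"),
])

if __name__ == "__main__":
    print(classify(SAMPLE_PCAP))          # {'clear': {'POP3': 1}, 'tls': {'POP3S': {'packets': 1, 'tls_records': 1}}}
    print(cleartext_preview(SAMPLE_PCAP)) # ['USER alice']
```

To run it on your own file, read it with `open("capture.pcap", "rb").read()` and pass the bytes to `classify()`. Wireshark saves in pcapng format by default, which this parser does not understand, so export the capture as classic pcap first. The `tls_records` count is the offline equivalent of seeing "TLSv1.2" in the protocol column: packets on port 995 whose payload starts with a TLS record header carry nothing readable without the session keys.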

I will post here, because now I have an image. Finally, tcp.port==995 managed to show some results. Now, is there anything useful which I can extract from this data? Clear text is not that much important, but at least a small portion of text is needed...

(22 May '17, 13:26) Joy Boy

tcp.port==995 is what finally showed some results, as in the image posted below.

(22 May '17, 13:26) Joy Boy

Does the image need to be bigger...

(22 May '17, 13:27) Joy Boy

Thank You for the help!

(22 May '17, 13:27) Joy Boy

As you can see your communication is encrypted (TLS v1.2), so no clear text of any email. You'll need to find a mail server that still does unencrypted POP3, but for that you'll probably have to run your own server. All the big commercial ones are probably not offering that anymore.

(22 May '17, 13:28) Jasper ♦♦

Oh, well, that puts some new implications on the process. But, sure, it would be good to check the possibility of running a personal version of some server. Thank you!!!

(22 May '17, 15:41) Joy Boy