Analyzing SMTP attachments with WireShark

Posted on 2010-09-21
Last Modified: 2012-06-27
I use Wireshark to capture network traffic.  I can use Wireshark to view files transferred over http and I can even follow the stream of an SMTP comunication from one server to another.  I have found a way to manually copy and decode a file attachment sent with an smtp email.  

My question is, is there a way to do this automatically, given a capture file or live?  My company is suspicious of corporate espionage and we believe someone is sending emails with confidential information.
Question by:tspeicher
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2

Accepted Solution

bjove earned 250 total points
ID: 33728722
You can try xplico:

Author Comment

ID: 33728890
Looks like a nice package, but it only runs on Ubuntu?  

Author Comment

ID: 33728906
Sorry didn't look hard enough?
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.


Expert Comment

ID: 33780418
Are you interested in statistics like the number of messages and end points of those messages? You can track destinations of messages and dashboard to get a view. Software that tackles this problem tends to cost $$$. Not sure what your budget is.

Author Comment

ID: 33785267
I am looking to reassemble emails from the wireshark capture file.  I can do it manually, including grabbing the attachments and decoding them and naming them with the original name.  But I want something that will decode all of the emails contained in a capture file.

Author Comment

ID: 33834017
I was looking for a Windows based solution.  But I guess I'm out of luck.

Assisted Solution

JoeBologna earned 250 total points
ID: 33854695
You can try ApplicationVantage by Compuware. This will take the capture file and give you a thread level view for each email communication. Is it all clear text over the wire? The one down side is that this is turn on/off technology with no monitoring capability. It's a transaction profiling tool. I used this tool to traige many customers in the past and it saves the day when problems are on the plate.

Author Comment

ID: 33963964
Thanks for your info.

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
Read about achieving the basic levels of HRIS security in the workplace.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question