Jump to content

Wireshark/SMTP

From Wikiversity

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Simple Mail Transfer Protocol (SMTP) traffic.

Readings

[edit | edit source]

Preparation

[edit | edit source]

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.
  4. Install the Telnet client.

Activity 1 - Capture SMTP Traffic

[edit | edit source]

To capture SMTP traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type telnet gmail-smtp-in.l.google.com 25 and press Enter. If this does not work, your ISP may be blocking outbound traffic on port 25. You can try telnet smtp.gmail.com 587 instead to generate SMTP traffic and then filter on port 587 in the next activity.
  4. Observe the server response.
  5. Type helo and press Enter.
  6. Observe the server response. Note that at this point you could enter mail, rcpt and data to send an SMTP message, but this only works on servers configured to allow clear text relay without authentication.
  7. Type quit and press Enter to close the connection.
  8. Observe the server response.
  9. Close the command prompt.
  10. Stop the Wireshark capture.

Activity 2 - Select Destination Traffic

[edit | edit source]

To select destination traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only SMTP traffic, type smtp (lower case) in the Filter box and press Enter.
  2. Select the first SMTP packet labeled 220 ....
  3. Observe the destination IP address.
  4. To view all related traffic for this connection, change the filter to ip.addr == <destination>, where <destination> is the destination address of the SMTP packet.

Activity 3 - Analyze TCP Connection Traffic

[edit | edit source]

To analyze TCP connection traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. The first three packets (TCP SYN, TCP SYN/ACK, TCP ACK) are the TCP three way handshake. Select the first packet.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the IP address of the SMTP server.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is a dynamic port selected for this HTTP connection.
  10. Observe the Destination port. Notice that it is smtp (25). Note that all of the packets for this connection will have matching MAC addresses, IP addresses, and port numbers.

Activity 4 - Analyze SMTP Service Ready Traffic

[edit | edit source]

To analyze SMTP Service Ready traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the fourth packet, which is the first SMTP packet and labeled 220 ....
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol / Hypertext Transfer Protocol frame. Also notice that the Ethernet II, Internet Protocol Version 4, and Transmission Control Protocol values are consistent with the TCP connection analyzed in Activity 3.
  4. Expand Simple Mail Transfer Protocol and Response to view SMTP details.
  5. Observe the Response code and Response parameter.
  6. Observe the traffic captured in the top Wireshark packet list pane.
  7. Select the fifth packet, labeled TCP ACK. This is the client TCP acknowledgement of receiving the Service Ready message.

Activity 5 - Analyze SMTP HELO Traffic

[edit | edit source]

To analyze SMTP HELO traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the following TCP segments and acknowledgements. If you observe the packet details in the bottom Wireshark packet bytes pane carefully, you will see that the segments spell out the helo message. The sequence ends with a Wireshark-combined SMTP client helo message, followed by a server TCP acknowledgement.

Activity 6 - Analyze SMTP Completed Traffic

[edit | edit source]

To analyze SMTP Completed traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the following SMTP packet, labeled 250 ...
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Simple Mail Transfer Protocol and Response to view SMTP details.
  5. Observe the Response code and Response parameter.

Activity 7 - Analyze SMTP QUIT Traffic

[edit | edit source]

To analyze SMTP QUIT traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the following TCP segments and acknowledgements. If you observe the packet details in the bottom Wireshark packet bytes pane carefully, you will see that the segments spell out the quit message. The sequence ends with a Wireshark-combined SMTP client quit message, followed by a server TCP acknowledgement.

Activity 8 - Analyze SMTP Closing Traffic

[edit | edit source]

To analyze SMTP Closing traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane.
  2. Select the following SMTP packet, labeled 221 ...
  3. Observe the packet details in the middle Wireshark packet details pane.
  4. Expand Simple Mail Transfer Protocol and Response to view SMTP details.
  5. Observe the Response code and Response parameter.
  6. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References

[edit | edit source]