capturing email with Wireshark

exampasser Member Posts: 718
I got bored today so I played around with Wireshark to see if I could capture some of my own emails. I opened up my email client and sent myself an email. I looked in Wireshark and it apparently did capture it, but it's not in plaintext form (I tried searching for words that I placed in my test email with no results). The TCP stream of packets that are related to email appears to be in IMAPS form. Is it normal for regular email messages to not be sent in plaintext form?

Comments

  • shaqazoolu Member Posts: 259
    If it was regular IMAP it would be in clear text. IMAPS runs over SSL and is therefore encrypted.
    :study:
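    As an added illustration of the point above (this is example code written for this page, not from any poster): the first bytes of the TCP stream tell you which case you are in. IMAPS, like POP3S and SMTPS, is "implicit TLS", so the very first thing the client sends is a TLS ClientHello record, whereas plain IMAP, POP3 and SMTP open with an ASCII server greeting. The script classifies a stream from those first bytes and, for a ClientHello, pulls out the Server Name Indication, which stays readable even though the mailbox traffic itself is encrypted. The ClientHello and greetings it feeds itself are constructed here as sample input; the host name imap.gmail.com is only a sample value.

```python
"""Classify the first bytes of a captured TCP stream as implicit TLS (as with
IMAPS on port 993) or a cleartext mail protocol (IMAP, POP3, SMTP greeting).
For a TLS ClientHello the record-layer version and the SNI host name are read
out: the mailbox contents are encrypted, but the server name is still visible.
All sample payloads in this file are constructed for the example."""

import struct

TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}   # ChangeCipherSpec, Alert, Handshake, AppData
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
SNI_EXTENSION = 0x0000


def parse_client_hello_sni(record: bytes):
    """Walk a TLS ClientHello far enough to read server_name; None if absent or malformed."""
    try:
        if record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
            return None
        pos = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                   # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                   # compression_methods
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == SNI_EXTENSION:
                # extension data: list_len(2), then name_type(1), name_len(2), host_name
                name_type = record[pos + 2]
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                if name_type == 0:
                    return record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                              # truncated or malformed record
    return None


def classify_stream(payload: bytes) -> dict:
    """Report what the first bytes of a stream are, before any decoding of the contents."""
    if len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES and payload[1] == 0x03:
        # record-layer version (3.1 is the common TLS 1.0 framing; the real
        # protocol version is negotiated inside the handshake, not here)
        info = {"kind": "tls", "record_version": "3.%d" % payload[2]}
        sni = parse_client_hello_sni(payload)
        if sni is not None:
            info["sni"] = sni
        return info
    first = payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    for prefix, proto in (("* OK", "IMAP"), ("+OK", "POP3"), ("220", "SMTP")):
        if first.startswith(prefix):
            return {"kind": "cleartext", "protocol": proto, "greeting": first}
    return {"kind": "unknown"}


def build_client_hello(host: str) -> bytes:
    """Construct a minimal ClientHello with an SNI extension (sample input, not a real capture)."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", SNI_EXTENSION, len(sni_data)) + sni_data
    body = (b"\x03\x03" + b"\x11" * 32            # client_version TLS 1.2, 32-byte random
            + b"\x00"                              # empty session_id
            + b"\x00\x02\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for sample in (build_client_hello("imap.gmail.com"),
                   b"* OK Dovecot ready.\r\n",
                   b"220 mx.example.net ESMTP\r\n"):
        print(classify_stream(sample))
```

    In Wireshark the same check is "Follow TCP Stream" on the port 993 conversation: the first bytes are binary with a 0x16 0x03 prefix rather than "* OK", and the Client Hello dissector shows the server_name field in the clear.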
  • dynamik Banned Posts: 12,312
    Yep. You can decrypt SSL-based communications (HTTPS, IMAPS, etc.) in Wireshark, but you need to supply the cert/key.
  • powerfool Member Posts: 1,666
    Also, Outlook/Exchange connectivity is not clear text, either. If you are looking for plain-text, you will need to make sure protocols being used are those like HTTP, POP3, IMAP, and SMTP. Keep in mind, traffic between servers is almost always SMTP and will be unencrypted. This is where PGP comes into play for protecting your own messages, end-to-end.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
  • exampasser Member Posts: 718
    powerfool wrote: »
    Also, Outlook/Exchange connectivity is not clear text, either. If you are looking for plain-text, you will need to make sure protocols being used are those like HTTP, POP3, IMAP, and SMTP. Keep in mind, traffic between servers is almost always SMTP and will be unencrypted. This is where PGP comes into play for protecting your own messages, end-to-end.

    I was using an exchange account, I'll try one of my gmail accounts (using my email client, not the web interface).
  • exampasser Member Posts: 718
    Darn, I just looked in the account settings for both my Exchange account and my Gmail account and they both use SSL. I tried to use "none" for connection security, but then it can't connect to the IMAP server.

    Lesson learned: use an email account that does not require the use of SSL when trying to capture email messages with Wireshark.
  • Pash Member Posts: 1,600
    A better test for you today is to just use MSN Messenger, and then you will see all of your unicast messages from your NIC adapter in clear text :)
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • exampasser Member Posts: 718
    Pash wrote: »
    A better test for you today is just use msn messenger and then you will see all of your unicast messages from your NIC adapater in clear text :)
    I'll try that :)
  • it_consultant Member Posts: 1,903
    powerfool wrote: »
    Also, Outlook/Exchange connectivity is not clear text, either. If you are looking for plain-text, you will need to make sure protocols being used are those like HTTP, POP3, IMAP, and SMTP. Keep in mind, traffic between servers is almost always SMTP and will be unencrypted. This is where PGP comes into play for protecting your own messages, end-to-end.

    This is not entirely true. Most SMTP servers nowadays offer TLS connections to the recipient server. I looked through our logs and very few outgoing messages from my server are unencrypted.
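    As an added example for the two comments above (written for this page, not code from any poster): server-to-server SMTP on port 25 starts in the clear and is upgraded with STARTTLS, which is what makes "encrypted" and "unencrypted" both possible answers. Whether a given session was upgraded is visible in the cleartext part of the capture: the server's EHLO reply either advertises a 250-STARTTLS line or not, and the client either sends STARTTLS and gets a 220 back or carries on with MAIL FROM. The script walks such a transcript and reports which case it is. The caveat a practitioner wants here is that STARTTLS is opportunistic: if a relay strips the 250-STARTTLS line, most senders just continue in the clear, so "not advertised" can mean "no TLS support" or "stripped in transit". The transcripts, host names and addresses are constructed sample data.

```python
"""Inspect a cleartext SMTP exchange (server-to-server delivery on port 25) and
report whether it was upgraded with STARTTLS. After a successful STARTTLS the
rest of the stream is TLS, so a capture shows message bodies only when the
session stayed cleartext. The transcripts below are constructed for this
example, not taken from a real capture."""


def parse_ehlo_extensions(reply_lines):
    """Extension keywords from a multi-line 250 reply; the first line is the greeting, not an extension."""
    exts = set()
    for line in reply_lines[1:]:
        if line.startswith(("250-", "250 ")) and line[4:].strip():
            exts.add(line[4:].split()[0].upper())
    return exts


def analyse_smtp_session(transcript):
    """transcript: list of (direction, line), direction 'C' for client or 'S' for server."""
    ehlo_reply, in_ehlo, requested, upgraded = [], False, False, False
    for direction, line in transcript:
        if upgraded:
            break                                    # everything after the 220 is TLS, not SMTP text
        if direction == "C":
            cmd = line.strip().upper()
            in_ehlo = cmd.startswith("EHLO")
            if in_ehlo:
                ehlo_reply = []
            elif cmd == "STARTTLS":
                requested = True
        elif in_ehlo and line.startswith("250"):
            ehlo_reply.append(line)
        elif requested and line.startswith("220"):
            upgraded = True                          # server ready; the TLS handshake follows
        elif requested:
            requested = False                        # 454 / 5xx: STARTTLS refused, session stays clear
    exts = parse_ehlo_extensions(ehlo_reply)
    offered = "STARTTLS" in exts
    if upgraded:
        verdict = "encrypted"
    elif not offered:
        verdict = "cleartext: STARTTLS not advertised (no TLS support, or stripped in transit)"
    else:
        verdict = "cleartext: STARTTLS advertised but not used"
    return {"extensions": exts, "starttls_offered": offered,
            "starttls_used": upgraded, "verdict": verdict}


# Constructed sample sessions (not real captures).
SESSION_UPGRADED = [
    ("S", "220 mx.example.net ESMTP"),
    ("C", "EHLO mail.sender.example"),
    ("S", "250-mx.example.net"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-STARTTLS"),
    ("S", "250 8BITMIME"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
]

SESSION_NOT_OFFERED = [
    ("S", "220 mx.example.net ESMTP"),
    ("C", "EHLO mail.sender.example"),
    ("S", "250-mx.example.net"),
    ("S", "250 SIZE 52428800"),
    ("C", "MAIL FROM:<alice@sender.example>"),
    ("S", "250 2.1.0 Ok"),
]

SESSION_NOT_USED = [
    ("S", "220 mx.example.net ESMTP"),
    ("C", "EHLO mail.sender.example"),
    ("S", "250-mx.example.net"),
    ("S", "250-STARTTLS"),
    ("S", "250 8BITMIME"),
    ("C", "MAIL FROM:<alice@sender.example>"),
    ("S", "250 2.1.0 Ok"),
]

if __name__ == "__main__":
    for name, session in (("upgraded", SESSION_UPGRADED),
                          ("not offered", SESSION_NOT_OFFERED),
                          ("not used", SESSION_NOT_USED)):
        print(name, "->", analyse_smtp_session(session)["verdict"])
```

    A Wireshark filter of `smtp.req.command == "STARTTLS"` against a port 25 capture gives the same answer per session; sessions without it, or where the EHLO reply never contained STARTTLS, are the ones whose message bodies a sniffer can read.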