The SMTP protocol is basically like this:
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
S: 250 Ok
C: RCPT TO:<theboss@example.com>
S: 250 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example" <bob@example.org>
C: To: "Alice Example" <alice@example.com>
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
But when multiple mails are received it becomes more complicated:
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.org
C: HELO relay.example.org
S: 250 Hello relay.example.org, I am glad to meet you
C: MAIL FROM:<bob@example.org>
S: 250 Ok
C: RCPT TO:<alice@example.com>
**C2: MAIL FROM:<charliebitme@example.org>**
S: 250 Ok
**C2: RCPT TO:<ouch@example.org>**
C: RCPT TO:<theboss@example.com>
S: 250 Ok
C: DATA
**C2: DATA2
C3: MAIL FROM:<foo@example.org>
C3: RCPT TO:<bar@example.com>**
S: 354 End data with <CR><LF>.<CR><LF>
**C3: DATA3**
C: From: "Bob Example" <bob@example.org>
C: To: "Alice Example" <alice@example.com>
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend,
C: Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
So how can I determine which data packet belongs to C, C1, C2? Or who is sending mail to ouch@example.org, using Wireshark?
Try to create a TCP (tcp.port, tcp.srcport or tcp.dstport) or IP (ip.addr, ip.src or ip.dst) filter. Using this kind of filter you should be able to extract only one connection.
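Added example (not from the question or the answer): a small Python demultiplexer that does by hand what the answer's Wireshark filters and "Follow TCP Stream" do, grouping constructed packet records by TCP 4-tuple and reading each connection's MAIL FROM / RCPT TO so the interleaved transcript above can be resolved. The client IPs and ports are made up, and the server is assumed to listen on port 25.

```python
from collections import defaultdict

# Constructed packets: (src_ip, src_port, dst_ip, dst_port, client line). Three
# clients interleave on port 25; server replies are omitted since only client
# commands (MAIL FROM / RCPT TO) identify who is sending to whom.
PACKETS = [
    ("10.0.0.1", 40001, "192.0.2.25", 25, "MAIL FROM:<bob@example.org>"),
    ("10.0.0.1", 40001, "192.0.2.25", 25, "RCPT TO:<alice@example.com>"),
    ("10.0.0.2", 40002, "192.0.2.25", 25, "MAIL FROM:<charliebitme@example.org>"),
    ("10.0.0.2", 40002, "192.0.2.25", 25, "RCPT TO:<ouch@example.org>"),
    ("10.0.0.1", 40001, "192.0.2.25", 25, "RCPT TO:<theboss@example.com>"),
    ("10.0.0.1", 40001, "192.0.2.25", 25, "DATA"),
    ("10.0.0.2", 40002, "192.0.2.25", 25, "DATA"),
    ("10.0.0.3", 40003, "192.0.2.25", 25, "MAIL FROM:<foo@example.org>"),
    ("10.0.0.3", 40003, "192.0.2.25", 25, "RCPT TO:<bar@example.com>"),
]

def stream_key(pkt):
    """A connection is its 4-tuple; sorting the endpoints makes both directions
    map to the same key, as Wireshark's tcp.stream index does."""
    src_ip, src_port, dst_ip, dst_port, _ = pkt
    return tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))

def follow_streams(packets):
    """Group lines per connection in capture order ("Follow TCP Stream")."""
    streams = defaultdict(list)
    for pkt in packets:
        streams[stream_key(pkt)].append(pkt[4])
    return dict(streams)

def envelope(lines):
    """Extract the SMTP envelope (sender, recipients) from one stream's lines."""
    sender, rcpts = None, []
    for line in lines:
        verb, _, arg = line.partition(":")
        if verb.upper() == "MAIL FROM":
            sender = arg.strip().strip("<>")
        elif verb.upper() == "RCPT TO":
            rcpts.append(arg.strip().strip("<>"))
    return sender, rcpts

def senders_to(packets, recipient, server_port=25):
    """(client endpoint, envelope sender, Wireshark filter) per connection to recipient."""
    hits = []
    for key, lines in follow_streams(packets).items():
        sender, rcpts = envelope(lines)
        if recipient in rcpts:
            client = next(ep for ep in key if ep[1] != server_port)
            filt = f"ip.addr == {client[0]} && tcp.port == {client[1]}"
            hits.append((client, sender, filt))
    return hits
```

The returned filter string is the display filter you would paste into Wireshark to see only that one connection.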