When analyzing SMTP traffic in Wireshark, the Info column provides crucial details about each packet's purpose, including commands like EHLO, MAIL FROM, and RCPT TO, and message data. While browsing sorted packets works for small captures, larger captures demand more efficient search methods.
Wireshark's Find Packet dialog is the quickest way to search packet data:
1. Press Ctrl+F (or Edit → Find Packet)
2. Select "Packet list" and "String" as the search options
To specifically search the Info column for SMTP addresses:
1. Click any SMTP packet
2. In the filter bar, enter: smtp contains "user@domain.com"
3. For message content: smtp.data.fragment contains "keyword"
For precise SMTP traffic analysis, these display filters prove valuable:
// Find all MAIL FROM commands
smtp.req.command == "MAIL" && smtp.req.parameter contains "@"
// Locate specific recipient addresses
smtp.req.command == "RCPT" && smtp.req.parameter contains "target@company.com"
// Search for message subjects
smtp contains "Subject: Important Alert"
// Combine with TCP filters for specific conversations
tcp.stream eq 5 && smtp
For frequent SMTP analysis, create dedicated columns:
1. Right-click any SMTP command field
2. Select "Apply as Column"
3. For email addresses: Use the smtp.req.parameter field
4. For status codes: Use smtp.response.code
For command-line processing of large captures:
tshark -r smtp_capture.pcap -Y 'smtp contains "urgent@domain.org"' -T fields -e frame.number -e smtp.req.parameter
// Output sample:
// 42 MAIL FROM:<sender@example.com>
// 45 RCPT TO:<urgent@domain.org>
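To turn tshark's fields output into one envelope per conversation, here is an added Python helper; it is not from the page or from the Wireshark project. It assumes a command such as tshark -r smtp_capture.pcap -Y 'smtp.req.command == "MAIL" || smtp.req.command == "RCPT"' -T fields -e frame.number -e tcp.stream -e smtp.req.command -e smtp.req.parameter, whose default output is one tab-separated line per frame; the sample lines below are constructed, not captured traffic.

```python
import re
from typing import Dict, List

# Constructed sample of tshark -T fields output (tab-separated columns:
# frame.number, tcp.stream, smtp.req.command, smtp.req.parameter).
SAMPLE_TSHARK_OUTPUT = "\n".join([
    "42\t5\tMAIL\tFROM:<sender@example.com>",
    "45\t5\tRCPT\tTO:<urgent@domain.org>",
    "46\t5\tRCPT\tTO:<second@domain.org>",
    "88\t9\tMAIL\tFROM:<>",                   # null reverse-path: a bounce message
    "90\t9\tRCPT\tTO:<postmaster@domain.org>",
    "93\t11\tRCPT\tTO:<orphan@domain.org>",   # stream whose MAIL frame was not captured
])

ANGLE_ADDR = re.compile(r"<([^>]*)>")


def path_address(parameter: str) -> str:
    """Pull the address out of a FROM:<addr> / TO:<addr> parameter.

    Returns "" for the null reverse-path "<>" and the bare text after the
    colon if the sender omitted the angle brackets.
    """
    m = ANGLE_ADDR.search(parameter)
    return m.group(1) if m else parameter.split(":", 1)[-1].strip()


def envelopes_by_stream(output: str) -> Dict[int, Dict[str, object]]:
    """Group tshark field lines into one envelope per TCP stream."""
    envelopes: Dict[int, Dict[str, object]] = {}
    for raw in output.splitlines():
        if not raw.strip():
            continue
        frame, stream, command, parameter = raw.split("\t", 3)
        env = envelopes.setdefault(
            int(stream), {"sender": None, "recipients": [], "frames": []}
        )
        env["frames"].append(int(frame))
        if command == "MAIL":
            env["sender"] = path_address(parameter)
        elif command == "RCPT":
            env["recipients"].append(path_address(parameter))
    return envelopes


def streams_delivering_to(envelopes: Dict[int, Dict[str, object]], address: str) -> List[int]:
    """Streams whose envelope lists the given recipient."""
    return sorted(s for s, e in envelopes.items() if address in e["recipients"])


def incomplete_envelopes(envelopes: Dict[int, Dict[str, object]]) -> List[int]:
    """Streams with recipients but no MAIL command: partial capture or filter gap."""
    return sorted(s for s, e in envelopes.items() if e["sender"] is None)


if __name__ == "__main__":
    for stream, env in envelopes_by_stream(SAMPLE_TSHARK_OUTPUT).items():
        print(stream, env["sender"], env["recipients"], env["frames"])
```

Adding tcp.stream to the -e list is what makes the MAIL and RCPT lines of one session line up; without it, a capture with interleaved sessions cannot be grouped reliably. If a frame carries several values for one field, tshark joins them with commas on that column, which this parser does not split.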
When searches return unexpected results:
- Verify the SMTP dissection is working (View → Internals → Supported Protocols)
- Check for TCP segmentation issues (Edit → Preferences → Protocols → TCP)
- Try an alternative raw-byte filter such as frame contains "user@domain"
When analyzing SMTP traffic in Wireshark, the Info column displays crucial message details including sender/recipient addresses and message subjects. However, manually browsing through thousands of packets becomes inefficient for specific searches.
The most efficient method uses display filters with the smtp protocol filter and string matching:
smtp contains "target@domain.com"
For case-sensitive searches:
smtp matches "Target@Domain\\.com"
Target specific SMTP fields for precise searching (the dissector stores "MAIL" in smtp.req.command and "FROM:<...>" in smtp.req.parameter):
smtp.req.command == "MAIL"
smtp.response.argument matches "250.*accepted"
When you need to search raw packet content (including unparsed SMTP data):
frame contains "urgent meeting"
Combine with protocol filtering:
tcp.port == 25 && frame contains "confidential"
For recurring analysis, create dedicated columns:
- Right-click an SMTP field in the packet details
- Select "Apply as Column"
- Now you can sort/filter the new column
To trace a complete SMTP conversation including envelope and headers:
smtp contains "message-id: <202405151200.ABC123@company.com>"
Combine with TCP stream tracking:
tcp.stream eq 42 && smtp
For complex pattern matching in SMTP traffic:
smtp matches "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
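To see what the field-based filters on this page actually match, here is an added Python model of how the SMTP dissector names the parts of a line; it is not Wireshark code and not from the page. A client line is split at the first space: the text before it becomes smtp.req.command and the remainder smtp.req.parameter, so "MAIL FROM:<a@b>" has command MAIL and parameter FROM:<a@b>; a server reply yields smtp.response.code and smtp.response.argument. The session below is constructed, and the "_line" key stands in for the reassembled SMTP bytes that smtp contains scans. The functions apply the page's own filters (the MAIL and RCPT lookups, smtp contains for a subject, tcp.stream conversation selection, and the address regex from the last filter) to that session.

```python
import re
from typing import Dict, List

# Regex from the page's last display filter, reused to pull addresses out of
# reassembled SMTP text.
EMAIL_RE = re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}")

# Constructed session: (tcp.stream, direction, line). C = client command,
# S = server reply, D = message data after DATA. Frame numbers are assigned
# in list order starting at 1.
SAMPLE_SESSION = [
    (5, "S", "220 mail.example.com ESMTP ready"),
    (5, "C", "EHLO client.example.net"),
    (5, "S", "250-mail.example.com"),
    (5, "S", "250 SIZE 10240000"),
    (5, "C", "MAIL FROM:<sender@example.com>"),
    (5, "S", "250 2.1.0 Ok"),
    (5, "C", "RCPT TO:<target@company.com>"),
    (5, "S", "250 2.1.5 Ok"),
    (5, "C", "DATA"),
    (5, "S", "354 End data with <CR><LF>.<CR><LF>"),
    (5, "D", "Subject: Important Alert"),
    (5, "D", "Message-ID: <202405151200.ABC123@company.com>"),
    (5, "D", ""),
    (5, "D", "Please review the attached report."),
    (5, "D", "."),
    (5, "S", "250 2.0.0 Ok: queued"),
    (5, "C", "QUIT"),
    (7, "C", "EHLO other.example.org"),
    (7, "C", "MAIL FROM:<ops@example.org>"),
    (7, "C", "RCPT TO:<urgent@domain.org>"),
]


def dissect(frame: int, stream: int, direction: str, line: str) -> Dict[str, object]:
    """Name the parts of one SMTP line with the field names Wireshark uses.

    Client line: text before the first space -> smtp.req.command, rest -> smtp.req.parameter
    Server line: 3-digit code -> smtp.response.code, rest -> smtp.response.argument
    Data line:   smtp.data.fragment
    """
    fields: Dict[str, object] = {"frame.number": frame, "tcp.stream": stream, "_line": line}
    if direction == "C":
        command, _, parameter = line.partition(" ")
        fields["smtp.req.command"] = command
        fields["smtp.req.parameter"] = parameter
    elif direction == "S":
        fields["smtp.response.code"] = int(line[:3])
        fields["smtp.response.argument"] = line[4:]
    else:
        fields["smtp.data.fragment"] = line
    return fields


def dissect_session(session=SAMPLE_SESSION) -> List[Dict[str, object]]:
    return [dissect(i + 1, s, d, l) for i, (s, d, l) in enumerate(session)]


# smtp.req.command == "MAIL" && smtp.req.parameter contains "@"
def envelope_senders(packets: List[Dict[str, object]]) -> List[str]:
    return [str(p["smtp.req.parameter"]) for p in packets
            if p.get("smtp.req.command") == "MAIL" and "@" in str(p.get("smtp.req.parameter", ""))]


# smtp.req.command == "RCPT" && smtp.req.parameter contains <address>
def frames_with_recipient(packets: List[Dict[str, object]], address: str) -> List[int]:
    return [int(p["frame.number"]) for p in packets
            if p.get("smtp.req.command") == "RCPT" and address in str(p["smtp.req.parameter"])]


# smtp contains <text>: a byte-wise, case-sensitive substring test over the SMTP payload
def smtp_contains(packets: List[Dict[str, object]], text: str) -> List[int]:
    return [int(p["frame.number"]) for p in packets if text in str(p["_line"])]


# tcp.stream eq N && smtp
def conversation(packets: List[Dict[str, object]], stream: int) -> List[str]:
    return [str(p["_line"]) for p in packets if p["tcp.stream"] == stream]


# smtp matches <address regex>, with the matched text collected instead of just a hit
def extract_addresses(packets: List[Dict[str, object]]) -> List[str]:
    found = set()
    for p in packets:
        found.update(EMAIL_RE.findall(str(p["_line"])))
    return sorted(found)


if __name__ == "__main__":
    pk = dissect_session()
    print(envelope_senders(pk), frames_with_recipient(pk, "target@company.com"))
    print(extract_addresses(pk))
```

Two things the model makes visible: the parameter field starts with "FROM:" or "TO:", never with the command word, so a filter on smtp.req.parameter should look for the address or the "FROM:"/"TO:" prefix; and the address regex also fires on the Message-ID header's local part, so check which frame and field produced each hit before treating it as a mailbox.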