Hi Mike,
No, if someone would be using a different port for email, then Wireshark will not decode it as SMTP or POP in the first place. (Because the dissection for these protocols is based on a port preference. Meaning that Wireshark will only decode the packets as POP/SMTP if the traffic goes over the well known port numbers for these protocols)
What you would need is some sort of heuristics that can identify POP/SMTP from the packet data itself, but i don' think Wireshark has that built in for the moment.
Otherwise, if your email is unencrypted, you might just as well want to filter on common plain-text email headers within the data portion of any TCP traffic.
regards,
Lars
________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Mike Dodson
Sent: mercredi 29 août 2012 00:49
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Capturing Email Traffic
I would like to monitor the email traffic in and out of our network to make sure that no one is using the incorrect ports. I need this information as I would like to setup a firewall rule that would only allow traffic to and from one specific server. I think I have found the answer to this question but so far no information has been captured yet.
When I start the capture and in the display filter I am using "pop or smtp" as the expression which should tell me when there is that type of traffic. Is this the correct way of doing this or is there a better way.
thanks for the help.
Mike