SMTP: Simple Mail Transport Protocol

data carving layer 7 mail SMTP

Introduction

This tutorial discusses the plugin smtpDecode.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow tcpStates smtpDecode txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, do it now in another bash window; it makes the workflow easier:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: faf-exercise.pcap (Source: Bro).

Please save it in your ~/data folder.

Now you are all set for analyzing SMTP traffic!

smtpDecode

Let’s look at the plugin configuration first:

smtpDecode

vi src/smtpDecode.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define SMTP_SAVE      0 // save content to SMTP_F_PATH

#define SMTP_BTFLD     0 // Bitfield coding of SMTP commands
#define SMTP_RCTXT     1 // 1: print response code text

#define SMTP_MXNMLN   70 // maximal name length
#define SMTP_MXUNMLN  25 // maximal user length
#define SMTP_MXPNMLN  15 // maximal PW length

#define SMTP_MAXCNM    8 // maximal number of rec,trans codes
#define SMTP_MAXUNM    5 // maximal number of Users
#define SMTP_MAXPNM    5 // maximal number of PWs
#define SMTP_MAXSNM    8 // maximal number of server addresses
#define SMTP_MAXRNM    8 // maximal number of rec EMail addresses
#define SMTP_MAXTNM    8 // maximal number of trans EMail addresses

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define SMTP_RMDIR     1 // empty SMTP_F_PATH before starting (require SMTP_SAVE=1)
#define SMTP_F_PATH "/tmp/SMTPFILES/" // Path for extracted content
#define SMTP_NONAME "nudel"           // no name file name

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Run t2 on the supplied pcap.

t2 -r ~/data/faf-exercise.pcap -w ~/results/ -s

tawk -V smtpStat=0x01

Data carving with smtpDecode

Switch on SMTP_SAVE, recompile, rerun T2 and then move into /tmp/SMTPFILES.

t2conf smtpDecode -D SMTP_SAVE=1 && t2build smtpDecode

t2 -r ~/data/faf-exercise.pcap -w ~/results

================================================================================
Tranalyzer 0.9.0(Anteater), Tarantula. PID: 22585
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.9.0
    02: tcpStates, 0.9.0
    03: smtpDecode, 0.9.0
    05: txtSink, 0.9.0
...
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x4a
smtpDecode: Number of SMTP packets: 894 [15.15%]
smtpDecode: Number of SMTP files: 3
--------------------------------------------------------------------------------
...

smtpDecode reports three mail files. Let’s first have a look at the SMTP flows.

tawk 'strtonum($smtpStat) || hdr()' ~/results/faf-exercise_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP          srcIPCC  srcIPOrg           srcPort  dstIP          dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStates  smtpStat  smtpCC                    smtpRC           smtpUsr  smtpPW  smtpSANum  smtpESANum  smtpERANum  smtpSA                                                                                                                                                                                                                                     smtpESA                 smtpERA                httpStat  httpAFlags  httpMethods  httpHeadMimes  httpCFlags  httpGet_Post  httpRSCnt  httpRSCode  httpURL_Via_Loc_Srv_Pwr_UAg_XFr_Ref_Cky_Mim  httpImg_Vid_Aud_Msg_Txt_App_Unk  httpHosts  httpURL  httpMimes     httpCookies  httpImages  httpVideos  httpAudios  httpMsgs  httpAppl  httpText          httpPunk  httpBdyURL  httpUsrAg                                  httpXFor  httpRefrr  httpVia  httpLoc  httpServ  httpPwr
A     12       0x0400000000004000  1258563573.941668  1258563576.594009  2.652341  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1397     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     12       0x0400000000004001  1258563573.941709  1258563576.594045  2.652336  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1397     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     13       0x0400000000004000  1258565030.304653  1258565030.420837  0.116184  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1749     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     13       0x0400000000004001  1258565030.304696  1258565030.420877  0.116181  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1749     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     14       0x0400000000004000  1258565174.919134  1258565175.037809  0.118675  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1755     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     14       0x0400000000004001  1258565174.919179  1258565175.037828  0.118649  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1755     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     15       0x0400000000004000  1258565820.302090  1258565821.898589  1.596499  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49218    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     15       0x0400000000004001  1258565820.302128  1258565821.898612  1.596484  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49218    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     16       0x0400000000004000  1258565880.189257  1258565880.212242  0.022985  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49219    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     16       0x0400000000004001  1258565880.189338  1258565880.212279  0.022941  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49219    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     17       0x0400000000004000  1258566050.124592  1258566050.238771  0.114179  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49220    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     17       0x0400000000004001  1258566050.124650  1258566050.238828  0.114178  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49220    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     18       0x0400000000004000  1258566123.706408  1258566123.739652  0.033244  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1806     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     18       0x0400000000004001  1258566123.706462  1258566123.739692  0.033230  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1806     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     19       0x0400000000004000  1258567109.383510  1258567113.574618  4.191108  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  07       "Private network"  1400     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     19       0x0400000000004001  1258567109.383558  1258567113.574642  4.191084  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102  07       "Private network"  1400     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     20       0x0400000000004000  1258567248.261596  1258567248.374768  0.113172  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  07       "Private network"  1404     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     20       0x0400000000004001  1258567248.261635  1258567248.374809  0.113174  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102  07       "Private network"  1404     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     21       0x0400000000004000  1258567289.262109  1258567289.283592  0.021483  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  07       "Private network"  1405     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     21       0x0400000000004001  1258567289.262156  1258567289.283642  0.021486  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102  07       "Private network"  1405     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     22       0x0400000000004000  1258567757.457759  1258567757.572930  0.115171  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49336    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     22       0x0400000000004001  1258567757.457805  1258567757.572984  0.115179  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49336    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     23       0x0400000000004000  1258568036.508358  1258568036.620287  0.111929  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49353    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     23       0x0400000000004001  1258568036.508400  1258568036.620325  0.111925  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49353    6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     24       0x0400000000004000  1258568059.128662  1258568059.160656  0.031994  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1836     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     24       0x0400000000004001  1258568059.128711  1258568059.160696  0.031985  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1836     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     25       0x0400000000004000  1258568667.549041  1258568667.662968  0.113927  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  07       "Private network"  1709     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     25       0x0400000000004001  1258568667.549083  1258568667.662999  0.113916  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102  07       "Private network"  1709     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     26       0x0400000000004000  1258568738.108255  1258568738.141234  0.032979  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49561    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     26       0x0400000000004001  1258568738.108301  1258568738.141266  0.032965  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49561    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     27       0x0400000000004000  1258574141.027462  1258574141.466197  0.438735  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104  07       "Private network"  1572     192.168.1.1    07       "Private network"  25       6        0x00       0x11      EHLO;MAIL;RCPT;DATA;QUIT                                    1          1           1           "[192.168.1.104]"                                                                                                                                                                                                                          "charlie@m57.biz_0_27"  "pat@m57.biz"          0x0000    0x0000      0x00         0x0040         0x0010      0_0           0                      0_0_0_0_0_1_0_0_0_1                          0_0_0_0_1_0_0                                        "text/plain"                                                                       "nudel_0_27_5_0"                        "Thunderbird 2.0.0.23 (Windows/20090812)"
B     27       0x0400000000004001  1258574141.027497  1258574141.466226  0.438729  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.104  07       "Private network"  1572     6        0x00       0x01                                220;250;354;221                   7          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L250 2.1.0 Ok";"250 2.1.0 Ok";"250 2.1.5 Ok";"354 End data with <CR><LF>.<CR><LF>";"250 2.0.0 Ok: queued as 3B2C92AF471";"221 2.0.0 Bye"                                                 0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     28       0x0400000000004000  1258577484.692600  1258577484.971674  0.279074  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104  07       "Private network"  1604     192.168.1.1    07       "Private network"  25       6        0x00       0x11      EHLO;MAIL;RCPT;DATA;QUIT                                    1          1           1           "[192.168.1.104]"                                                                                                                                                                                                                          "charlie@m57.biz_0_28"  "pat@m57.biz"          0x0000    0x0000      0x00         0x0040         0x0010      0_0           0                      0_0_0_0_0_1_0_0_0_1                          0_0_0_0_1_0_0                                        "text/plain"                                                                       "nudel_0_28_5_0"                        "Thunderbird 2.0.0.23 (Windows/20090812)"
B     28       0x0400000000004001  1258577484.692644  1258577484.971707  0.279063  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.104  07       "Private network"  1604     6        0x00       0x01                                220;250;354;221                   7          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L250 2.1.0 Ok";"250 2.1.0 Ok";"250 2.1.5 Ok";"354 End data with <CR><LF>.<CR><LF>";"250 2.0.0 Ok: queued as BF9192AF931";"221 2.0.0 Bye"                                                 0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     29       0x0400000000004000  1258577840.949762  1258577841.204606  0.254844  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104  07       "Private network"  1665     192.168.1.1    07       "Private network"  25       6        0x00       0x11      EHLO;MAIL;RCPT;DATA;QUIT                                    1          1           1           "[192.168.1.104]"                                                                                                                                                                                                                          "charlie@m57.biz_0_29"  "alix.pery@yahoo.com"  0x0000    0x0000      0x00         0x0040         0x0010      0_0           0                      0_0_0_0_0_1_0_0_0_1                          0_0_0_0_1_0_0                                        "text/plain"                                                                       "nudel_0_29_5_0"                        "Thunderbird 2.0.0.23 (Windows/20090812)"
B     29       0x0400000000004001  1258577840.949804  1258577841.204644  0.254840  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.104  07       "Private network"  1665     6        0x00       0x01                                220;250;354;221                   7          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L250 2.1.0 Ok";"250 2.1.0 Ok";"250 2.1.5 Ok";"354 End data with <CR><LF>.<CR><LF>";"250 2.0.0 Ok: queued as 0B4782AF94B";"221 2.0.0 Bye"                                                 0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     30       0x0400000000004000  1258581757.587843  1258581758.358872  0.771029  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1934     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     30       0x0400000000004001  1258581757.587891  1258581758.358901  0.771010  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1934     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     31       0x0400000000004000  1258582107.588230  1258582108.822693  1.234463  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  2008     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     31       0x0400000000004001  1258582107.588266  1258582108.822724  1.234458  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  2008     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     32       0x0400000000004000  1258583614.298059  1258583615.323171  1.025112  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  07       "Private network"  1911     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     32       0x0400000000004001  1258583614.298161  1258583615.323218  1.025057  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102  07       "Private network"  1911     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0

You can now see all the vital mail communication aggregated per flow. If you want to read the emails themselves, look into the /tmp/SMTPFILES folder and open a file.

ls /tmp/SMTPFILES

charlie@m57.biz_0_27  charlie@m57.biz_0_28  charlie@m57.biz_0_29

cat /tmp/SMTPFILES/charlie@m57.biz_0_27

Message-ID: <4B0451D7.6080508@m57.biz>
Date: Wed, 18 Nov 2009 11:58:15 -0800
From: Charlie <charlie@m57.biz>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Pat McGoo <pat@m57.biz>
Subject: Re: COFFEE
References: <98CC40FE46EA4F9CB82A95B0E7634C9A@m57pat>
In-Reply-To: <98CC40FE46EA4F9CB82A95B0E7634C9A@m57pat>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Pat McGoo wrote:
> Charlie, Terry,
>
>     just checking up on your preferences for coffee - jo is going
> shopping tomorrow, let us know what you want.
>
> Jo, I like my coffee cinnamon apple flavor with just a whisper of
> cream - be sure to get the heavy whipping cream, NOT the half and
> half.  See if they have any of those nice pumpkin muffins, too.
>
> Pat
Can I just get hot chocolate instead?  I like the little sprinkles and
whipped cream with it.
.
QUIT

Note that smtpDecode appends the flow direction and the flowIndex to every extracted filename, so the extracted files can be correlated with the flows they were carved from:

Filename_Flow-Dir(0/1)_findex
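The naming scheme above and the flow table are all that is needed to tie a carved mail back to its session. The following added example (not part of Tranalyzer or the smtpDecode plugin) parses the `Filename_Flow-Dir(0/1)_findex` scheme, reads a Tranalyzer-style tab-separated flow file, and reports for each extracted file who sent it to whom and whether the session was upgraded to TLS. The flow file embedded here is constructed and heavily abridged; its column names (`flowInd`, `dir`, `smtpCC`, `smtpRC`, `smtpRCT`, `smtpESANames`, `smtpERANames`) and the assumption that direction 0 maps to `A` and 1 to `B` are modelled on the output shown above, not taken from the plugin's documentation. Because the reader keys columns by the `%` header line, it also works on a real flow file as long as the same column names exist.

```python
"""Correlate smtpDecode-extracted mail files with the flows they came from.

Added example, not part of the Tranalyzer project. Column names and the
0/1 -> A/B direction mapping are assumptions based on the tutorial output.
"""
import re

# Constructed, abridged flow file in Tranalyzer's tab-separated layout.
# The header line starts with '%'; string columns are double-quoted and
# list columns use ';' as separator, as in the tutorial output.
SAMPLE_FLOWS = """\
%dir\tflowInd\tsrcIP\tdstIP\tsmtpCC\tsmtpRC\tsmtpRCT\tsmtpESANames\tsmtpERANames
A\t27\t192.168.1.104\t192.168.1.1\tEHLO;MAIL;RCPT;DATA;QUIT\t\t\t"charlie@m57.biz_0_27"\t"pat@m57.biz"
B\t27\t192.168.1.1\t192.168.1.104\t\t220;250;354;221\t"220 domex ESMTP Postfix";"250 2.0.0 Ok: queued as 3B2C92AF471"\t\t
A\t30\t192.168.1.103\t192.168.1.1\tEHLO\t\t\t\t
B\t30\t192.168.1.1\t192.168.1.103\t\t220;250\t"220 domex ESMTP Postfix";"220 2.0.0 Ready to start TLS"\t\t
"""

# Filename_Flow-Dir(0/1)_findex: the name part may itself contain underscores,
# so anchor on the last two '_' separated fields.
FNAME_RE = re.compile(r"^(?P<name>.+)_(?P<dir>[01])_(?P<findex>\d+)$")


def parse_smtp_filename(fname):
    """Split an extracted filename into (name, direction, flow index)."""
    m = FNAME_RE.match(fname)
    if m is None:
        raise ValueError(f"not an smtpDecode filename: {fname!r}")
    return m["name"], int(m["dir"]), int(m["findex"])


def load_flows(text):
    """Read a Tranalyzer flow file into a list of dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("%"):          # column header line
            header = line[1:].split("\t")
            continue
        if header is None:
            raise ValueError("flow data before header line")
        fields = line.split("\t")
        rows.append({k: v.strip('"') for k, v in zip(header, fields)})
    return rows


def split_list(value):
    """Turn a ';'-separated, quoted list column into a Python list."""
    return [v.strip('"') for v in value.split(";") if v.strip('"')]


def session_used_tls(flows, findex):
    """True if the server side (dir B) of flow findex answered 'Ready to start TLS'."""
    for f in flows:
        if f["flowInd"] == str(findex) and f["dir"] == "B":
            return "Ready to start TLS" in f.get("smtpRCT", "")
    return False


def correlate(filenames, flows):
    """Map each extracted file to its sender, recipients and TLS status."""
    by_key = {(f["flowInd"], f["dir"]): f for f in flows}
    result = []
    for fn in filenames:
        name, d, idx = parse_smtp_filename(fn)
        flow = by_key.get((str(idx), "AB"[d]))   # assumed: 0 -> A, 1 -> B
        if flow is None:
            continue                              # file without a matching flow
        result.append({
            "file": fn,
            "flowInd": idx,
            "sender": name,
            "recipients": split_list(flow.get("smtpERANames", "")),
            "tls": session_used_tls(flows, idx),
        })
    return result


def cleartext_mail_flows(flows):
    """Flow indices where a DATA phase happened without a TLS upgrade."""
    return sorted(
        f["flowInd"] for f in flows
        if f["dir"] == "A" and "DATA" in split_list(f.get("smtpCC", ""))
        and not session_used_tls(flows, f["flowInd"])
    )


if __name__ == "__main__":
    flows = load_flows(SAMPLE_FLOWS)
    for r in correlate(["charlie@m57.biz_0_27"], flows):
        print(r)
    print("cleartext DATA flows:", cleartext_mail_flows(flows))
```

On the real output, point `load_flows` at the `_flows.txt` file in `~/results` and `correlate` at the listing of `/tmp/SMTPFILES`; sessions that appear in `cleartext_mail_flows` are the ones whose message bodies are readable on the wire, which is exactly what the carved files above demonstrate.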

Also look into the other folders of files extracted by httpSniffer.

You can also see that the server speaks ESMTP and that some sessions are upgraded to TLS ("220 2.0.0 Ready to start TLS"), i.e. the handshake for encrypted communication follows. If you want to know more about it, look into the sslDecode tutorial.

Conclusion

Don’t forget to reset the configuration for other tutorials:

t2conf smtpDecode -D SMTP_SAVE=0 && t2build smtpDecode

Or reset all plugins and the core to default configuration:

t2conf --reset -a

Play around a bit with the other extracting plugins and your own traffic.

Have fun!