When I analyze POP packets with Wireshark, when I receive emails with Outlook, I can see USER and PASS commands with username and password transmitted unecrypted.
But if I try to get my emails with Thunderbird (without encryption), I CANNOT see in Wireshark USER and PASS commands, and for sure, no username and password !!
But there are new commands :
I don't understand why, is there a way to get them ??
asked 03 Feb '12, 13:56
the information is Base 64 encoded and can be decoded easily (but Wireshark does not do that for you). The strange output is due to null bytes being present in the decoded string. See RFC 2595  for more information.
echo "AGNsZW1lbnQuYm9ubmFsADJ4cgt0OQ==" | base64 -d clement.bonnal2xr t9
The plain authentication method only uses one command to transmit the credentials, unlike the login method which uses two commands(user,pass).
 http://www.fehcom.de/qmail/smtpauth.html  http://tools.ietf.org/html/rfc2595