Ask Your Question

tshark smtp filter decode.

asked 2018-06-04 20:52:48 +0000

Will DB gravatar image

The Wireshark filter smtp.auth.username does great. The Info column shows the readable username. The same filter in tshark does not interpret the base64 packet content. How can I make it do that?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-06-04 21:39:29 +0000

cmaynard gravatar image

Pass -o smtp.decryption:TRUE to tshark.

Example without the option:

tshark -T fields -e frame.number -e smtp.auth.username -Y smtp.auth.username -r crim.pcap
63      c25lYWt5ZzMza0Bhb2wuY29t
123     c25lYWt5ZzMza0Bhb2wuY29t

Example with the option:

tshark -o smtp.decryption:TRUE -T fields -e frame.number -e smtp.auth.username -Y smtp.auth.username -r crim.pcap
63      [email protected]
123     [email protected]
edit flag offensive delete link more


Perfect! Exactly what I needed! Thanks!

Will DB gravatar imageWill DB ( 2018-06-04 21:48:54 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-06-04 20:52:48 +0000

Seen: 261 times

Last updated: Jun 04 '18