
tshark smtp filter decode.

asked 2018-06-04 20:52:48 +0000

The Wireshark filter smtp.auth.username does great. The Info column shows the readable username. The same filter in tshark does not interpret the base64 packet content. How can I make it do that?


1 Answer


answered 2018-06-04 21:39:29 +0000

cmaynard

Pass -o smtp.decryption:TRUE to tshark.

Example without the option:

tshark -T fields -e frame.number -e smtp.auth.username -Y smtp.auth.username -r crim.pcap
63      c25lYWt5ZzMza0Bhb2wuY29t
123     c25lYWt5ZzMza0Bhb2wuY29t

Example with the option:

tshark -o smtp.decryption:TRUE -T fields -e frame.number -e smtp.auth.username -Y smtp.auth.username -r crim.pcap
63      sneakyg33k@aol.com
123     sneakyg33k@aol.com


Perfect! Exactly what I needed! Thanks!

Will DB ( 2018-06-04 21:48:54 +0000 )
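As an added example (not part of the answer above and not Wireshark project code): when field output was already captured without the preference set, the base64 values can be decoded afterwards. The function names are hypothetical, the sample lines are the undecoded output quoted in the answer, and the comma is tshark's default aggregator for fields that occur more than once in a frame.

```python
import base64
import sys

# Undecoded `-T fields` output as quoted in the answer (frame number, username).
SAMPLE = [
    "63\tc25lYWt5ZzMza0Bhb2wuY29t",
    "123\tc25lYWt5ZzMza0Bhb2wuY29t",
]


def decode_auth_value(value):
    """Decode one base64 AUTH value; return it unchanged if it is not base64 text."""
    try:
        # validate=True rejects characters outside the base64 alphabet, so a
        # value tshark has already decoded (it contains '@' or '.') is kept.
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value


def decode_fields_output(lines, aggregator=","):
    """Return [(frame_number, [usernames])] for each two-column output line."""
    rows = []
    for line in lines:
        parts = line.split(None, 1)  # columns are separated by a tab or spaces
        if len(parts) != 2:
            continue  # blank line, or a frame with no username field
        frame, field = parts
        users = [decode_auth_value(v) for v in field.strip().split(aggregator)]
        rows.append((frame, users))
    return rows


if __name__ == "__main__":
    # Pipe tshark's field output in on stdin, or run with no input for the sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for frame, users in decode_fields_output(source):
        print(frame, ",".join(users), sep="\t")
```

A short plain-text username made only of base64-alphabet characters can still decode to something unintended, so compare against the raw column when a result looks wrong.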


Last updated: Jun 04 '18