
Dissector to parse smtp with specific content, but let normal smtp dissector handle it otherwise.

asked 2019-06-06 18:37:29 +0000 by jlshuman, updated 2019-06-11 17:12:45 +0000

I need to write a dissector that looks at all SMTP traffic searching for keywords. If the keywords are found, I want my dissector to handle it. If the keywords are not present, then let the regular smtp dissector handle it like usual.



Is the "traffic" you're searching for keywords the SMTP protocol's commands and responses or the contents of the message being transferred?

Guy Harris (2019-06-06 20:43:53 +0000)

The keywords are in the contents of the message being transferred. One of the keywords I'm looking for is MSGID. It is part of a message protocol called USMTF (United States Message Text Format) in case you know what that is.

jlshuman (2019-06-11 16:57:30 +0000)

2 Answers


answered 2019-06-11 21:08:13 +0000 by Jaap

Since the specific content is in the SMTP payload, you should look into the Internet Message Format (IMF). The dissector has settings for custom headers, maybe that can already do what you need.



The IMF dissector is called from the SMTP dissector. Is there a way that I can create a dissector to take the place of the IMF dissector without changing the call to it in the SMTP dissector? I don't want to have to build a custom Wireshark. I want to just add my own dissector (in a dll) that will replace the work done by the IMF dissector.

jlshuman (2019-06-12 16:33:51 +0000)

I don't think so, that's why I pointed to the custom headers you can set for the IMF dissector through its preferences.

Jaap (2019-06-12 21:30:01 +0000)

Is there some documentation somewhere that describes how to use Custom IMF headers?

jlshuman (2019-06-18 15:35:27 +0000)

answered 2019-06-12 03:18:01 +0000 by Guy Harris

I had the sneaking feeling the "M" could also stand for "Military". :-) (The "United States" in the specification name suggested it, as I suspect few other parts of the US government would want their own standard.)

According to the USMTF Wikipedia page, it "is a Military Standard collection of information exchanges, currently defined in W3C XML Schema, which seeks to improve the interoperability of Joint military systems."

It's published as MIL-STD-6040 (and apparently it may also be a NATO standard, so other NATO countries may have their own versions). It doesn't appear to be easily available to non-military personnel.

It appears to be an XML-based text format, so it was presumably developed after the MIME specifications came out. If it's implemented atop the RFC 5322 Internet Message standard, plus the RFC 2045, RFC 2046, RFC 2047, RFC 2048, and RFC 2049 MIME specifications, with a particular media type being assigned to USMTF messages, then you could register a dissector in the "media_type" dissector table, with the media-type string value as the key.

If it's not encoded using the Internet Message Format + MIME, but there is some extension to SMTP that's used to negotiate USMTF, we'd have to add a mechanism to support that mechanism.

If there's no such extension, we'd have to add support for "heuristic" dissectors to look at message bodies and dissect them if they look like messages for that type; there is no such mechanism currently available in Wireshark.

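As an added illustration of the "media_type" registration described in this answer (example code, not from the question, the answers, or the Wireshark project), the Lua script below registers a small body dissector for a message media type and pulls the MSGID set the asker mentioned out of the body. The media type "application/x-usmtf" and the "SETNAME/field/field//" line layout are constructed placeholders, since the real MIL-STD-6040 layout is not given on this page; the IMF dissector hands a MIME part to whatever is registered under its Content-Type string, so no rebuild of Wireshark is needed.

```lua
-- Added example, not part of the original answer. It registers a body
-- dissector under a hypothetical media type so IMF dispatches the MIME part
-- to it. ASSUMPTION: "application/x-usmtf" and the "SETNAME/f1/f2//" line
-- syntax are constructed stand-ins for the unpublished MIL-STD-6040 layout.

local usmtf = Proto("usmtf", "USMTF message body (example)")

local f_set   = ProtoField.string("usmtf.set",   "Set")
local f_msgid = ProtoField.string("usmtf.msgid", "MSGID")
usmtf.fields = { f_set, f_msgid }

-- Parse one body line of the form "SETNAME/field/.../field//".
-- Returns the set name and a table of fields, or nil if the line
-- does not look like a set line.
local function parse_set(line)
    local name, rest = line:match("^(%u[%u%d]*)/(.*)//$")
    if not name then return nil end
    local fields = {}
    for field in (rest .. "/"):gmatch("([^/]*)/") do
        fields[#fields + 1] = field
    end
    return name, fields
end

function usmtf.dissector(tvb, pinfo, tree)
    pinfo.cols.protocol = "USMTF"
    local subtree = tree:add(usmtf, tvb(), "USMTF message body")
    local offset, len = 0, tvb:len()
    while offset < len do
        -- Walk the body line by line; the last line may lack a newline.
        local remaining = tvb:range(offset, len - offset):string()
        local nl = remaining:find("\n", 1, true)
        local line_len = nl or #remaining
        local line = remaining:sub(1, line_len):gsub("[\r\n]+$", "")
        local name, fields = parse_set(line)
        if name then
            local item = subtree:add(f_set, tvb:range(offset, #line), name)
            if name == "MSGID" then
                -- First field of the MSGID set is the message identifier.
                item:add(f_msgid, tvb:range(offset, #line), fields[1] or "")
            end
        end
        offset = offset + line_len
    end
    return len
end

-- Key is the Content-Type string that IMF looks up in this table.
DissectorTable.get("media_type"):add("application/x-usmtf", usmtf)
```

Drop the script into the personal Lua plugins directory and the field filters usmtf.set and usmtf.msgid become available without touching the SMTP or IMF dissectors.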
