PAS-20: Mail Handling

Issue Information

Issue Type: New Feature
Priority: Major
Status: Open

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Unresolved
Affects Version: 0.1
Target version: 0.1
Labels: Mail, SMTP

Created: 2015-11-27 12:41:55
Time Spent Working
90 minutes
90 minutes
0 minutes

TLS connections to mail servers are already captured, but plaintext ones aren't.

I haven't decided yet on exactly what information should be extracted, but a starting point would be to start building something similar to webtraffic.csv so there's a record of which mailservers were connected to (and EHLO names etc)

PAS-15 is interested in extracting SMTP Plain authentication strings, so it'd be helpful if the tempfile also included those somehow, as it'd save doing a separate tshark run.
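As an added illustration of the two things the description asks for (a per-connection record of SMTP commands and the EHLO name, plus the AUTH PLAIN credential PAS-15 wants), here is a small parser written for this page. It is not code from PAS, which drives tshark from a shell script; it takes an already reassembled client/server stream in a constructed "C: "/"S: " line format, and the function names, the sample session and the CSV column set are this example's own assumptions, not the layout of mailtransactions.csv. It also handles two details a transaction list tends to get wrong: message body after DATA (only entered once the server answers 354) must not be logged as commands, and the AUTH PLAIN credential may arrive either inline or as a separate line after the 334 challenge.

```python
import base64
import binascii
import csv
import io

# Constructed sample session (not a real capture): one plaintext SMTP
# conversation, client lines prefixed "C: ", server lines "S: ".
# The credential is base64("\0alice\0s3cret").
SAMPLE_SESSION = """\
S: 220 mail.example.test ESMTP ready
C: EHLO workstation.example.test
S: 250-mail.example.test
S: 250-AUTH PLAIN LOGIN
S: 250 SIZE 10240000
C: AUTH PLAIN
S: 334
C: AGFsaWNlAHMzY3JldA==
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<alice@example.test>
S: 250 2.1.0 Ok
C: RCPT TO:<bob@example.test>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: hi
C:
C: body
C: .
S: 250 2.0.0 Ok: queued
C: QUIT
S: 221 2.0.0 Bye
"""


def decode_auth_plain(b64):
    """Decode an RFC 4616 PLAIN credential: base64(authzid NUL authcid NUL passwd).
    Returns (authzid, authcid, passwd) or None when the string is malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return None
    return tuple(p.decode("utf-8", "replace") for p in parts)


def parse_smtp_session(session_text):
    """Record every client command with the server's reply code, the EHLO/HELO
    name, and any AUTH PLAIN credential (inline or sent after the 334 challenge).
    Body lines between a 354 reply and the terminating "." are not commands."""
    record = {"banner": None, "ehlo": None, "auth_user": None, "auth_pass": None, "commands": []}
    in_data = False        # inside the message body
    awaiting_blob = False  # "AUTH PLAIN" sent without its credential
    current = None         # most recent command still waiting for a reply

    for line in session_text.splitlines():
        if line.startswith("S:"):
            reply = line[2:].strip()
            code = reply[:3]
            if not code.isdigit():
                continue
            if current is None:
                record["banner"] = reply          # greeting, no command pending
            elif current["code"] is None:         # first line of a (multi-line) reply
                current["code"] = code
                if current["command"] == "DATA":  # only 354 opens the body
                    in_data = code == "354"
            continue
        if not line.startswith("C:"):
            continue
        payload = line[2:].strip()

        if in_data:
            if payload == ".":
                in_data = False
                current = {"command": ".", "argument": "", "code": None}
                record["commands"].append(current)
            continue

        if awaiting_blob:
            awaiting_blob = False
            creds = decode_auth_plain(payload)
            if creds:
                record["auth_user"], record["auth_pass"] = creds[1], creds[2]
            current = {"command": "AUTH-RESPONSE",
                       "argument": "PLAIN credential" if creds else "unparseable", "code": None}
            record["commands"].append(current)
            continue

        verb, _, argument = payload.partition(" ")
        verb = verb.upper()
        current = {"command": verb, "argument": argument, "code": None}
        record["commands"].append(current)
        if verb in ("EHLO", "HELO"):
            record["ehlo"] = argument
        elif verb == "AUTH":
            mech, _, blob = argument.partition(" ")
            if mech.upper() == "PLAIN":
                if blob:                              # inline form: AUTH PLAIN <base64>
                    creds = decode_auth_plain(blob)
                    if creds:
                        record["auth_user"], record["auth_pass"] = creds[1], creds[2]
                    current["argument"] = "PLAIN credential"
                else:
                    awaiting_blob = True              # credential follows the 334
    return record


def session_to_csv(record, client_ip, server_ip):
    """One CSV row per command; the column set is this example's own layout."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["client", "server", "ehlo", "command", "argument", "response"])
    for c in record["commands"]:
        w.writerow([client_ip, server_ip, record["ehlo"] or "", c["command"], c["argument"], c["code"] or ""])
    return buf.getvalue()


if __name__ == "__main__":
    print(session_to_csv(parse_smtp_session(SAMPLE_SESSION), "10.0.0.5", "192.0.2.25"))
```

The base64 blob itself is deliberately not copied into the transaction rows; the decoded username is what an analyst wants, and keeping the raw credential out of a CSV that gets shared around is the safer default.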

Issue Links


btasker added 'Mail SMTP' to labels
I've implemented a fairly basic transaction list of all SMTP commands seen. The new CSV - mailtransactions.csv - is currently pretty SMTP specific, so may need some tweaking once POP3 and IMAP are added.

Repo: PCAPAnalyseandReport
Commit: 76d046483851fd6ca2d2e0c1b195b27cecdfadb5
Author: Ben Tasker <github@<Domain Hidden>>

Date: Fri Nov 27 13:56:03 2015 +0000
Commit Message: Implemented basic extraction of SMTP traffic. See PAS-20
