Tutorial: Simple Mail Transport Protocol (SMTP)

This tutorial discusses the plugin smtpDecode.

Preparation

Before we start, we need to prepare T2. If you did not complete the previous tutorials, just follow the procedure described below.

First I recommend resetting T2 to a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins, just as a precaution in case old plugins or files are still lying around there. If you want to keep them, copy them somewhere else first.

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$

Then compile the following plugins:

$ t2build tranalyzer2 basicFlow tcpStates smtpDecode txtSink
...
BUILD SUCCESSFUL

$

If you have not yet created separate data and results directories, do it now in another command window; it makes the workflow easier:

$ mkdir ~/data ~/results
$

Download the sample pcap here: faf-exercise.pcap (Source: Bro) and place it in ~/data. Now you're all set.

smtpDecode

Let’s look at the plugin configuration first:

$ smtpDecode
$ vi src/smtpDecode.h

Run t2 on the supplied pcap.

$ t2 -r ~/data/faf-exercise.pcap -w ~/results/ -s
$
$ tawk -V smtpStat=0x01

$

Data carving with smtpDecode

Switch on SMTP_SAVE, recompile, rerun T2 and move into /tmp/SMTPFILES:

$ t2conf smtpDecode -D SMTP_SAVE=1
$ t2build smtpDecode
...
$ t2 -r ~/data/faf-exercise.pcap -w ~/results
================================================================================
Tranalyzer 0.8.10 (Anteater), Tarantula. PID: 22585
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.10
    02: tcpStates, 0.8.10
    03: smtpDecode, 0.8.10
    05: txtSink, 0.8.10
...
--------------------------------------------------------------------------------
tcpStates: Aggregated tcpStatesAFlags=0x4a
smtpDecode: Number of SMTP packets: 894 [15.15%]
smtpDecode: Number of SMTP files: 3
--------------------------------------------------------------------------------
...

smtpDecode reports three mail files. Let's first have a look at the SMTP flows.

$ tawk 'strtonum($smtpStat) || hdr()' faf-exercise_flows.txt | tcol
%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP          srcIPCC  srcIPOrg           srcPort  dstIP          dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStates  smtpStat  smtpCC                    smtpRC           smtpUsr  smtpPW  smtpSANum  smtpESANum  smtpERANum  smtpSA                                                                                                                                                                                                                                     smtpESA                 smtpERA                httpStat  httpAFlags  httpMethods  httpHeadMimes  httpCFlags  httpGet_Post  httpRSCnt  httpRSCode  httpURL_Via_Loc_Srv_Pwr_UAg_XFr_Ref_Cky_Mim  httpImg_Vid_Aud_Msg_Txt_App_Unk  httpHosts  httpURL  httpMimes     httpCookies  httpImages  httpVideos  httpAudios  httpMsgs  httpAppl  httpText          httpPunk  httpBdyURL  httpUsrAg                                  httpXFor  httpRefrr  httpVia  httpLoc  httpServ  httpPwr
A     12       0x0400000000004000  1258563573.941668  1258563576.594009  2.652341  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1397     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     12       0x0400000000004001  1258563573.941709  1258563576.594045  2.652336  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1397     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     13       0x0400000000004000  1258565030.304653  1258565030.420837  0.116184  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1749     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     13       0x0400000000004001  1258565030.304696  1258565030.420877  0.116181  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1749     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     14       0x0400000000004000  1258565174.919134  1258565175.037809  0.118675  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1755     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     14       0x0400000000004001  1258565174.919179  1258565175.037828  0.118649  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1755     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     15       0x0400000000004000  1258565820.302090  1258565821.898589  1.596499  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49218    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     15       0x0400000000004001  1258565820.302128  1258565821.898612  1.596484  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49218    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     16       0x0400000000004000  1258565880.189257  1258565880.212242  0.022985  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49219    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     16       0x0400000000004001  1258565880.189338  1258565880.212279  0.022941  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49219    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     17       0x0400000000004000  1258566050.124592  1258566050.238771  0.114179  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49220    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     17       0x0400000000004001  1258566050.124650  1258566050.238828  0.114178  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49220    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     18       0x0400000000004000  1258566123.706408  1258566123.739652  0.033244  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1806     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     18       0x0400000000004001  1258566123.706462  1258566123.739692  0.033230  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1806     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     19       0x0400000000004000  1258567109.383510  1258567113.574618  4.191108  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  07       "Private network"  1400     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     19       0x0400000000004001  1258567109.383558  1258567113.574642  4.191084  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102  07       "Private network"  1400     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     20       0x0400000000004000  1258567248.261596  1258567248.374768  0.113172  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  07       "Private network"  1404     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     20       0x0400000000004001  1258567248.261635  1258567248.374809  0.113174  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102  07       "Private network"  1404     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     21       0x0400000000004000  1258567289.262109  1258567289.283592  0.021483  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  07       "Private network"  1405     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     21       0x0400000000004001  1258567289.262156  1258567289.283642  0.021486  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102  07       "Private network"  1405     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     22       0x0400000000004000  1258567757.457759  1258567757.572930  0.115171  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49336    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     22       0x0400000000004001  1258567757.457805  1258567757.572984  0.115179  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49336    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     23       0x0400000000004000  1258568036.508358  1258568036.620287  0.111929  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49353    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     23       0x0400000000004001  1258568036.508400  1258568036.620325  0.111925  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49353    6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     24       0x0400000000004000  1258568059.128662  1258568059.160656  0.031994  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1836     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     24       0x0400000000004001  1258568059.128711  1258568059.160696  0.031985  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1836     6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     25       0x0400000000004000  1258568667.549041  1258568667.662968  0.113927  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  07       "Private network"  1709     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     25       0x0400000000004001  1258568667.549083  1258568667.662999  0.113916  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102  07       "Private network"  1709     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     26       0x0400000000004000  1258568738.108255  1258568738.141234  0.032979  1           3        eth:ipv4:tcp  00:08:74:38:01:b4  00:19:e3:e7:5d:23  0x0800              192.168.1.105  07       "Private network"  49561    192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "M57Terry"                                                                                                                                                                                                                                                                                0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     26       0x0400000000004001  1258568738.108301  1258568738.141266  0.032965  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:08:74:38:01:b4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.105  07       "Private network"  49561    6        0x00       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     27       0x0400000000004000  1258574141.027462  1258574141.466197  0.438735  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104  07       "Private network"  1572     192.168.1.1    07       "Private network"  25       6        0x00       0x11      EHLO;MAIL;RCPT;DATA;QUIT                                    1          1           1           "[192.168.1.104]"                                                                                                                                                                                                                          "charlie@m57.biz_0_27"  "pat@m57.biz"          0x0000    0x0000      0x00         0x0040         0x0010      0_0           0                      0_0_0_0_0_1_0_0_0_1                          0_0_0_0_1_0_0                                        "text/plain"                                                                       "nudel_0_27_5_0"                        "Thunderbird 2.0.0.23 (Windows/20090812)"
B     27       0x0400000000004001  1258574141.027497  1258574141.466226  0.438729  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.104  07       "Private network"  1572     6        0x00       0x01                                220;250;354;221                   7          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L250 2.1.0 Ok";"250 2.1.0 Ok";"250 2.1.5 Ok";"354 End data with <CR><LF>.<CR><LF>";"250 2.0.0 Ok: queued as 3B2C92AF471";"221 2.0.0 Bye"                                                 0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     28       0x0400000000004000  1258577484.692600  1258577484.971674  0.279074  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104  07       "Private network"  1604     192.168.1.1    07       "Private network"  25       6        0x00       0x11      EHLO;MAIL;RCPT;DATA;QUIT                                    1          1           1           "[192.168.1.104]"                                                                                                                                                                                                                          "charlie@m57.biz_0_28"  "pat@m57.biz"          0x0000    0x0000      0x00         0x0040         0x0010      0_0           0                      0_0_0_0_0_1_0_0_0_1                          0_0_0_0_1_0_0                                        "text/plain"                                                                       "nudel_0_28_5_0"                        "Thunderbird 2.0.0.23 (Windows/20090812)"
B     28       0x0400000000004001  1258577484.692644  1258577484.971707  0.279063  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.104  07       "Private network"  1604     6        0x00       0x01                                220;250;354;221                   7          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L250 2.1.0 Ok";"250 2.1.0 Ok";"250 2.1.5 Ok";"354 End data with <CR><LF>.<CR><LF>";"250 2.0.0 Ok: queued as BF9192AF931";"221 2.0.0 Bye"                                                 0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     29       0x0400000000004000  1258577840.949762  1258577841.204606  0.254844  1           3        eth:ipv4:tcp  00:0b:db:4f:6b:10  00:19:e3:e7:5d:23  0x0800              192.168.1.104  07       "Private network"  1665     192.168.1.1    07       "Private network"  25       6        0x00       0x11      EHLO;MAIL;RCPT;DATA;QUIT                                    1          1           1           "[192.168.1.104]"                                                                                                                                                                                                                          "charlie@m57.biz_0_29"  "alix.pery@yahoo.com"  0x0000    0x0000      0x00         0x0040         0x0010      0_0           0                      0_0_0_0_0_1_0_0_0_1                          0_0_0_0_1_0_0                                        "text/plain"                                                                       "nudel_0_29_5_0"                        "Thunderbird 2.0.0.23 (Windows/20090812)"
B     29       0x0400000000004001  1258577840.949804  1258577841.204644  0.254840  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:4f:6b:10  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.104  07       "Private network"  1665     6        0x00       0x01                                220;250;354;221                   7          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L250 2.1.0 Ok";"250 2.1.0 Ok";"250 2.1.5 Ok";"354 End data with <CR><LF>.<CR><LF>";"250 2.0.0 Ok: queued as 0B4782AF94B";"221 2.0.0 Bye"                                                 0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     30       0x0400000000004000  1258581757.587843  1258581758.358872  0.771029  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  1934     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     30       0x0400000000004001  1258581757.587891  1258581758.358901  0.771010  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  1934     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     31       0x0400000000004000  1258582107.588230  1258582108.822693  1.234463  1           3        eth:ipv4:tcp  00:0b:db:63:5b:d4  00:19:e3:e7:5d:23  0x0800              192.168.1.103  07       "Private network"  2008     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57pat"                                                                                                                                                                                                                                                                                  0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     31       0x0400000000004001  1258582107.588266  1258582108.822724  1.234458  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:5b:d4  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.103  07       "Private network"  2008     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
A     32       0x0400000000004000  1258583614.298059  1258583615.323171  1.025112  1           3        eth:ipv4:tcp  00:0b:db:63:58:a6  00:19:e3:e7:5d:23  0x0800              192.168.1.102  07       "Private network"  1911     192.168.1.1    07       "Private network"  25       6        0x00       0x01      EHLO                                                        1          0           0           "m57jo"                                                                                                                                                                                                                                                                                   0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0
B     32       0x0400000000004001  1258583614.298161  1258583615.323218  1.025057  1           3        eth:ipv4:tcp  00:19:e3:e7:5d:23  00:0b:db:63:58:a6  0x0800              192.168.1.1    07       "Private network"  25       192.168.1.102  07       "Private network"  1911     6        0x08       0x01                                220;250                           3          0           0           "220 domex ESMTP Postfix";"250-domex_250-PIPELINING_250-SIZE 10485760_250-VRFY_250-ETRN_250-AUTH L220 2.0.0 Ready to start TLS";"220 2.0.0 Ready to start TLS"                                                                                                                            0x0000    0x0000      0x00         0x0000         0x0010      0_0           0                      0_0_0_0_0_0_0_0_0_0                          0_0_0_0_0_0_0

You can now see all the vital mail communication aggregated per flow. If you want to read the emails themselves, look into the /tmp/SMTPFILES folder and open a file.

$ cd /tmp/SMTPFILES
$ ls
charlie@m57.biz_0_27  charlie@m57.biz_0_28  charlie@m57.biz_0_29
$ cat charlie@m57.biz_0_27
Message-ID: <4B0451D7.6080508@m57.biz>
Date: Wed, 18 Nov 2009 11:58:15 -0800
From: Charlie <charlie@m57.biz>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Pat McGoo <pat@m57.biz>
Subject: Re: COFFEE
References: <98CC40FE46EA4F9CB82A95B0E7634C9A@m57pat>
In-Reply-To: <98CC40FE46EA4F9CB82A95B0E7634C9A@m57pat>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Pat McGoo wrote:
> Charlie, Terry,
>
>     just checking up on your preferences for coffee - jo is going
> shopping tomorrow, let us know what you want.
>
> Jo, I like my coffee cinnamon apple flavor with just a whisper of
> cream - be sure to get the heavy whipping cream, NOT the half and
> half.  See if they have any of those nice pumpkin muffins, too.
>
> Pat
Can I just get hot chocolate instead?  I like the little sprinkles and
whipped cream with it.
.
QUIT

As with the other extracting plugins, smtpDecode appends the flow direction and the flowIndex to every extracted filename, so that extracted files can be correlated with their flows:

Filename_Flow-Dir(0/1)_findex
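The following script is an added example, not part of the tutorial or of the smtpDecode plugin itself. It splits a carved filename back into sender, direction and flowIndex, looks the flow up in a Tranalyzer flow file and pulls the mail headers out of the carved message. The flow-file excerpt and the carved message below are constructed from the rows shown above (only a handful of basicFlow columns are kept); the mapping of the direction flag 0 to the A flow and 1 to the B flow is an assumption drawn from charlie@m57.biz_0_27 matching flow 27, direction A, in the table.

```python
"""Correlate files carved by smtpDecode with the flows that carried them.

smtpDecode names each carved file <sender>_<dir>_<flowIndex>.  This example
(not project code) parses that name, indexes a flow file by (dir, flowInd)
and extracts the mail headers an analyst wants first.
"""
from __future__ import annotations

import email
from email.message import Message

# Constructed excerpt of a Tranalyzer flow file: a "%"-prefixed, tab-separated
# header line followed by one row per flow.  Values are taken from the rows
# shown in the tutorial; only a few columns are kept.
FLOW_FILE = (
    "%dir\tflowInd\tsrcIP\tsrcPort\tdstIP\tdstPort\n"
    "A\t27\t192.168.1.104\t1572\t192.168.1.1\t25\n"
    "B\t27\t192.168.1.1\t25\t192.168.1.104\t1572\n"
    "A\t28\t192.168.1.104\t1604\t192.168.1.1\t25\n"
    "B\t28\t192.168.1.1\t25\t192.168.1.104\t1604\n"
)

# Constructed carved message: the headers and a shortened body of
# charlie@m57.biz_0_27 as listed above.  smtpDecode keeps the SMTP
# end-of-data marker "." and the QUIT command at the end of the file.
CARVED = (
    "Message-ID: <4B0451D7.6080508@m57.biz>\n"
    "Date: Wed, 18 Nov 2009 11:58:15 -0800\n"
    "From: Charlie <charlie@m57.biz>\n"
    "To: Pat McGoo <pat@m57.biz>\n"
    "Subject: Re: COFFEE\n"
    "Content-Type: text/plain; charset=ISO-8859-1; format=flowed\n"
    "\n"
    "Can I just get hot chocolate instead?\n"
    ".\n"
    "QUIT\n"
)


def parse_carved_name(name: str) -> tuple[str, str, int]:
    """Split '<sender>_<dir>_<findex>' into (sender, 'A'|'B', findex).

    rsplit from the right is used because the sender part may itself
    contain underscores.  Assumption: dir 0 is the A flow, 1 the B flow.
    """
    sender, dir_flag, findex = name.rsplit("_", 2)
    if dir_flag not in ("0", "1"):
        raise ValueError(f"unexpected direction flag in {name!r}")
    return sender, "AB"[int(dir_flag)], int(findex)


def load_flows(text: str) -> dict[tuple[str, int], dict[str, str]]:
    """Index flow rows by (dir, flowInd), taking column names from the header."""
    lines = [line for line in text.splitlines() if line.strip()]
    cols = lines[0].lstrip("%").split("\t")
    flows: dict[tuple[str, int], dict[str, str]] = {}
    for line in lines[1:]:
        row = dict(zip(cols, line.split("\t")))
        flows[(row["dir"], int(row["flowInd"]))] = row
    return flows


def mail_headers(raw: str) -> dict[str, str]:
    """Return the headers of interest; the trailing '.' and QUIT lines
    simply end up in the body and do not disturb header parsing."""
    msg: Message = email.message_from_string(raw)
    return {h: msg.get(h, "") for h in ("From", "To", "Subject", "Message-ID")}


def correlate(name: str, flows: dict, raw: str) -> dict:
    """Join the carved file's name, its flow row and its mail headers."""
    sender, direction, findex = parse_carved_name(name)
    flow = flows[(direction, findex)]
    info = {
        "sender": sender,
        "flowInd": findex,
        "dir": direction,
        "src": f"{flow['srcIP']}:{flow['srcPort']}",
        "dst": f"{flow['dstIP']}:{flow['dstPort']}",
    }
    info.update(mail_headers(raw))
    return info


if __name__ == "__main__":
    flows = load_flows(FLOW_FILE)
    for key, value in correlate("charlie@m57.biz_0_27", flows, CARVED).items():
        print(f"{key:10s} {value}")
```

On a real run, replace FLOW_FILE with the contents of the _flows.txt file written to ~/results and CARVED with the file read from /tmp/SMTPFILES; the "%" header line of the flow file supplies the column names, so the script keeps working when more plugins add columns.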

Also look at the other folders extracted by httpSniffer.

Don’t forget to reset the configuration for other tutorials:

$ t2conf smtpDecode -D SMTP_SAVE=0
$

Or use t2conf --reset -a to reset all plugins and the core to default configuration.

Play a bit around with the other extracting plugins and your own traffic.

Have fun!