What is TCP 3 way handshake in Wireshark?

How do I check my handshake in Wireshark?

I've never done this before. So, basically I can see TCP traffic on port 25 in wireshark. So, if someone sends mail to "me" I get it, and the port number is 25. Is that enough for me to try and spoof my own mail address in the envelope header from a spam message?

You can see how all of these servers connect, I would really like to figure out what the server is sending back to the user (the reply of the first query to the login to the address specified).
Viktor, Nov 15 '12 at 7:32

Is this something you can do from another host? If so it should be possible to check the whole chain, or even just looking at the packets you can get all the headers you need. I don't know a lot about packet capture, but I think the standard in network protocols (at least in most cases) is to use a client and server, where the client opens a session and sends some kind of request to the server, the server replies and then the client closes the session. The only reason I mention it is to show that the protocol itself is pretty simple. If there are some more details I would be happy to help with it.

User36872311, Oct 23 '12 at 22:50

1 Answer

You can also do this by checking the server's side of the conversation, not the client's. As you say, most mail servers are very simple and don't have many configuration options, so it's likely that you can work out what the server is sending the client by looking at the raw data.

That said, I don't believe you'll be able to send a spoofed message that way. You'll have to read up on TCP messages and SMTP messages.

This page has a list of what different parts of the message mean. I'd recommend reading the SMTP format there, as well as the documentation for each part of the RFC.

@user36872311: How do I actually achieve this? How do I send a packet to the mail server? How do I know what it will send? How do I send a spoofed email?

How do I filter TCP in Wireshark?

With Wireshark, one way of seeing all TCP connections going into your PC is to simply look at the summary filter bar.

A quick search brought up some examples here and there about filtering but never a full tutorial of how to actually create a filter that will work properly. Here is my attempt at creating a working filter:

When I tried my filter on wireshark, it did not show me any results. When I try to use this filter in a packet list, it shows me many tcp sessions as a whole; however, the filter still does not pick them out individually.

Also, my goal is to create this filter and then export it to pcap for analysis. The goal is: to see all traffic that is coming through our network interface with the host name 'example'. Only traffic from our network interface. Meaning anything else goes onto a log file but not to the display window.

The only way I am making progress is using tcp flag set on tcp and tcp flags 1/2. Here is an example of what I am expecting to see on wireshark under the network filter: I just created a filter to see all TCP traffic by setting tcp and tcpflags 1 or 2 to the following.

# Set the filter to "tcp

However, any time I move onto a destination that is not the one mentioned in the filter, it seems like it doesn't matter if I click or not to include those networks in the filter - it will show them all anyway. Now after I add the host name which has the same value as the filter, this happens: This is expected because I just used the host name that is in the filter bar in the TCP Filter tab as my filter criteria.

How do I check my TCP handshake?

If you're not familiar with socket programming, here is a simple description of it: each time your server is in the process of responding to a client, it sends a message to the client saying what it will be sending and how long it will take to send the message.

The client must then open a small window for this message. The next message from the server will either acknowledge that the client has received this message or ask the client to wait for a "keep-alive" message. If the server has no further messages for the client (i.e., it's terminated the connection), then it must close the connection. That's it.

The keep-alive message is a byte whose length is usually the same as the length of the message sent by the server. The client must respond to this message with another keep-alive byte, as well as closing the connection. This keep-alive is typically sent to the server every 2 minutes. The server MUST respond to the keep-alive with an acknowledgment, or else the client will start dropping packets. This keeps the TCP protocol working.

Since you have the IP address of the client, you can ping the client on the command line. Type in "ping 123.456.789.012" (where "123.012" is the IP address of your client).
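An added example, not from the original question or answers, covering both the flag-based filter attempt above and the handshake check: it decodes the TCP flag bits that Wireshark exposes as tcp.flags.syn / tcp.flags.ack and verifies a complete SYN, SYN/ACK, ACK exchange (including the seq/ack arithmetic) over constructed sample packets; all addresses and sequence numbers are made up.

```python
from collections import namedtuple

# TCP flag bits as laid out in the header (RFC 793). Wireshark exposes the
# same bits as tcp.flags.fin, tcp.flags.syn, tcp.flags.rst, tcp.flags.ack.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# One captured segment: src/dst are "ip:port", flags is the raw flag byte.
Packet = namedtuple("Packet", "src dst flags seq ack")

def handshake_stage(flags: int) -> str:
    """Name a segment's handshake role from its flag bits."""
    if flags & RST:
        return "rst"
    if flags & SYN and not flags & ACK:
        return "syn"      # display filter: tcp.flags.syn == 1 && tcp.flags.ack == 0
    if flags & SYN and flags & ACK:
        return "syn-ack"  # display filter: tcp.flags.syn == 1 && tcp.flags.ack == 1
    if flags & ACK and not flags & FIN:
        return "ack"
    return "other"

def find_handshakes(packets):
    """Return (client, server) for every completed SYN, SYN/ACK, ACK exchange,
    checking the seq/ack arithmetic so a stray ACK is not counted."""
    pending, done = {}, []          # pending: (client, server) -> state
    for p in packets:
        stage = handshake_stage(p.flags)
        if stage == "syn":
            pending[(p.src, p.dst)] = {"stage": "syn", "isn": p.seq}
        elif stage == "syn-ack":
            st = pending.get((p.dst, p.src))
            if st and st["stage"] == "syn" and p.ack == st["isn"] + 1:
                st.update(stage="syn-ack", sisn=p.seq)
        elif stage == "ack":
            st = pending.get((p.src, p.dst))
            if (st and st["stage"] == "syn-ack" and p.seq == st["isn"] + 1
                    and p.ack == st["sisn"] + 1):
                done.append((p.src, p.dst))
                del pending[(p.src, p.dst)]
        elif stage == "rst":        # a reset aborts either side's attempt
            pending.pop((p.src, p.dst), None)
            pending.pop((p.dst, p.src), None)
    return done

# Constructed sample: one full handshake to port 25, plus a SYN that got no reply
SAMPLE = [
    Packet("10.0.0.5:40000", "10.0.0.9:25", SYN, 1000, 0),
    Packet("10.0.0.9:25", "10.0.0.5:40000", SYN | ACK, 5000, 1001),
    Packet("10.0.0.5:40000", "10.0.0.9:25", ACK, 1001, 5001),
    Packet("10.0.0.7:40001", "10.0.0.9:25", SYN, 2000, 0),
]
```

The unanswered SYN from 10.0.0.7 is left in the pending table, which is the case a half-open-connection check in a real capture would report.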
