Re: [Wireshark-dev] SMTP: Extracting parametrs
On Tue, Jun 10, 2008 at 10:54:43AM -0700, goitom kahsay wrote:

> Thank you very much for your help. Yes, I created gtk/export_object_smtp.c, gtk/export_object2.c, export_object2.h and packet-smtp.h similar to gtk/export_object_http.c, gtk/export_object.c, export_object.h and packet-http.h, and it displays some unreadable characters. But I doubt about retrieving the parameters from the packet-smtp.c (dissect_smtp_data) function which is used to display the data line by line to the protocol tree. Do you think it is possible to retrieve these values from that function using the tap mechanism?

Could you send me the code you have already and I'll take a look at it. You can extract the parameters you want via a tap, perhaps from the SMTP dissector or the IMF dissector as Abhik has suggested.

Steve

___
Wireshark-dev mailing list
Wireshark-dev@wireshark.org
https://wireshark.org/mailman/listinfo/wireshark-dev
Re: [Wireshark-dev] SMTP: Extracting parametrs
Hello Abhik,

I am not using any SVN version. I downloaded the tarball source code of Wireshark and built it under Linux (Ubuntu 6.06). When I build Wireshark (using the make command), it displays the following at the end:

    Version configuration file version.conf not found. Using defaults.
    This is not a SVN build.

Yes, I see Subject, Date, From and To when I follow the TCP stream after the DATA command.

Thank you in advance.
With Best Regards,

On Mon, Jun 16, 2008 at 6:20 AM, Abhik Sarkar [EMAIL PROTECTED] wrote:
> Hi Goitom,
>
> Have you tried the latest development version... I noticed some differences in the behaviour of the IMF dissector between the stable version 1.0.0 and the SVN version. Also, when you follow TCP stream, do you see the subject, date etc. immediately after the DATA command?
>
> Regards,
> Abhik.
>
> On Sat, Jun 14, 2008 at 11:45 AM, goitom kahsay [EMAIL PROTECTED] wrote:
>> Dear Abhik,
>>
>> I really appreciate your help. I am using Wireshark version 1.0.0. I checked Preferences -> Protocols -> SMTP: both "Reassemble SMTP command and response lines spanning multiple TCP segments" and "Reassemble SMTP DATA commands spanning multiple TCP segments" are enabled. Both View -> Colorize Packet List and View -> Coloring Rules are also enabled.
>>
>> If I open the sample-imf.pcap, I see IMF layer data in frame 69, and I also opened other sample files. But I do not see IMF on some of the sample files. I also checked these files using the following commands.
>>
>> 1. $ tshark -r smtp.pcap -e imf.from -e imf.to -e imf.subject -T fields
>>    But I could not see any of the parameters.
>> 2. $ tshark -V -r smtp.pcap | egrep 'Subject:|From:|To:|Date:'
>>    The parameters were displayed.
>> 3. Using Follow TCP Stream, the parameters were displayed.
>>
>> What do you think is the reason for not displaying IMF on all the sample files? Or do you think the sample files may have a problem?
>>
>> Thank you in advance,
>> With Best Regards,
>>
>> On Thu, Jun 12, 2008 at 10:12 AM, Abhik Sarkar [EMAIL PROTECTED] wrote:
>>> Dear Goitom,
>>>
>>> My understanding is that SMTP (http://www.ietf.org/rfc/rfc2821.txt) is only the envelope and the fields you are looking for are in IMF (http://www.ietf.org/rfc/rfc2822.txt). Also see http://wiki.wireshark.org/IMF. So, in general, if I am looking for these fields in particular, I would expect to find them in the message and not on the envelope :-) If I am mistaken, I am sure someone will correct me.
>>>
>>> Regards,
>>> Abhik.
>>>
>>> On Thu, Jun 12, 2008 at 11:04 AM, goitom kahsay [EMAIL PROTECTED] wrote:
>>>> Dear Abhik,
>>>>
>>>> Thank you very much for your help. But do you think an IMF packet always exists in all SMTP conversations? Because I need to extract these parameters from all SMTP email communications.
>>>>
>>>> Thank you in advance.
>>>> With best regards,
>>>>
>>>> On Wed, Jun 11, 2008 at 11:19 PM, Abhik Sarkar [EMAIL PROTECTED] wrote:
>>>>> Hi Goitom,
>>>>>
>>>>> I am not sure if you still have two requirements as you had earlier (one for extraction of the from, to, subject and date fields and one for display of these in a separate dialog), but as I have suggested before, I think you are better off using the IMF dissector instead of the SMTP dissector. The IMF dissector supports extraction of all these fields already. So, if you want to set up the tap, I think you are better off tapping IMF. I think the best place would be in the while(!last_field) loop in the dissect_imf function of epan/packet-imf.c. Just compare the value of key against from, to, subject and date (after the key has been converted to lower case) and you are on your way!
>>>>>
>>>>> If you want to display the records in a dialog, you will probably want to base the dialog off the Expert Infos dialog (Analyze -> Expert Info). You can have columns for Frame number, From, To, Subject and Date. Or, as I have suggested before, you can use the custom columns feature (see the attached screenshot with a sample file from the WS wiki).
>>>>>
>>>>> Unless you have some very specific requirements, I think the above should work for you. I honestly hope this is of some help. Good luck!
>>>>>
>>>>> Abhik
>>>>>
>>>>> PS: While researching this, I came across a bug (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2595) in the SMTP dissector, so be sure to have your coloring rules turned on.
>>>>>
>>>>> On Tue, Jun 10, 2008 at 9:54 PM, goitom kahsay [EMAIL PROTECTED] wrote:
>>>>>> Dear Steve,
>>>>>>
>>>>>> Thank you very much for your help. Yes, I created gtk/export_object_smtp.c, gtk/export_object2.c, export_object2.h and packet-smtp.h similar to gtk/export_object_http.c, gtk/export_object.c, export_object.h and packet-http.h, and it displays some unreadable characters. But I doubt about retrieving the parameters from the packet-smtp.c (dissect_smtp_data) function which is
Re: [Wireshark-dev] SMTP: Extracting parametrs
Dear Abhik,

Thank you very much for your help. But do you think an IMF packet always exists in all SMTP conversations? Because I need to extract these parameters from all SMTP email communications.

Thank you in advance.
With best regards,

On Wed, Jun 11, 2008 at 11:19 PM, Abhik Sarkar [EMAIL PROTECTED] wrote:
> Hi Goitom,
>
> I am not sure if you still have two requirements as you had earlier (one for extraction of the from, to, subject and date fields and one for display of these in a separate dialog), but as I have suggested before, I think you are better off using the IMF dissector instead of the SMTP dissector. The IMF dissector supports extraction of all these fields already. So, if you want to set up the tap, I think you are better off tapping IMF. I think the best place would be in the while(!last_field) loop in the dissect_imf function of epan/packet-imf.c. Just compare the value of key against from, to, subject and date (after the key has been converted to lower case) and you are on your way!
>
> If you want to display the records in a dialog, you will probably want to base the dialog off the Expert Infos dialog (Analyze -> Expert Info). You can have columns for Frame number, From, To, Subject and Date. Or, as I have suggested before, you can use the custom columns feature (see the attached screenshot with a sample file from the WS wiki).
>
> Unless you have some very specific requirements, I think the above should work for you. I honestly hope this is of some help. Good luck!
>
> Abhik
>
> PS: While researching this, I came across a bug (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2595) in the SMTP dissector, so be sure to have your coloring rules turned on.
>
> On Tue, Jun 10, 2008 at 9:54 PM, goitom kahsay [EMAIL PROTECTED] wrote:
>> Dear Steve,
>>
>> Thank you very much for your help. Yes, I created gtk/export_object_smtp.c, gtk/export_object2.c, export_object2.h and packet-smtp.h similar to gtk/export_object_http.c, gtk/export_object.c, export_object.h and packet-http.h, and it displays some unreadable characters. But I doubt about retrieving the parameters from the packet-smtp.c (dissect_smtp_data) function which is used to display the data line by line to the protocol tree. Do you think it is possible to retrieve these values from that function using the tap mechanism?
>>
>> Thank you in advance.
>> With best regards,
>>
>> On Mon, Jun 9, 2008 at 9:10 PM, Stephen Fisher [EMAIL PROTECTED] wrote:
>>> On Fri, Jun 06, 2008 at 09:03:43PM +0300, goitom kahsay wrote:
>>>> I retrieved the parameters from the packet-smtp.c / dissect_smtp_data function which is used to display the data line by line at the protocol tree. I used a tap mechanism as follows. But the content of the parameter does not display on the GUI. Please, can you help me with any idea how to solve this problem?
>>>
>>> Did you also create a gtk/export_object_smtp.c similar to gtk/export_object_http.c and also add the new functions in export_object_smtp.c to the File -> Export -> Objects menu as SMTP?
>>>
>>> Steve

-- 
Benice2all
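As an added illustration of the advice given in this thread (it is not code from Wireshark or from anyone on the list), the script below parses a constructed client-to-server SMTP stream, records MAIL FROM / RCPT TO as the envelope (RFC 2821), and only when the session reaches DATA collects the From, To, Subject and Date fields from the IMF message (RFC 2822), matching header names case-insensitively the way Abhik describes for the dissect_imf loop. A transaction that never reaches DATA gets headers None, which answers the question of whether an IMF message exists in every SMTP conversation: the envelope is always present, the header fields only when a message was actually sent. The sample stream, function names and result layout are my own assumptions.

```python
"""Separate SMTP envelope data from IMF header fields in a client-side stream.

Added example, not Wireshark code. Assumptions: the input is the client->server
half of a session (what "Follow TCP Stream" shows for that direction), lines end
in CRLF, and a DATA payload ends with a line holding a single dot.
"""
import re

# Header names Abhik suggests comparing against after lower-casing the key.
WANTED_HEADERS = ("from", "to", "subject", "date")

# MAIL FROM:<addr> / RCPT TO:<addr>; trailing ESMTP parameters are ignored.
_ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>\s]*)>?", re.IGNORECASE)


def parse_message_headers(message_lines):
    """Collect the wanted IMF header fields from the lines of a DATA payload.

    Keys are compared case-insensitively; folded continuation lines (leading
    space or tab) are joined onto the previous field; the header section ends
    at the first empty line, so the body is never scanned for header-like text.
    """
    found = {}
    current_key = None
    for raw in message_lines:
        line = raw[1:] if raw.startswith("..") else raw  # undo SMTP dot-stuffing
        if line == "":
            break  # blank line terminates the header section
        if line[0] in " \t" and current_key:
            if current_key in found:  # continuation of a field we keep
                found[current_key] += " " + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore rather than guess
        current_key = key.strip().lower()
        if current_key in WANTED_HEADERS:
            found[current_key] = value.strip()
    return found


def parse_smtp_client_stream(stream):
    """Split a client->server SMTP stream into transactions.

    Each transaction holds the envelope (mail_from, rcpt_to) and, if DATA was
    reached, the wanted header fields; otherwise 'headers' stays None.
    """
    lines = stream.split("\r\n")
    transactions = []
    current = None
    i = 0
    while i < len(lines):
        line = lines[i]
        m = _ENVELOPE_RE.match(line)
        if m:
            if m.group(1).upper() == "MAIL FROM":
                current = {"mail_from": m.group(2), "rcpt_to": [], "headers": None}
                transactions.append(current)
            elif current is not None:
                current["rcpt_to"].append(m.group(2))
        elif line.upper() == "DATA" and current is not None:
            j = i + 1
            while j < len(lines) and lines[j] != ".":  # message ends at lone dot
                j += 1
            current["headers"] = parse_message_headers(lines[i + 1:j])
            i = j
        elif line.upper() == "RSET":
            current = None  # aborts the transaction in progress
        i += 1
    return transactions


# Constructed sample: one full transaction, then one that stops before DATA.
SAMPLE_STREAM = (
    "EHLO client.example\r\n"
    "MAIL FROM:<alice@example.org>\r\n"
    "RCPT TO:<bob@example.net>\r\n"
    "RCPT TO:<carol@example.net>\r\n"
    "DATA\r\n"
    "Date: Tue, 10 Jun 2008 10:54:43 -0700\r\n"
    "from: Alice <alice@example.org>\r\n"
    "To: Bob <bob@example.net>,\r\n"
    " Carol <carol@example.net>\r\n"
    "Subject: tap test\r\n"
    "X-Ignored: value\r\n"
    "\r\n"
    "..leading dot in body\r\n"
    "Body text.\r\n"
    ".\r\n"
    "MAIL FROM:<alice@example.org>\r\n"
    "RCPT TO:<dave@example.net>\r\n"
    "QUIT\r\n"
)

if __name__ == "__main__":
    for n, t in enumerate(parse_smtp_client_stream(SAMPLE_STREAM), 1):
        print(n, t["mail_from"], t["rcpt_to"], t["headers"])
```

The second transaction shows why a tap on the SMTP envelope alone cannot supply From/To/Subject/Date: nothing after RCPT TO was sent, so those fields do not exist anywhere in the session.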
Re: [Wireshark-dev] SMTP: Extracting parametrs
Dear Steve,

Thank you very much for your help. Yes, I created gtk/export_object_smtp.c, gtk/export_object2.c, export_object2.h and packet-smtp.h similar to gtk/export_object_http.c, gtk/export_object.c, export_object.h and packet-http.h, and it displays some unreadable characters. But I doubt about retrieving the parameters from the packet-smtp.c (dissect_smtp_data) function which is used to display the data line by line to the protocol tree. Do you think it is possible to retrieve these values from that function using the tap mechanism?

Thank you in advance.
With best regards,

On Mon, Jun 9, 2008 at 9:10 PM, Stephen Fisher [EMAIL PROTECTED] wrote:
> On Fri, Jun 06, 2008 at 09:03:43PM +0300, goitom kahsay wrote:
>> I retrieved the parameters from the packet-smtp.c / dissect_smtp_data function which is used to display the data line by line at the protocol tree. I used a tap mechanism as follows. But the content of the parameter does not display on the GUI. Please, can you help me with any idea how to solve this problem?
>
> Did you also create a gtk/export_object_smtp.c similar to gtk/export_object_http.c and also add the new functions in export_object_smtp.c to the File -> Export -> Objects menu as SMTP?
>
> Steve

-- 
Benice2all
Re: [Wireshark-dev] SMTP: Extracting parametrs
On Fri, Jun 06, 2008 at 09:03:43PM +0300, goitom kahsay wrote:

> I retrieved the parameters from the packet-smtp.c / dissect_smtp_data function which is used to display the data line by line at the protocol tree. I used a tap mechanism as follows. But the content of the parameter does not display on the GUI. Please, can you help me with any idea how to solve this problem?

Did you also create a gtk/export_object_smtp.c similar to gtk/export_object_http.c and also add the new functions in export_object_smtp.c to the File -> Export -> Objects menu as SMTP?

Steve
Re: [Wireshark-dev] SMTP: Extracting parametrs
Dear Steve,

I retrieved the parameters from the packet-smtp.c / dissect_smtp_data function which is used to display the data line by line at the protocol tree. I used a tap mechanism as follows.

1. tap.h
2. tap handler, so just add:

       static int smtp_eo_tap = -1;

3. Register the tap:

       smtp_eo_tap = register_tap("smtp_eo");

4. In the actual dissector for the SMTP protocol:

       if (have_tap_listener(smtp_eo_tap)) {
           /* per-packet record handed to the tap listener */
           e_info = ep_alloc(sizeof(smtp_eo_t));
           e_info->pkt_num  = pinfo->fd->num;
           e_info->sender   = (gchar *)temp;
           e_info->reciever = (gchar *)temp2;
           e_info->subject  = (gchar *)temp3;
           e_info->time     = (gchar *)temp4;
           tap_queue_packet(smtp_eo_tap, pinfo, e_info);
       }

5. Interfacing the application using 3 callbacks and two functions.

N.B.
1. temp contains a line of string which starts with FROM
2. temp2 To, and so on

But the content of the parameter does not display on the GUI. Please, can you help me with any idea how to solve this problem?

Thank you in advance.

On Thu, May 1, 2008 at 9:49 AM, Stephen Fisher [EMAIL PROTECTED] wrote:
> On Thu, May 01, 2008 at 09:27:06AM +0300, goitom kahsay wrote:
>> I want to display these values (the SMTP parameters such as FROM, TO, SUBJECT, DATE) in a *new dialog* under the Analyze menu. And the dialog displays these values from each SMTP packet displayed in the packet list pane.
>
> If the contents of the e-mails are gathered also, the best place to display this information is probably via the Export Object feature (File -> Export -> Object menu). The only object export implemented so far is HTTP. See gtk/export_object.c, gtk/export_object_http.c and a small piece in epan/dissectors/packet-http.c for how this is implemented. Hint: it uses the tap mechanism to pass the information from the dissector to the export object dialog.
>
> Steve

-- 
Benice2all
Re: [Wireshark-dev] SMTP: Extracting parametrs
Hi Steve,

Thank you very much for your help. I read all you recommended to me and it is very important. It is also the best place to display these values in the Export Object feature. *But I have difficulty gathering the contents of an e-mail. So can you help me with any idea on how to gather these values (FROM, TO, SUBJECT, DATE) from the packet-smtp.c dissector.* Any idea is most appreciated.

Thank you in advance.
With best regards.

On Thu, May 1, 2008 at 9:49 AM, Stephen Fisher [EMAIL PROTECTED] wrote:
> On Thu, May 01, 2008 at 09:27:06AM +0300, goitom kahsay wrote:
>> I want to display these values (the SMTP parameters such as FROM, TO, SUBJECT, DATE) in a *new dialog* under the Analyze menu. And the dialog displays these values from each SMTP packet displayed in the packet list pane.
>
> If the contents of the e-mails are gathered also, the best place to display this information is probably via the Export Object feature (File -> Export -> Object menu). The only object export implemented so far is HTTP. See gtk/export_object.c, gtk/export_object_http.c and a small piece in epan/dissectors/packet-http.c for how this is implemented. Hint: it uses the tap mechanism to pass the information from the dissector to the export object dialog.
>
> Steve

-- 
Benice2all
Re: [Wireshark-dev] SMTP: Extracting parametrs
Perhaps you could explore the use of the custom columns feature that was recently introduced. This is not exactly what you are looking for but might work out better than a dialog since it is non-obtrusive. You will want to experiment with the following fields:

    imf.from
    imf.to
    imf.subject
    imf.date

You can check out how to set up custom columns in this video: http://ie.youtube.com/watch?v=XpUNXDkfkQg

Hope this helps.
Abhik.

2008/5/10 goitom kahsay [EMAIL PROTECTED]:
> Hello,
>
> How can I extract these values (From, To, Subject and Date) from the SMTP packets displayed in the packet list pane into a new dialog? Any idea!
>
> Thank you in advance
>
> On Thu, May 1, 2008 at 1:37 AM, Stig Bjørlykke [EMAIL PROTECTED] wrote:
>> On 30. april. 2008, at 09.44, goitom kahsay wrote:
>>> How can I extract the SMTP parameters such as FROM, TO, SUBJECT, DATE and ... from SMTP packets?
>>
>> Hi.
>>
>> I don't know where you want the output, but the SMTP dissector is using the IMF dissector, so it's possible to use tshark to print the values like this:
>>
>>     $ tshark -r smtp_data.pcap -e imf.from -e imf.to -e imf.subject -T fields
>>
>> Or you could simply dump all fields and do a grep, like this:
>>
>>     $ tshark -V -r smtp_data.pcap | egrep 'Subject:|From:|To:|Date:'
>>
>> -- 
>> Stig Bjørlykke
Re: [Wireshark-dev] SMTP: Extracting parametrs
Hello,

How can I extract these values (From, To, Subject and Date) from the SMTP packets displayed in the packet list pane into a new dialog? Any idea!

Thank you in advance

On Thu, May 1, 2008 at 1:37 AM, Stig Bjørlykke [EMAIL PROTECTED] wrote:
> On 30. april. 2008, at 09.44, goitom kahsay wrote:
>> How can I extract the SMTP parameters such as FROM, TO, SUBJECT, DATE and ... from SMTP packets?
>
> Hi.
>
> I don't know where you want the output, but the SMTP dissector is using the IMF dissector, so it's possible to use tshark to print the values like this:
>
>     $ tshark -r smtp_data.pcap -e imf.from -e imf.to -e imf.subject -T fields
>
> Or you could simply dump all fields and do a grep, like this:
>
>     $ tshark -V -r smtp_data.pcap | egrep 'Subject:|From:|To:|Date:'
>
> -- 
> Stig Bjørlykke

-- 
Benice2all
Re: [Wireshark-dev] SMTP: Extracting parametrs
Hi Stig Bjørlykke,

I want to display these values (the SMTP parameters such as FROM, TO, SUBJECT, DATE) in a *new dialog* under the Analyze menu. And the dialog displays these values from each SMTP packet displayed in the packet list pane.

Thanks a lot for your help.
With best regards.

On Thu, May 1, 2008 at 1:37 AM, Stig Bjørlykke [EMAIL PROTECTED] wrote:
> On 30. april. 2008, at 09.44, goitom kahsay wrote:
>> How can I extract the SMTP parameters such as FROM, TO, SUBJECT, DATE and ... from SMTP packets?
>
> Hi.
>
> I don't know where you want the output, but the SMTP dissector is using the IMF dissector, so it's possible to use tshark to print the values like this:
>
>     $ tshark -r smtp_data.pcap -e imf.from -e imf.to -e imf.subject -T fields
>
> Or you could simply dump all fields and do a grep, like this:
>
>     $ tshark -V -r smtp_data.pcap | egrep 'Subject:|From:|To:|Date:'
>
> -- 
> Stig Bjørlykke

-- 
Benice2all
Re: [Wireshark-dev] SMTP: Extracting parametrs
On Thu, May 01, 2008 at 09:27:06AM +0300, goitom kahsay wrote:

> I want to display these values (the SMTP parameters such as FROM, TO, SUBJECT, DATE) in a *new dialog* under the Analyze menu. And the dialog displays these values from each SMTP packet displayed in the packet list pane.

If the contents of the e-mails are gathered also, the best place to display this information is probably via the Export Object feature (File -> Export -> Object menu). The only object export implemented so far is HTTP. See gtk/export_object.c, gtk/export_object_http.c and a small piece in epan/dissectors/packet-http.c for how this is implemented. Hint: it uses the tap mechanism to pass the information from the dissector to the export object dialog.

Steve
[Wireshark-dev] SMTP: Extracting parametrs
Hi folks,

How can I extract the SMTP parameters such as FROM, TO, SUBJECT, DATE and ... from SMTP packets? Any idea is most welcomed.

Thx

-- 
Benice2all
Re: [Wireshark-dev] SMTP: Extracting parametrs
Hi,

Adding a tap to the SMTP dissector would be an option.

Thanx,
Jaap

goitom kahsay wrote:
> Hi folks,
>
> How can I extract the SMTP parameters such as FROM, TO, SUBJECT, DATE and ... from SMTP packets? Any idea is most welcomed.
>
> Thx
>
> -- 
> Benice2all
Re: [Wireshark-dev] SMTP: Extracting parametrs
On 30. april. 2008, at 09.44, goitom kahsay wrote:

> How can I extract the SMTP parameters such as FROM, TO, SUBJECT, DATE and ... from SMTP packets?

Hi.

I don't know where you want the output, but the SMTP dissector is using the IMF dissector, so it's possible to use tshark to print the values like this:

    $ tshark -r smtp_data.pcap -e imf.from -e imf.to -e imf.subject -T fields

Or you could simply dump all fields and do a grep, like this:

    $ tshark -V -r smtp_data.pcap | egrep 'Subject:|From:|To:|Date:'

-- 
Stig Bjørlykke