Differences between revisions 5 and 6
Revision 5 as of 2008-04-12 17:51:33
Size: 2121
Editor: localhost
Comment: converted to 1.6 markup
Revision 6 as of 2020-06-11 14:54:24
Size: 2266
Editor: nathanr
Comment:
Line 33: Line 33:
XXX - Add a simple example capture file to the SampleCaptures page and link from here. Keep it short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically. [[https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=imap.cap|imap.cap]]
(libpcap) A short IMAP session using Mutt against an MSX server.

File: imap-ssl.pcapng (10 KB, from https://git.lekensteyn.nl/peter/wireshark-notes/commit/tls/imap-ssl.pcapng?id=1123e936365c89d43e9f210872778d81223af36d, SSL keys in capture file comments)
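Review bot: the imap-ssl.pcapng entry on the last line of this change gives its source as a bare URL to a git commit view, while the imap.cap entry above it uses [[...|imap.cap]] link markup; use the same link form for both so the two entries read consistently. The entry also says only "SSL keys in capture file comments", so a short hint on how a reader applies those keys to decrypt the capture would make it more useful.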

Internet Message Access Protocol (IMAP)

This protocol is widely used to manage e-mail on a mail server and to retrieve e-mail from it.

An alternative for receiving mail is the former POP protocol, which does not allow managing mail on the server.

Sending mail to a server - on the other hand - is done using SMTP.

History

The "former" POP protocol offers fewer features, but both the IMAP and POP protocols are still widely used today.

Protocol dependencies

  • TCP: Typically, IMAP uses TCP as its transport protocol. The well-known TCP port for IMAP traffic is 143.

  • IMAP uses MIME_multipart to transfer attachments.

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).
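
A constructed IMAP exchange as it would appear on TCP port 143, with a small classifier for the RFC 3501 line framing; this is an added example, not part of the original wiki page and not taken from imap.cap. The session, the names `classify` and `cleartext_logins`, and the simplification that no literals are in use are assumptions of the example.

```python
import re

# Constructed sample session (not from imap.cap): C = client, S = server.
SESSION = [
    ("S", "* OK IMAP4rev1 server ready"),
    ("C", "a001 CAPABILITY"),
    ("S", "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"),
    ("S", "a001 OK CAPABILITY completed"),
    ("C", 'a002 LOGIN alice "example-password"'),
    ("S", "a002 OK LOGIN completed"),
    ("C", "a003 SELECT INBOX"),
    ("S", "* 2 EXISTS"),
    ("S", "a003 OK [READ-WRITE] SELECT completed"),
    ("C", "a004 LOGOUT"),
    ("S", "* BYE logging out"),
    ("S", "a004 OK LOGOUT completed"),
]

STATUS = {"OK", "NO", "BAD"}
LINE = re.compile(r"^(\S+)(?: (\S+))?(?: (.*))?$")

def classify(direction, line):
    """Return (kind, tag, keyword) for one CRLF-stripped IMAP line."""
    m = LINE.match(line)
    if not m:
        return ("malformed", None, None)
    tag, word, _rest = m.groups()
    word = (word or "").upper()
    if direction == "C":            # assumption: no literal continuation data
        return ("command", tag, word)
    if tag == "*":                  # untagged server data or status
        return ("untagged", None, word)
    if tag == "+":                  # server asks the client to continue
        return ("continuation", None, None)
    return ("tagged-status" if word in STATUS else "malformed", tag, word)

def cleartext_logins(session):
    """Tags of LOGIN commands sent before the client issued STARTTLS."""
    tags, tls_requested = [], False
    for direction, line in session:
        kind, tag, word = classify(direction, line)
        if kind == "command" and word == "STARTTLS":
            tls_requested = True
        elif kind == "command" and word == "LOGIN" and not tls_requested:
            tags.append(tag)
    return tags

if __name__ == "__main__":
    print("cleartext LOGIN tags:", cleartext_logins(SESSION))
```

A LOGIN reported here is readable by anyone who can capture the stream, which is the same text the `imap` display filter shows for an unencrypted session.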

Wireshark

The IMAP dissector is fully functional (is this true?).

Preference Settings

There are no IMAP specific preference settings.

Example capture file

imap.cap (libpcap) A short IMAP session using Mutt against an MSX server.

File: imap-ssl.pcapng (10 KB, from https://git.lekensteyn.nl/peter/wireshark-notes/commit/tls/imap-ssl.pcapng?id=1123e936365c89d43e9f210872778d81223af36d, SSL keys in capture file comments)

Display Filter

A complete list of IMAP display filter fields can be found in the display filter reference.

  • Show only the IMAP based traffic:

     imap 

Capture Filter

You cannot directly filter IMAP protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.

  • RFC 2060 INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1 (obsolete)

  • RFC 3501 INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1

  • RFC 3502 Internet Message Access Protocol (IMAP) - MULTIAPPEND Extension

  • RFC 3503 Message Disposition Notification (MDN) profile for Internet Message Access Protocol (IMAP)

Discussion

IMAP (last edited 2020-06-11 14:54:24 by nathanr)