IMF

Internet Message Format (imf)

The Internet Message Format is format in which text messages are transferred over the Internet. Where SMTP is equivalent to the message envelope, IMF is equivalent to the letter within the envelope. It contains the originator, recipients, subject and dates. Whilst IMF only handles text messages, it can be augmented with MIME_multipart to support multi-media messages.

History

The Internet Message Format has been developed in parallel with the Simple Message Transfer Protocol SMTP. Indeed IMF messages are often actually referred to as "SMTP Messages". IMF was originally published RFC 822 in 1982 as "Standards for the Format of ARPA Internet Text Messages", which in turn had been developed from earlier RFCs beginning with RFC 561 "Standardizing Network Mail Headers".

In 2001, a new RFC was published, RFC 2822, updating it to reflect current practice and incorporating incremental changes that were specified in other RFCs.

Additional IMF fields have been defined by other RFCs, including RFC 2156 which defines a mapping between X.400 message fields and IMF heading fields.

The Multipurpose Internet Mail Extensions (MIME) series of RFCS further enhanced the specification of the format of the body of the message to support complex structures and binary attachments.

Protocol dependencies

Example traffic

XXX - Add example decoded traffic for this protocol here (as plain text or Wireshark screenshot).

Wireshark

The IMF dissector is fully functional though there are some IMF heading fields that may be in common use that have not yet been specifically detected. They will appear as unknown extensions.

Preference Settings

In order to successfully dissect an IMF message, the message must be reconstructed from the fragments that are transferred over SMTP. Therefore the SMTP Preference setting "Reassemble SMTP DATA commands spanning multiple TCP segments" must be enabled.

Example capture file

An example IMF capture is included in the following capture file. The IMF message dissection is in frame 69 (or use the filter described below).

You will need to "Decode As" port 587 as SMTP, as the capture was not done on the standard port 25.

Display Filter

A complete list of IMF display filter fields can be found in the display filter reference

Show only the IMF based traffic:

 imf

Capture Filter

You cannot directly filter IMF protocols while capturing. However, if you know the TCP port used by the SMTP protocol, you can filter on that one.

Capture only the IMF traffic carried over SMTP on the default port (25):

 tcp port 25 

External links

Discussion


Imported from https://wiki.wireshark.org/IMF on 2020-08-11 23:15:06 UTC