Microsoft Exchange New Mail Notification (NEWMAIL)
Microsoft Exchange e-mail servers use a protocol that Wireshark refers to as "NEWMAIL" to notify clients (such as Microsoft Outlook) that their mailbox has received a new e-mail message. The port is dynamically chosen by the client when logging in to the e-mail server and is transmitted in a MAPI Register Push Notification (mapi.opnum == 4) packet.
- UDP: NEWMAIL uses UDP as its transport protocol. The port is dynamically chosen by each client at start time. This port can be hard coded on the client system by changing the registry (see external links at the bottom of this page for details).
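Because the notification port is negotiated per client rather than fixed, NEWMAIL datagrams cannot be recognised by port number alone; an analyst has to remember which port each client announced in its Register Push Notification call and match later UDP traffic against that. The following is an added example, not code from Wireshark or the page, showing that stateful correlation over constructed decoder records; the record layout and field names (`proto`, `opnum`, `notify_port`, `dport`) are assumptions standing in for whatever your decoder exports.

```python
# Added example: correlate dynamically announced NEWMAIL ports with later UDP traffic.
# Records are constructed here to mimic decoder output; field names are assumptions.
REGISTER_PUSH_NOTIFICATION = 4  # mapi.opnum == 4, the call carrying the client port


class NewmailCorrelator:
    def __init__(self, server_ip):
        self.server_ip = server_ip
        # (client_ip, udp_port) pairs learned from Register Push Notification calls
        self.registered = set()

    def observe_mapi(self, client_ip, opnum, notify_port):
        # Only the Register Push Notification call announces a notification port.
        if opnum == REGISTER_PUSH_NOTIFICATION and notify_port is not None:
            self.registered.add((client_ip, notify_port))

    def classify_udp(self, src_ip, dst_ip, dst_port):
        # NEWMAIL flows from the Exchange server to the port the client registered.
        if src_ip == self.server_ip and (dst_ip, dst_port) in self.registered:
            return "NEWMAIL"
        return "unknown"


def classify_trace(records, server_ip):
    """Walk decoder records in capture order and label each UDP datagram."""
    corr = NewmailCorrelator(server_ip)
    labels = []
    for r in records:
        if r["proto"] == "mapi":
            corr.observe_mapi(r["src"], r["opnum"], r.get("notify_port"))
        elif r["proto"] == "udp":
            labels.append(corr.classify_udp(r["src"], r["dst"], r["dport"]))
    return labels


# Constructed sample: client 10.0.0.5 registers port 50123 with server 10.0.0.1.
SAMPLE_RECORDS = [
    {"proto": "udp", "src": "10.0.0.1", "dst": "10.0.0.5", "dport": 50123},  # before registration
    {"proto": "mapi", "src": "10.0.0.5", "opnum": 4, "notify_port": 50123},
    {"proto": "udp", "src": "10.0.0.1", "dst": "10.0.0.5", "dport": 50123},  # NEWMAIL
    {"proto": "udp", "src": "10.0.0.1", "dst": "10.0.0.5", "dport": 50124},  # wrong port
    {"proto": "udp", "src": "10.0.0.9", "dst": "10.0.0.5", "dport": 50123},  # not the server
]

if __name__ == "__main__":
    print(classify_trace(SAMPLE_RECORDS, "10.0.0.1"))
```

The first datagram stays "unknown" because it precedes the registration, which is the ordering an analyst must respect when the capture does not start at client login.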
XXX - Add example decoded traffic for this protocol here (as plain text or Wireshark screenshot).
The NEWMAIL dissector is partially functional. The notification payload in the packets is displayed, but there is no public documentation that explains what the data stands for.
Example capture file
XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short; it is also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.
Microsoft KB #264035 (http://support.microsoft.com/kb/264035/) - Explains how to modify the registry to use a static notification port