Transport-Neutral Encapsulation Format (TNEF)

The Transport-Neutral Encapsulation Format is a Microsoft-specific format for carrying additional message information that does not map to standard messaging protocols. For example, this may include Rich Text Formatting, meeting request details and additional attachment information (e.g. location in text). However, TNEF can also encapsulate all of the message's other attachments, so you may attach several documents, but if you look at the resulting message you will see only a single attachment, winmail.dat.


TNEF has been in use since Microsoft Mail 3.x for transporting extra information in TNEF attributes. Since then, Microsoft has moved to MAPI properties, and some of the original TNEF attributes now have a direct mapping to a MAPI property. However, to maintain backwards compatibility, TNEF still uses attributes and provides a specific TNEF attribute into which all the MAPI properties can be placed.
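The attribute stream described above can be walked outside Wireshark to see which files a winmail.dat attachment is carrying. The following is an added example, not code from the Wireshark dissector: the field layout and attribute IDs follow Microsoft's published TNEF specification (MS-OXTNEF), and the sample stream is constructed and simplified (two attachments, title and data attributes only).

```python
import struct

TNEF_SIGNATURE = 0x223E9F78          # first four bytes of every TNEF stream
ATTACH_TITLE, ATTACH_DATA, MAPI_PROPS = 0x00018010, 0x0006800F, 0x00069003
NAMES = {0x00089006: "attTnefVersion", 0x00078008: "attMessageClass",
         MAPI_PROPS: "attMsgProps (MAPI property container)",
         ATTACH_TITLE: "attAttachTitle", ATTACH_DATA: "attAttachData"}

def checksum(data):
    return sum(data) & 0xFFFF   # TNEF checksum: 16-bit sum of the data bytes

def parse_tnef(buf):
    """Return (key, attributes); raise ValueError on a malformed stream."""
    if len(buf) < 6 or struct.unpack_from("<I", buf)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    key, off, attrs = struct.unpack_from("<H", buf, 4)[0], 6, []
    while off < len(buf):
        if off + 9 > len(buf):
            raise ValueError("truncated attribute header at offset %d" % off)
        # Each attribute: level (1 byte), ID (4), length (4), data, checksum (2)
        level, attr_id, length = struct.unpack_from("<BII", buf, off)
        end = off + 9 + length
        if end + 2 > len(buf):      # declared length runs past the buffer
            raise ValueError("attribute 0x%08x overruns the stream" % attr_id)
        data = buf[off + 9:end]
        stored = struct.unpack_from("<H", buf, end)[0]
        attrs.append({"level": level, "id": attr_id, "data": data,
                      "name": NAMES.get(attr_id, "unknown"),
                      "checksum_ok": stored == checksum(data)})
        off = end + 2
    return key, attrs

def attachment_names(attrs):
    """File names hidden inside winmail.dat (attachment-level titles)."""
    return [a["data"].rstrip(b"\x00").decode("cp1252", "replace")
            for a in attrs if a["level"] == 2 and a["id"] == ATTACH_TITLE]

def build_attr(level, attr_id, data):
    """Helper used only to construct the sample stream below."""
    head = struct.pack("<BII", level, attr_id, len(data))
    return head + data + struct.pack("<H", checksum(data))

# Constructed sample: message-level attributes plus two attachments.
SAMPLE = struct.pack("<IH", TNEF_SIGNATURE, 0x0001)
SAMPLE += build_attr(1, 0x00089006, struct.pack("<I", 0x00010000))
SAMPLE += build_attr(1, 0x00078008, b"IPM.Microsoft Mail.Note\x00")
for title, body in ((b"report.doc\x00", b"AAAA"), (b"notes.txt\x00", b"BBBB")):
    SAMPLE += build_attr(2, ATTACH_TITLE, title) + build_attr(2, ATTACH_DATA, body)

if __name__ == "__main__":
    print(attachment_names(parse_tnef(SAMPLE)[1]))
```

Attributes with an ID missing from the table are still returned with the name "unknown", so a stream using attributes this sketch does not name can still be walked and checksummed.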

Protocol dependencies

Example traffic

XXX - Add example decoded traffic for this protocol here (as plain text or Wireshark screenshot).


The TNEF dissector is partially functional, as example captures for some of the TNEF attributes cannot be found. However, the dissector should be able to handle all TNEF attributes, though it may not be able to dissect them any further.

Preference Settings

There are no preference settings for the TNEF protocol.

Example capture file

This sample capture file contains a TNEF attachment with two attachments:

You will need to "Decode As" port 587 as SMTP, as the capture was not done on the standard port 25.

In order to capture TNEF, you should make sure that the recipient's "Internet format" is "Send using Outlook Rich Text Format" and that the message "Format" (menu) is "Rich Text".

Display Filter

A complete list of TNEF display filter fields can be found in the display filter reference.

Show only the TNEF-based traffic:


Capture Filter

You cannot directly filter TNEF protocols while capturing. TNEF is generally carried over an SMTP or X411 message transport, so if you know the TCP port being used, you can filter on that one.

Capture the SMTP traffic on the default port (25), which includes any TNEF it carries:

 tcp port 25 

External links


Imported from on 2020-08-11 23:26:43 UTC