Transport-Neutral Encapsulation Format (TNEF)
The Transport-Neutral Encapsulation Format is a Microsoft-specific format for carrying additional message information that does not map to standard messaging protocols. For example, this may include Rich Text Formatting, meeting request details and additional attachment information (e.g. location in text). However, TNEF can also encapsulate all of the message's other attachments, so you may attach several documents, but if you look at the resulting message you will only see a single attachment, winmail.dat.
TNEF has been in use since Microsoft Mail 3.x for transporting extra information in TNEF attributes. Since then, Microsoft has moved to MAPI properties, and some of the original TNEF attributes now have a direct mapping to a MAPI property. However, to maintain backwards compatibility, TNEF still uses attributes and provides a specific TNEF attribute into which all the MAPI properties can be placed.
MIME_multipart: TNEF is carried within MIME as a part with media type "application/ms-tnef", named "winmail.dat".
X420: TNEF may also be carried in an X420 message as a specific bodypart with OID "1.2.840.1135188.8.131.52".
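The MIME encapsulation described above means that attachment checks which only look at MIME part names see just winmail.dat. The following added example (not part of the original wiki page or of the Wireshark dissector) finds the application/ms-tnef part and walks its attribute stream to list the files inside. The signature value, attribute IDs and attribute layout (level, ID, length, data, 16-bit checksum) are taken from Microsoft's published TNEF format, not from this page, and the sample message is constructed.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

TNEF_SIGNATURE = 0x223E9F78  # first four bytes of a TNEF stream (little-endian)
NAMES = {0x00069003: "attMAPIProps", 0x00018010: "attAttachTitle",
         0x0006800F: "attAttachData", 0x00089006: "attTnefVersion"}

def parse_tnef(blob):
    """Return [(level, name, data, checksum_ok)]; level 1 = message, 2 = attachment."""
    if len(blob) < 6 or struct.unpack_from("<I", blob)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos, attrs = 6, []  # skip the signature (4 bytes) and the key (2 bytes)
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header")
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        end = pos + 9 + length
        if end + 2 > len(blob):  # never trust the declared length
            raise ValueError("attribute length runs past end of stream")
        data = blob[pos + 9:end]
        (checksum,) = struct.unpack_from("<H", blob, end)
        attrs.append((level, NAMES.get(attr_id, hex(attr_id)), data, checksum == sum(data) & 0xFFFF))
        pos = end + 2
    return attrs

def tnef_attachment_names(raw_message):
    """Names of the files encapsulated in any application/ms-tnef part of a MIME message."""
    names = []
    for part in message_from_bytes(raw_message).walk():
        if part.get_content_type() == "application/ms-tnef":
            for level, name, data, ok in parse_tnef(part.get_payload(decode=True)):
                if name == "attAttachTitle" and ok:
                    names.append(data.rstrip(b"\0").decode("ascii", "replace"))
    return names

def _attr(level, attr_id, data):  # hypothetical helper, only used to build the sample
    return struct.pack("<BII", level, attr_id, len(data)) + data + struct.pack("<H", sum(data) & 0xFFFF)

# Constructed sample: a TNEF stream carrying two files, attached as winmail.dat.
SAMPLE_TNEF = (struct.pack("<IH", TNEF_SIGNATURE, 1) + _attr(1, 0x00089006, struct.pack("<I", 0x10000))
               + _attr(2, 0x00018010, b"report.doc\0") + _attr(2, 0x0006800F, b"AAAA")
               + _attr(2, 0x00018010, b"notes.txt\0") + _attr(2, 0x0006800F, b"BBBB"))
_msg = EmailMessage()
_msg.set_content("body")
_msg.add_attachment(SAMPLE_TNEF, maintype="application", subtype="ms-tnef", filename="winmail.dat")
SAMPLE_MESSAGE = _msg.as_bytes()
if __name__ == "__main__":
    print(tnef_attachment_names(SAMPLE_MESSAGE))
```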
The TNEF dissector is partially functional, as example captures for some of the TNEF attributes cannot be found. However, the dissector should be able to handle all TNEF attributes, though it may not be able to dissect them any further.
There are no preference settings for the TNEF protocol.
Example capture file
This sample capture file contains a TNEF attachment with two attachments:
You will need to "Decode As" port 587 as SMTP, as the capture was not done on the standard port 25.
In order to capture TNEF, you should make sure that the recipient's "Internet format" is "Send using Outlook Rich Text Format" and that the message "Format" (menu) is "Rich Text".
A complete list of TNEF display filter fields can be found in the display filter reference.
Show only the TNEF based traffic:
You cannot directly filter TNEF protocols while capturing. TNEF is generally carried over an SMTP or X411 message transport, so if you know the TCP port being used, you can filter on that one.
Capture only the TNEF traffic being carried over the SMTP transport on the default port (25):
tcp port 25
- TNEF Transport-Neutral Encapsulation Format
Imported from https://wiki.wireshark.org/TNEF on 2020-08-11 23:26:43 UTC