First... Hi all.

a bit of a question google cant seem to give me the answer to:

I have been very much getting into the use of network traffic capture of late, e.g. wireshark and my tool of choice DataEcho.

Mainly regarding email, all but the senders name seems to be encrypted or encoded. Is there anyway to make the data sent understandable?

Cheers if anyone can help.

)

Thanks for your response,

I will have a look into some of the programs you have name checked thanks.

The system in particular I was experimenting with was Microsoft Exchange Server based so wasn't sure if it used something a little different to normal SMTP traffic.

But now I know the base I should be well away with a bit of a play.

Thanks again

Interesting Ill have a look,

For now I have super quick knocked up my own BASE64 encode/decode application in C#. I had a look on the web but didn't come up with any that had a user interface that made life as easy as it needed to be for my needs.

Ill have to wait until the morning to give it a spin on the work network so ill report back if it did the trick with a link to my application, simple as it is, in case it is of use to anyone.

With regards to wireshark and BASE64, google seems to indicate that it does not currently do conversion... or at least it is on the wireshark wiki wishlist.

No luck at the moment, it seems the data that comes out its not base64 or at least not all of it. There is allot of squares? and question marks in the text. Ill keep at it and see what comes of it.

Give this a shot: SNEAK

Yeah, MAPI can be tough to parse, although Wireshark has a built in parser for MAPI.     SMTP does encode, just think attachments.  They are MIME encoded most often.   Some servers/clients will also encode email addresses and subjects, and sometimes the entire message.   I spent a good deal of time writing various parsers for email and have seen an enormous amount of variation in interpretation of standards.   

It sounds like you could be looking at MAPI traffic.   It doesn't like RPC over HTTPS, because everything should be encrypted.   If you don't mind, post a small capture file of something non-sensitive (like SPAM).   Maybe we can help you figure it out.   Which version of Exchange is it?