Some more Mail Captures

Email is still the most common communication protocol on the Internet. And since I was missing some variants of the related protocols, IMAP, POP3, and SMTP in the Ultimate PCAP, I did some captures. ✅ Here are a few details.

While there were already basic IMAP and SMTP sessions in the Ultimate PCAP, I was missing all those different kinds of cryptographically secure variants, that is, those STARTTLS (opportunistic/explicit TLS on common port) respectively implicit TLS (specific port) ones. I used the mail client Mozilla Thunderbird version 102.15.1 with different settings. All sessions took place with the standard Internet protocol IPv6. I always refreshed the inbox once without and a second time with a new mail in the inbox, while I sent two emails for the SMTP captures.

As always, you can find those packets in the Ultimate PCAP. Analyze it by yourself! 👍🏻 Note that the display filters within Wireshark (like “imap” or “pop”) only work for the clear text and STARTTLS variants, while the implicit TLS sessions completely mask the embedded protocol. At these points, you have to go over the TCP ports or the IP addresses of the involved hosts. Here’s a table listing the default ports for all of these protocols.


“The Internet Message Access Protocol (IMAP) is an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection”, Wikipedia. You should all know the protocol. The well-known TCP port for the plain text and STARTTLS variants is 143. Watch out for the STARTTLS message within the

While the implicit TLS variant uses TCP port 993. “imap” as a display filter is useless unless you’re decrypting your TLS connection within Wireshark. ;)


“The Post Office Protocol (POP) is an application-layer Internet standard protocol used by e-mail clients to retrieve e-mail from a mail server”, Wikipedia. While POP3 is the de facto default, the display filter in Wireshark is simply “pop”. Same as with IMAP: using a display filter with the destination port is more useful than the name of the application layer protocol.

Implicit TLS takes place on port 995. The second screenshot shows an unencrypted POP3 session just to prove again that it’s a good idea to encrypt your communication. ;)


Finally, the Simple Mail Transfer Protocol (SMTP) sends out emails from a client (mail user agent, MUA) to a mail submission agent (MSA). This “mail submission” is done on TCP port 587 for plain text and STARTTLS (rather than on port 25 which is used for MTA -> MTA traffic):

SMTP submission with implicit TLS on TCP port 465:

That’s it. ;)

Soli Deo Gloria!

Photo by sue hughes on Unsplash.

Leave a Reply

Your email address will not be published. Required fields are marked *