
Extracting Email Addresses from TCP Streams

Submitted by on December 5, 2017 – 7:06 pm

Here’s a quick example of using tshark to extract email addresses from TCP streams. Suppose some application on your server is sending email and you want to find out who is receiving it.

You can find more useful tshark filters here. The script captures on the system’s default-route NIC for duration seconds (10 by default) into a temporary pcap, lists every TCP stream index tshark assigned in that capture, follows each stream as ASCII and greps the reassembled payload for anything shaped like an email address. Reading the streams back from the file, rather than running a second live capture per stream, is what makes the stream numbers meaningful: tcp.stream indices are assigned per capture session, so an index collected in one live capture does not refer to the same connection in a later one. Set nic by hand to capture on another interface, raise duration if the application sends mail infrequently, and add a capture filter such as -f 'tcp port 25 or tcp port 587' to keep the pcap small on a busy host. Following the streams in parallel with xargs is another possible improvement.

Two caveats. Capturing needs root or dumpcap capture privileges. And this only works for plaintext SMTP: once a client issues STARTTLS (or connects to SMTPS on port 465) the envelope and headers travel inside TLS and the followed stream shows only ciphertext, so an empty result is not proof that no mail was sent. The regex is also deliberately loose; it picks up the MAIL FROM and From: addresses and anything address-shaped in message bodies, not only recipients, so filter for RCPT TO lines if you want the envelope recipients alone.

duration=10 # seconds of traffic to capture
nic=$(ip route show default | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") {print $(i+1); exit}}')
pcap=$(mktemp)
# Capture once to a file; tcp.stream indices only mean something within a single capture.
tshark -n -i "${nic}" -a "duration:${duration}" -w "${pcap}" 2>/dev/null
for stream in $(tshark -n -r "${pcap}" -Y tcp -T fields -e tcp.stream 2>/dev/null | sort -un); do
    echo "Processing stream ${stream}" >&2
    tshark -n -r "${pcap}" -q -z "follow,tcp,ascii,${stream}" 2>/dev/null
done | grep -Po '(?i)\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,}\b' | sort -u
rm -f "${pcap}"
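As an added example (not code from the original post), here is the address-extraction stage of that pipeline run over a constructed transcript in the format tshark prints for follow,tcp,ascii: once for a plaintext SMTP submission and once for a session that upgraded with STARTTLS. The hostnames, IP addresses, mailboxes and session text are invented for this example, and extract_all_addresses and extract_recipients are helper names chosen here; the second one shows how to narrow the loose regex to the envelope recipients only.

```shell
#!/bin/sh
# Added example (not from the original post): run the address-extraction
# stage of the pipeline over a constructed "tshark -z follow,tcp,ascii,N"
# transcript. Hosts, addresses and the session text are invented here.
# Real tshark output indents the server's lines with a tab; the sample
# leaves that out, which does not affect the matching below.

# Constructed sample 1: a plaintext SMTP submission.
SMTP_PLAIN='Follow: tcp,ascii
Filter: tcp.stream eq 3
Node 0: 192.0.2.10:41822
Node 1: 198.51.100.25:25
220 mail.example.test ESMTP
EHLO app.example.test
250-mail.example.test
250 OK
MAIL FROM:<alerts@app.example.test>
250 2.1.0 Ok
RCPT TO:<Ops-Team@example.test>
250 2.1.5 Ok
RCPT TO:<oncall@pager.example.org>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: "App Alerts" <alerts@app.example.test>
To: ops-team@example.test
Cc: audit@example.test
Subject: disk usage

/var is 91% full, contact sysadmin@example.test
.
250 2.0.0 Ok: queued as 1A2B3C
QUIT
221 2.0.0 Bye'

# Constructed sample 2: the same client after upgrading with STARTTLS.
# Everything after the "220 Ready" reply is TLS, which tshark renders as dots.
SMTP_TLS='Follow: tcp,ascii
Filter: tcp.stream eq 4
Node 0: 192.0.2.10:41830
Node 1: 198.51.100.25:587
220 mail.example.test ESMTP
EHLO app.example.test
250-mail.example.test
250-STARTTLS
250 OK
STARTTLS
220 2.0.0 Ready to start TLS
.......3.K...w.?.....q..........Z..'

# Every address-shaped token in a transcript, case-folded and de-duplicated.
# This is the article's regex with the TLD length cap relaxed; it catches the
# sender, the recipients, header addresses and addresses in the body alike.
extract_all_addresses() {
    printf '%s\n' "$1" \
        | grep -oiE '[A-Z0-9._%+-]+@([A-Z0-9-]+\.)+[A-Z]{2,}' \
        | tr '[:upper:]' '[:lower:]' | sort -u
}

# Envelope recipients only: the RCPT TO commands the client actually sent.
# These are who the MTA delivers to, whatever the To:/Cc: headers claim.
# Client lines start in column 0 in tshark's follow output, so ^ is safe.
extract_recipients() {
    printf '%s\n' "$1" \
        | grep -iE '^RCPT TO:' \
        | grep -oiE '[A-Z0-9._%+-]+@([A-Z0-9-]+\.)+[A-Z]{2,}' \
        | tr '[:upper:]' '[:lower:]' | sort -u
}

echo '== all addresses, plaintext session =='
extract_all_addresses "$SMTP_PLAIN"
echo '== envelope recipients, plaintext session =='
extract_recipients "$SMTP_PLAIN"
echo '== envelope recipients, STARTTLS session (nothing is visible) =='
extract_recipients "$SMTP_TLS"
```

On the plaintext transcript the loose regex returns five addresses (sender, two recipients, a Cc and one from the message body), while extract_recipients returns only the two RCPT TO mailboxes. On the STARTTLS transcript both return nothing, which is the empty result the caveat above warns about.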

