"I wrote smtpcat which will loop through a pcap file and identify all of the smtp conversations in it. Smtpcat dive deep into the payload and identifies the sender, receiver, date, subject, and optionally the AuthSMTP decoded password. The tool also has the ability to dump the payload of any smtp message as an eml file that can be further opened via outlook express for example. "
This tool definitly would make my life easier when pasrsing through network captures for email messages and its contents. Im happy i did things using a more manual procedure, just goes to show that i understood what i was doing.
# perl smtpcat -r pcap_file -p // '-r' reads the pcap and '-p' tells smtpcat to decode the smtp password
 192.168.1.159:1036 -> 18.104.22.168:587
 email@example.com -> firstname.lastname@example.org Sat, 10 Oct 2009 07:35:30 -0600
 SUBJ: lunch next week
 192.168.1.159:1038 -> 22.214.171.124:587
 email@example.com -> firstname.lastname@example.org Sat, 10 Oct 2009 07:38:10 -0600
 SUBJ: rendezvous
The above shows two email conversations being sent. Smtpcat identifies the sender and recipient as well as the smtp password.
# perl smtpcat -r pcap_file -p -d 2 -w message.eml // '-d 2' dumps the content of the smtp message from index 2 (index 2 was identified with the first command output above). '-w' writes the contents of the smtp message to a file
You can then open the message.eml file in outlook express to get the email body and possible attachments.
For more commands type: # perl smtpcat -h