How to tune Network Monitor to detect Exchange 2010 and beyond

Article ID: 162598

Products

Data Loss Prevention Network Monitor

Issue/Introduction

After migrating to Exchange 2010 or later, Network Monitor no longer detects emails consistently, or does not detect them at all.

Environment

DLP Network Monitor, any supported version

Cause

Exchange 2010 made "bursting" the default transmission option. "Bursting" refers to sending multiple emails over a single connection or stream. Network Monitor's default settings do not capture a TCP stream of that size in full, so the settings must be changed to allow the entire stream to be captured. Once the entire stream is captured, Network Monitor can dissect it and extract all the expected email and attachment data.

Resolution

There are two aspects that need modification: Function and Performance.

1.  The change for function, which allows Network Monitor to capture the entire stream, is to set FileReader.MaxFileSize under the advanced server settings to the same size as or larger than the SMTP stream size. The math goes like this:

Number of emails per connection * max attachment size = max stream size

In the case of the default emails per connection (20) and a max attachment size of 20 MB the max stream size would be 400 MB:

20 * 20 = 400

If FileReader cannot pick up the entire stream, the extra data is truncated. Truncated data is dropped and therefore never scanned.

2.  The change for performance is optional but highly recommended. Given that Network Monitor will be working with streams larger than the default settings are designed for, we need to modify how it processes this data. The following two settings are located under the Content Processing section of the protocol settings. They can be modified globally by going to System --> Settings --> Protocols and selecting the SMTP protocol, or locally on a given server by going to System --> Servers --> Overview, selecting the server, going to Configure, and selecting the SMTP protocol (make sure to use custom settings when changing locally).

The settings to change are Maximum Stream Size and Maximum Stream Packets.

  • Maximum Stream Size should be the same as or larger than your FileReader.MaxFileSize setting.
  • If the expected stream size is larger than 150 MB, Maximum Stream Packets should be set to 100000 (the hardcoded maximum).

The purpose of these settings is to increase processing speed. They do not affect the quality of the data, only the speed at which it is processed. Both settings control whether a data stream is processed in memory (very fast) or "spooled" to the hard drive (slower). Even with these settings set appropriately, some streams may still be spooled to disk. This is not a problem; it just means that a particular stream takes longer to process.

The default buffer settings should be sufficient unless there are jumbo packets on your network. Jumbo packets can be detected by running a packet capture on the Network Monitor server's monitoring interface.

Additional Information

For additional information about tuning Network Monitor for jumbo packets, see the KB article "Network Monitor SMTP incidents are garbled" (broadcom.com).