Wireshark-users: Re: [Wireshark-users] How do I identify SSL secured FTP session?
From: David Alanis <[email protected]>
Date: Sat, 12 Feb 2011 15:43:34 -0600
Quoting David Alanis <[email protected]>:

Quoting Shai Ben-Naphtali <[email protected]>:

Hello,

I'm not looking to decrypt it, I just want to make sure that my FTP session
to the remote server, is really encrypted... and so I wanted to use
Wireshark to try and identify that the traffic going in/out of my NIC is
encrypted.

How can I do that?

---
Shai

Good Day Shai-

I find myself looking at many Wireshark captures trying to identify
connectivity issues that are over SSL.

Since I am not looking to decrypt the capture, but rather make sure the
handshake is made and that application data is being passed, I make a
display filter for either the client IP or destination IP or hostname.

Once I identify the traffic, I right click and select follow SSL stream
which will display all the packets for the selected event/connection.

http://wiki.wireshark.org/SSL

If you download and open the example of the link above, you can see a
complete SSL connection which is what you will also want to look for in
your capture.

The way you will be able to determine is by making sure the source and
destination IPs are those that your FTP client is using to connect to
the remote location.

Sake Blok has a beautiful :) PowerPoint presentation that I think
you should read which details how you can use Wireshark to read SSL
communication. It can be obtained at this link.

http://www.lovemytool.com/blog/2009/06/sake_blok_11.html

Cheers-

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

I forgot the most important part of your question. Once you have the
Wireshark capture, if you simply apply the view filter 'ftp' and it
displays your entire connection, then you know your FTP session is not
encrypted, hence ftp displays communication over port 21 and maybe 20?
I didn't see FTP listed under preferences > protocols.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
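
The check discussed in this thread (cleartext FTP lines versus an SSL/TLS handshake followed by application data), as an added example that is not part of the original messages. It assumes the TCP payloads of the FTP control connection have already been extracted from the capture; the function names and sample payloads are hypothetical and constructed, and the `AUTH` command used for the explicit-TLS case comes from RFC 4217, not from the thread.

```python
import re

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_TYPES = {20, 21, 22, 23}
# A cleartext FTP command ("USER x") or reply ("220 text" / "220-text") line
FTP_LINE = re.compile(rb"^(?:[A-Za-z]{3,4}(?: [^\r\n]*)?|\d{3}[ -][^\r\n]*)\r\n")

def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a plausible SSL 3.0/TLS record header."""
    if len(payload) < 5:
        return False
    length = int.from_bytes(payload[3:5], "big")
    return (payload[0] in TLS_TYPES and payload[1] == 3 and payload[2] <= 4
            and 0 < length <= 2**14 + 2048)

def classify_control_channel(segments):
    """segments: list of (sender, tcp_payload), sender is "C" or "S".
    Returns (verdict, cleartext client commands seen)."""
    cleartext, saw_tls = [], False
    for sender, payload in segments:
        if is_tls_record(payload):
            saw_tls = True
        elif sender == "C" and FTP_LINE.match(payload):
            cleartext.append(payload.split(None, 1)[0].upper().decode())
    if not saw_tls:
        verdict = "plaintext"               # the 'ftp' filter shows everything
    elif {"USER", "PASS"} & set(cleartext):
        verdict = "credentials-before-tls"  # login went out before the handshake
    elif cleartext:
        verdict = "explicit-tls"            # cleartext AUTH, then TLS records
    else:
        verdict = "implicit-tls"            # TLS from the first client byte
    return verdict, cleartext

# Constructed sample payloads (not taken from a real capture)
CLIENT_HELLO = b"\x16\x03\x01\x00\x2f" + b"\x01" + bytes(46)
SERVER_HELLO = b"\x16\x03\x03\x00\x2a" + b"\x02" + bytes(41)
APP_DATA = b"\x17\x03\x03\x00\x20" + bytes(32)

PLAIN = [("S", b"220 ready\r\n"), ("C", b"USER alice\r\n"),
         ("S", b"331 need password\r\n"), ("C", b"PASS secret\r\n")]
EXPLICIT = [("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"),
            ("S", b"234 proceed\r\n"), ("C", CLIENT_HELLO),
            ("S", SERVER_HELLO), ("C", APP_DATA)]
IMPLICIT = [("C", CLIENT_HELLO), ("S", SERVER_HELLO), ("C", APP_DATA)]

if __name__ == "__main__":
    for name, s in (("plain", PLAIN), ("explicit", EXPLICIT), ("implicit", IMPLICIT)):
        print(name, classify_control_channel(s))
```

This covers the control connection only; each data connection the client opens needs the same check on its own payloads.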