Wireshark-users: Re: [Wireshark-users] How do I identify SSL secured FTP session?
From: David Alanis <canito@xxxxxxxx>
Date: Sat, 12 Feb 2011 15:43:34 -0600
Quoting David Alanis <canito@xxxxxxxx>:

Quoting Shai Ben-Naphtali <shai@xxxxxxxxxx>:

Hello,

I'm not looking to decrypt it, I just want to make sure that my FTP session
to the remote server, is really encrypted... and so I wanted to use
Wireshark to try and identify that the traffic going in/out of my NIC is
encrypted.

How can I do that?

---
Shai


Good Day Shai-

I find myself looking at many Wireshark captures trying to identify
connectivity issues that are over SSL.

Since I am not looking to decrypt the capture, but rather to make sure the
handshake is made and that application data is being passed, I make a
display filter for either the client IP or destination IP or hostname.

Once I identify the traffic, I right-click and select Follow SSL Stream,
which will display all the packets for the selected event/connection.

http://wiki.wireshark.org/SSL

If you download and open the example of the link above, you can see a
complete SSL connection which is what you will also want to look for in
your capture.

The way you will be able to determine is by making sure the source and
destination IPs are those that your FTP client is using to connect to
the remote location.

Sake Blok has a beautiful :) PowerPoint presentation that I think
you should read, which details how you can use Wireshark to read SSL
communication. It can be obtained at this link.

http://www.lovemytool.com/blog/2009/06/sake_blok_11.html

Cheers-

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

I forgot the most important part of your question. Once you have the Wireshark capture, if you simply apply the view filter 'ftp' and it displays your entire connection, then you know your FTP session is not encrypted, hence ftp displays communication over port 21 and maybe 20?

I didn't see FTP listed under preferences > protocols.

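The check described in this thread (a TLS handshake followed by application data, versus readable FTP commands on port 21) can also be done mechanically on the control-channel payloads. The following is an added example, not part of the original messages; it goes slightly beyond the thread by also recognising the `AUTH TLS` / `234` upgrade defined in RFC 4217, and its function names and sample payloads are constructed for illustration.

```python
import re

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
# One FTP command line ("USER x") or one reply line ("220 text" / "220-text")
FTP_LINE = re.compile(rb"^(?:[A-Za-z]{3,4}(?: [^\r\n]*)?|\d{3}[ -][^\r\n]*)\r\n")

def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a plausible 5-byte TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= 2**14 + 2048)

def classify_control_channel(segments):
    """segments: (direction, payload) pairs in capture order, 'c' = client, 's' = server.
    Returns (verdict, client commands that crossed the wire in cleartext)."""
    plain_cmds = []
    auth_sent = auth_ok = tls_seen = False
    for direction, payload in segments:
        if is_tls_record(payload):
            tls_seen = True
            continue
        if not FTP_LINE.match(payload):
            continue  # neither readable FTP nor a TLS record: no evidence either way
        if direction == "c":
            word = payload.split(None, 1)[0].upper()
            plain_cmds.append(word.decode())
            auth_sent = auth_sent or word == b"AUTH"
        elif payload[:3] == b"234" and auth_sent:
            auth_ok = True  # server accepted the upgrade request
    creds_in_clear = any(c in ("USER", "PASS") for c in plain_cmds)
    if creds_in_clear or (plain_cmds and not tls_seen):
        return "plaintext", plain_cmds
    if tls_seen and auth_ok:
        return "explicit-tls", plain_cmds
    if tls_seen and not plain_cmds:
        return "implicit-tls", plain_cmds
    return "unknown", plain_cmds

# Constructed sample payloads (not taken from a real capture)
HELLO = [("c", b"\x16\x03\x01\x00\x05hello"), ("s", b"\x16\x03\x03\x00\x04abcd")]
EXPLICIT = [("s", b"220 FTP ready\r\n"), ("c", b"AUTH TLS\r\n"),
            ("s", b"234 Proceed with negotiation\r\n")] + HELLO
PLAIN = [("s", b"220 FTP ready\r\n"), ("c", b"USER demo\r\n"),
         ("s", b"331 Password required\r\n"), ("c", b"PASS constructed-secret\r\n")]
```

A "plaintext" verdict corresponds to the case in the reply above where the 'ftp' display filter shows the entire session.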