Wireshark-users: Re: [Wireshark-users] How do I identify SSL secured FTP session?
From: Shai Ben-Naphtali <shai@xxxxxxxxxx>
Date: Sun, 13 Feb 2011 13:07:00 +0000
Thank you guys... this was not as easy for me as I thought (since I don't know much about it), but it was easier to just go to the server and disable FTPES, and then try to connect and see in Wireshark how everything is just plain out there... the entire session, the login, the username and password. This is NOT the case when SSL/TLS is enabled. So that lets me know that I'm actually using SSL/TLS and that the data is encrypted when I don't see that session in the Wireshark captures.

Thanks a whole bunch :)

---
Shai



On Sun, Feb 13, 2011 at 06:55, Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx> wrote:
On Sat, Feb 12, 2011 at 03:43:34PM -0600, David Alanis wrote:

> I forgot the most important part of your question. Once you have the
> Wireshark capture, if you simply apply the view filter 'ftp' and it
> displays your entire connection, then you know your FTP session is not
> encrypted, hence ftp displays communication over port 21 and maybe 20?
>
> I didn't see FTP listed under preferences > protocols.

The FTP dissector is hard-coded to handle two types of FTP traffic: FTP
commands on port 21 and FTPDATA on port 20.  You should be able to right
click on a packet and do "Decode as..." FTP also though.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
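
Added example (not part of the thread and not Wireshark code): a Python check that applies the thread's test to the reassembled payloads of one FTP control connection, reporting whether USER/PASS crossed the wire in cleartext or the session switched to TLS after `AUTH TLS` and a `234` reply. The stream format, sample payloads and verdict names are constructed for illustration.

```python
import re

# Constructed sample control-channel streams (not from a real capture).
# Each entry is (direction, payload): "C" = client, "S" = server.
PLAIN = [
    ("S", b"220 FTP ready\r\n"),
    ("C", b"USER alice\r\n"),
    ("S", b"331 Password required\r\n"),
    ("C", b"PASS example-password\r\n"),
    ("S", b"230 Logged in\r\n"),
]
FTPES = [
    ("S", b"220 FTP ready\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 Proceed with negotiation\r\n"),
    ("C", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # handshake record
    ("S", b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x00"),  # handshake record
    ("C", b"\x17\x03\x03\x00\x04\xde\xad\xbe\xef"),      # application data
]

def is_tls_record(data):
    """TLS record header: content type 20-23, major version 3, minor 0-4."""
    return len(data) >= 5 and 20 <= data[0] <= 23 and data[1] == 3 and data[2] <= 4

def classify(stream):
    """Return (verdict, exposed_commands) for one FTP control connection."""
    auth_sent = auth_ok = tls = False
    exposed = []
    for direction, data in stream:
        if is_tls_record(data):
            tls = True          # opaque from here on; nothing to parse
            continue
        for line in data.split(b"\r\n"):
            if direction == "C" and re.match(rb"(?i)AUTH (TLS|SSL)\b", line):
                auth_sent = True
            elif direction == "S" and auth_sent and line.startswith(b"234"):
                auth_ok = True
            elif direction == "C" and re.match(rb"(?i)(USER|PASS)\b", line):
                exposed.append(line.split()[0].decode().upper())
    if exposed:                 # credentials were readable, whatever came later
        return "cleartext-credentials", exposed
    if auth_ok and tls:
        return "explicit-tls", exposed
    if tls:                     # TLS from the first byte, no AUTH exchange seen
        return "implicit-tls", exposed
    return "cleartext-no-login", exposed
```

A server that refuses `AUTH TLS` and a client that then logs in anyway is reported as `cleartext-credentials`, which is the case the server-side toggle in the thread would not reveal on its own.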