Wireshark-users: Re: [Wireshark-users] How do I identify SSL secured FTP session?

From: David Alanis <canito@xxxxxxxx>
Date: Sat, 12 Feb 2011 15:29:32 -0600
Quoting Shai Ben-Naphtali <shai@xxxxxxxxxx>:

Hello,

I'm not looking to decrypt it, I just want to make sure that my FTP session
to the remote server, is really encrypted... and so I wanted to use
Wireshark to try and identify that the traffic going in/out of my NIC is
encrypted.

How I can I do that?

---
Shai


Good Day Shai-

I find myself looking at many wireshak captures trying to identify connectivity issues that are over SSL.

Since I am not looking to decrypt the capture, but rather make sure the handshake is made and that application data is being passed. I make a display filter for either the client IP or destination IP or hostname.

Once I identify the traffic, I right click and select follow SSL stream which will display all the packets for the selected event/connection.

http://wiki.wireshark.org/SSL

If you download and open the example of the link above, you can see a complete SSL connection which is what you will also want to look for in your capture.

The way you will be able to determine is by making sure the source and destination IPs are those that your FTP client is using to connect to the remote location.

Sake Blok - has a beautiful :) Power Point presentation that I think you should read which details how you can use Wireshark to read SSL communication. It can be obtained at this link.

http://www.lovemytool.com/blog/2009/06/sake_blok_11.html

Cheers-

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.