0

I am capturing some traffic from a host using wireshark. How do I know if the traffic is encrypted by analyzing the packets?

http

asked 2019-07-31 09:06:45 +0000

JimmyMcnulty
1 ●1 ●2

updated 2019-08-01 03:11:09 +0000

I am capturing some traffic from a host using wireshark. How do I know if the traffic is encrypted by analyzing the packets?

edit retag flag offensive close merge delete

Comments

Easiest one, if want to separate your trafic converstations, HTTP will be mainly on tcp port 80 (or 8080 as alternative, http-proxy) , and HTTPS on tcp port 443. Display filters: tcp.port==443 for HTTPS and tcp.port==80 for plain HTTP. For HTTPS traffic (after the handshake) you should see the bytes corresponding for the TLS encryption. Check this site for example for details on TLS, or elsewhere.

xinxolHH ( 2019-07-31 09:59:54 +0000 )edit

1 Answer

Sort by » oldest newest most voted

0

answered 2019-07-31 21:14:21 +0000

mrEEde
4033 ●16 ●48 ●77

If it is HTTP then the TCP payload from the server will start with "HTTP"
The data to the server will mostly start with "GET" or "POST"

If it is HTTPS you will see a TLS header
HTTP display filter

tcp.payload[0:4]=="HTTP" or tcp.payload[0:3]=="GET" or tcp.payload[0:4]=="POST"

TLS (HTTPS) display filter

1703:00<tcp.payload[0:3]<1703:05

Hope this answer helps .. .
Regards Matthias

edit flag offensive delete link

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Question Tools

Stats

Asked: 2019-07-31 09:06:45 +0000

Seen: 1,079 times

Last updated: Aug 01 '19

Related questions