
I am capturing some traffic from a host using wireshark. How do I know if the traffic is encrypted by analyzing the packets?



JimmyMcnulty
asked 2019-07-31 09:06:45 +0000, updated 2019-08-01 03:11:09 +0000

Comments

Easiest one, if you want to separate your traffic conversations: HTTP will be mainly on tcp port 80 (or 8080 as an alternative, http-proxy), and HTTPS on tcp port 443. Display filters: tcp.port==443 for HTTPS and tcp.port==80 for plain HTTP. For HTTPS traffic (after the handshake) you should see the bytes corresponding to the TLS encryption. Check this site for example for details on TLS, or elsewhere.

xinxolHH (2019-07-31 09:59:54 +0000)

1 Answer


If it is HTTP then the TCP payload from the server will start with "HTTP". The data to the server will mostly start with "GET" or "POST".

If it is HTTPS you will see a TLS header.

HTTP display filter:

    tcp.payload[0:4]=="HTTP" or tcp.payload[0:3]=="GET" or tcp.payload[0:4]=="POST"

TLS (HTTPS) display filter:

    1703:00<tcp.payload[0:3]<1703:05

Hope this answer helps.
Regards Matthias

mrEEde
answered 2019-07-31 21:14:21 +0000

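Added example (not from the question, xinxolHH's comment, or mrEEde's answer): the same two checks the comment and the answer describe, applied offline in Python to raw TCP payload bytes rather than as Wireshark display filters. It goes a bit beyond the answer's filter, which only matches TLS application-data records (content type 0x17): it also recognises handshake, alert and change_cipher_spec records by validating the full 5-byte record header, and falls back to a byte-entropy heuristic for payloads that are neither readable HTTP nor TLS. Every payload below is constructed for the demo; nothing here is captured traffic.

```python
"""Classify TCP payloads as plaintext HTTP, TLS, or opaque.

Added example for this thread, not code from the question or the answer.
Checks the first bytes of a TCP payload the way the answer's display
filters do, then validates the TLS record header and finally falls back
to a byte-entropy heuristic. All sample payloads are constructed.
"""
import math
from collections import Counter

# Plaintext HTTP: requests start with a method token, responses with "HTTP/".
HTTP_REQUEST_TOKENS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                       b"OPTIONS ", b"CONNECT ", b"PATCH ")
HTTP_RESPONSE_TOKEN = b"HTTP/"

# TLS record layer header: ContentType(1) ProtocolVersion(2) Length(2).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
TLS_MAX_RECORD = 2**14 + 2048  # 16 KiB plaintext plus allowed expansion


def is_plaintext_http(payload: bytes) -> bool:
    """True if the payload begins with an HTTP request or response token."""
    return payload.startswith(HTTP_RESPONSE_TOKEN) or payload.startswith(HTTP_REQUEST_TOKENS)


def parse_tls_record_header(payload: bytes):
    """Return the decoded TLS record header, or None if the bytes do not fit one."""
    if len(payload) < 5:
        return None
    ctype = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    length = int.from_bytes(payload[3:5], "big")
    if ctype not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS:
        return None
    if length == 0 or length > TLS_MAX_RECORD:
        return None
    return {"content_type": TLS_CONTENT_TYPES[ctype],
            "version": TLS_VERSIONS[version], "length": length}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(payload: bytes) -> str:
    """Label a TCP payload by inspecting its content, not its port."""
    if is_plaintext_http(payload):
        return "http-plaintext"
    header = parse_tls_record_header(payload)
    if header is not None:
        return "tls-" + header["content_type"]
    # Heuristic only: compressed data also scores high, so this means
    # "not recognisably plaintext", not "proven encrypted".
    if len(payload) >= 64 and shannon_entropy(payload) > 7.0:
        return "opaque-high-entropy"
    return "unknown"


# Constructed sample payloads (not captured traffic).
SAMPLE_HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
# Start of a TLS ClientHello: handshake record, legacy version TLS 1.0, length 200.
SAMPLE_TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)
# TLS 1.2 application-data record carrying 64 bytes of ciphertext (filler here).
SAMPLE_TLS_APP_DATA = b"\x17\x03\x03\x00\x40" + bytes(range(64))
# Opaque blob with no recognisable header: every byte value once (entropy 8.0).
SAMPLE_OPAQUE = bytes(range(256))
SAMPLE_SHORT = b"hello world"


def classify_samples() -> dict:
    """Classify each constructed sample; returns {name: label}."""
    return {
        "http_request": classify(SAMPLE_HTTP_REQUEST),
        "http_response": classify(SAMPLE_HTTP_RESPONSE),
        "tls_client_hello": classify(SAMPLE_TLS_CLIENT_HELLO),
        "tls_app_data": classify(SAMPLE_TLS_APP_DATA),
        "opaque": classify(SAMPLE_OPAQUE),
        "short": classify(SAMPLE_SHORT),
    }


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:18} {label}")
```

Classifying on content rather than port matters because TLS on a non-standard port, or plaintext on 443, is exactly what a port filter such as tcp.port==443 would mislabel. The entropy fallback is a heuristic: gzip-compressed HTTP bodies, images and already-encrypted files all score high, so treat "opaque-high-entropy" as "not recognisably plaintext" and confirm encryption by finding a valid record header or a recognised protocol handshake.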
