Wireshark, is significance in network analysis the following is a common list of Protocols in and the filters to view them

FTP (File Transfer Protocol)

• Port Number: 21 (Control), 20 or others (Data).
• Wireshark Filter: Use ftp or tcp.port == 21 as filters.
• Analysis: Identifying FTP traffic, understanding the TCP handshake, observing clear-text login credentials.
• Stream Following: Use ‘Follow TCP Stream’ for a consolidated view of FTP conversations.
• Security Note: FTP is often in clear text, making it less secure.

SSH (Secure Shell)

• Port Number: 22.
• Wireshark Filter: tcp.port == 22.
• Analysis: Identifying SSH traffic, understanding its encrypted characteristics.
• Security Note: SSH traffic is encrypted, offering robust security.

Telnet

• Port Number: 23.
• Wireshark Filter: tcp.port == 23.
• Analysis: Recognising Telnet sessions, observing clear-text data, understanding security implications.
• Security Note: Telnet is typically in clear text, which poses security risks.

SMTP (Simple Mail Transfer Protocol)

• Port Number: 25, 587 (Secure SMTP).
• Wireshark Filter: tcp.port == 25 or tcp.port == 587.
• Analysis: Differentiating between encrypted and unencrypted SMTP traffic.
• Security Note: SMTP can be either clear text or encrypted.

DNS (Domain Name System)

• Port Number: 53.
• Wireshark Filter: udp.port == 53.
• Analysis: Understanding DNS queries and responses, differentiating between TCP and UDP DNS traffic.
• Security Note: DNS queries can be intercepted, consider securing them.

DHCP (Dynamic Host Configuration Protocol)

• Port Numbers: 67 (Server), 68 (Client).
• Wireshark Filter: dhcp.
• Analysis: Observing the DHCP discovery and allocation process.
• Security Note: DHCP is not encrypted.

TFTP (Trivial File Transfer Protocol)

• Port Number: 69.
• Wireshark Filter: udp.port == 69.
• Analysis: Understanding TFTP’s simplicity and use cases.
• Security Note: TFTP is generally in clear text, making it less secure than FTP.

HTTP (Hypertext Transfer Protocol)

• Port Number: 80.
• Wireshark Filter: tcp.port == 80.
• Analysis: Identifying HTTP requests and responses, clear-text data visibility.
• Security Note: HTTP is not secure as data is transferred in clear text.

POP3 (Post Office Protocol version 3)

• Port Numbers: 110 (Non-secure), 995 (Secure).
• Wireshark Filter: tcp.port == 110 or tcp.port == 995.
• Analysis: Recognising email retrieval protocols, differences between secure and non-secure traffic.
• Security Note: Use port 995 for encrypted POP3 traffic.

IMAP (Internet Message Access Protocol)

• Port Numbers: 143 (Non-secure), 993 (Secure).
• Wireshark Filter: tcp.port == 143 or tcp.port == 993.
• Analysis: Comparing IMAP to POP3, understanding secure email retrieval.
• Security Note: Prefer port 993 for secure IMAP traffic.

NTP (Network Time Protocol)

• Port Number: 123.
• Wireshark Filter: udp.port == 123.
• Analysis: The role of NTP in network synchronisation.
• Security Note: NTP is usually not encrypted.

SNMP (Simple Network Management Protocol)

• Port Number: 161.
• Wireshark Filter: udp.port == 161.
• Analysis: SNMP’s role in network management, understanding GET and RESPONSE types.
• Security Note: SNMP can be susceptible to interception if not properly secured.

LDAP (Lightweight Directory Access Protocol)

• Port Number: 389.
• Wireshark Filter: tcp.port == 389.
• Analysis: LDAP’s role in authentication and directory services.
• Security Note: LDAP can be encrypted for enhanced security.

HTTPS (Hypertext Transfer Protocol Secure)

• Port Number: 443.
• Wireshark Filter: tcp.port == 443.
• Analysis: Identifying secure web traffic, TLS handshakes.
• Security Note: HTTPS encrypts data, offering better security than HTTP.

SMB (Server Message Block)

• Port Number: 445.
• Wireshark Filter: tcp.port == 445.
• Analysis: Understanding SMB’s role in file sharing in Windows environments.
• Security Note: SMB can be encrypted for secure file transfers.