TCP port 21 is used by the File Transfer Protocol (FTP), which is an unencrypted protocol. To detect if unencrypted file transfers are taking place, you can apply the Wireshark display filter:
tcp.port == 21
This will show all traffic to and from FTP servers. Since FTP transmits usernames, passwords, and data in clear text, its use would violate the company’s policy.
CEH v13 states:
“FTP (Port 21) is a cleartext protocol vulnerable to sniffing. To enforce secure communication, companies often transition to SFTP (over SSH, port 22) or FTPS (FTP over TLS/SSL).”
Incorrect Options:
B. Port 23 is used for Telnet, not FTP.
C. Combining FTP (21) and SSH/SFTP (22) would include encrypted traffic, which is not what you're trying to isolate.
D. tcp.port != 21 filters out FTP traffic, which is the opposite of the intended goal.
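The same selection applied in code, as an added example that is not part of the original explanation or the CEH material: it applies the equivalent of tcp.port == 21 to packet records, which excludes the port 22 and port 23 records, and reports which FTP control sessions sent a cleartext login. The packet records, addresses and function names are constructed for illustration. The AUTH TLS branch reflects that explicit FTPS also starts on port 21 before upgrading to TLS.

```python
import re

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, tcp_payload).
PACKETS = [
    ("10.0.0.5", 50312, "10.0.0.20", 21, b"USER alice\r\n"),
    ("10.0.0.20", 21, "10.0.0.5", 50312, b"331 Password required\r\n"),
    ("10.0.0.5", 50312, "10.0.0.20", 21, b"PASS example-secret\r\n"),
    ("10.0.0.7", 50400, "10.0.0.20", 21, b"AUTH TLS\r\n"),
    ("10.0.0.20", 21, "10.0.0.7", 50400, b"234 Proceed with negotiation\r\n"),
    ("10.0.0.7", 50400, "10.0.0.20", 21, b"\x16\x03\x01\x02\x00\x01"),
    ("10.0.0.9", 50555, "10.0.0.30", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.9", 50600, "10.0.0.40", 23, b"login: "),
]

FTP_PORT = 21
CLEARTEXT = "cleartext login (policy violation)"
UPGRADED = "upgraded to TLS (explicit FTPS)"
CMD = re.compile(rb"^(USER|PASS|AUTH)\b", re.I)

def matches_filter(pkt):
    """Equivalent of the display filter tcp.port == 21 (either direction)."""
    return pkt[1] == FTP_PORT or pkt[3] == FTP_PORT

def audit(packets):
    """Return {(client, server): finding} for each FTP control session."""
    findings = {}
    for src, sport, dst, dport, payload in filter(matches_filter, packets):
        if dport != FTP_PORT:
            continue  # server replies carry no client credentials
        key = (f"{src}:{sport}", f"{dst}:{dport}")
        m = CMD.match(payload)
        if not m:
            findings.setdefault(key, "no login command seen")
        elif m.group(1).upper() == b"AUTH":
            findings[key] = UPGRADED
        elif findings.get(key) != UPGRADED:
            # Record the exposure without echoing the credential itself.
            findings[key] = CLEARTEXT
    return findings

if __name__ == "__main__":
    for (client, server), finding in audit(PACKETS).items():
        print(f"{client} -> {server}: {finding}")
```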
Reference – CEH v13 Guide:
Module 01: Introduction to Ethical Hacking
Subsection: Sniffing and Cleartext Protocols
Wireshark iLab: Identifying FTP Traffic