Is there a way to figure out Encrypted Communication?
Currently I am querying on "crypto exists" to pick encrypted traffic.
But I only see sessions on >service 443, 22, 25
However, if I see multiple >tcp.dstport values
Can you provide a brief intro into how service is populated?
If there is a communication src:45673 -> dst:13022 (SSH Traffic)
Does this traffic record crypto as "aes256-cbc" and service is 22?
Currently I am assuming service is just populating an alias for dstport for known services.
Please let me know if I am wrong.