This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Protocol port change or port adding in wireshark

0

In our product for LDAP we use 16110 as port along with the default 389. So every time I need to use the "Decode As" option. Is there any way to automatically decode the packets on this port?

I see one option in Edit --> Preferences --> Protocol --> LDAP; here I think I can change the port number, but is there anywhere I can add ports like 389,16110?

Please clarify

asked 12 Sep '12, 10:15

Santhosh Mohan

edited 14 Sep '12, 19:42

cmaynard ♦♦

I think the SERVICES file should do it, no? It's in your Wireshark folder.

(12 Sep '12, 11:34) hansangb

Hansang, I doubt the services file will help. AFAIK it is used to do service name resolution, not for telling the dissectors on which port something is running. But I might be wrong :-)

(12 Sep '12, 12:13) Jasper ♦♦

3 Answers:

3

With version 1.8.x you can now save "Decode As..." definitions so that you don't have to re-enter them every time you start Wireshark.

Once you have added one or more "Decode As..." definitions, go to "Analyze -> User Defined Decodes..." and choose "Save". This will save these "Decode As..." definitions in your current configuration profile. So you can even have a different set of custom port mappings for different setups by defining multiple configuration profiles.

answered 14 Sep '12, 23:52

SYN-bit ♦♦

0

I don't think you can add more than one port number here (which is different from what you can do at the HTTP dissector preferences). At least I have found no way to enter multiple ports.

You might want to open a feature request at the bug tracker at http://bugs.wireshark.org, but it will probably take some time for someone to be willing to take care of it.

The only other thing that comes to mind (and it is kinda thinking outside the box) is to use a packet anonymization tool like bittwiste or tcprewrite to change the port numbers in the trace file. It's an extra step, but you could automate it with a script.

answered 12 Sep '12, 12:17

Jasper ♦♦

Oh, I got you. You're right, of course. Two different things.

(12 Sep '12, 13:40) hansangb

Thanks a lot Jasper and hansangb. I will open a feature request in the bug tracker.

(12 Sep '12, 21:54) Santhosh Mohan

0

You should be able to accomplish this with Lua. I believe the very first example provided on the Lua example page is essentially what you'd need to do. Probably even easier/simpler/better is the example given under DissectorTable in the Lua API documentation.

answered 14 Sep '12, 19:34

cmaynard ♦♦

edited 14 Sep '12, 19:41
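
The Lua approach suggested in the answer above, as an added example that is not part of the original thread: it hands extra TCP ports to the built-in LDAP dissector through the `tcp.port` dissector table. The file name, `EXTRA_LDAP_PORTS` and `register_ldap_ports` are hypothetical names chosen for illustration; 16110 is the port from the question.

```lua
-- ldap_extra_ports.lua (hypothetical file name; added example)
-- Extra TCP ports that should be decoded as LDAP in addition to 389.
-- 16110 is the port from the question; append further ports as needed.
local EXTRA_LDAP_PORTS = { 16110 }

-- Registers each valid port with the built-in LDAP dissector.
-- Returns the number of ports that were registered.
local function register_ldap_ports(ports)
    -- pcall guards against builds where a failed lookup raises an error
    -- instead of returning nil.
    local ok_d, ldap = pcall(Dissector.get, "ldap")
    local ok_t, tcp_table = pcall(DissectorTable.get, "tcp.port")
    if not (ok_d and ldap and ok_t and tcp_table) then
        report_failure("ldap_extra_ports: LDAP dissector or tcp.port table not available")
        return 0
    end

    local added = 0
    for _, port in ipairs(ports) do
        local valid = type(port) == "number"
            and port == math.floor(port)
            and port >= 1 and port <= 65535
        if valid then
            -- Same effect as a manual "Decode As... LDAP" on this TCP port.
            tcp_table:add(port, ldap)
            added = added + 1
        else
            report_failure("ldap_extra_ports: ignoring invalid port " .. tostring(port))
        end
    end
    return added
end

register_ldap_ports(EXTRA_LDAP_PORTS)
```

Load the script with `-X lua_script:ldap_extra_ports.lua` or place it in the personal plugins directory so it runs at startup.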