This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Strange information in packets

0

I have Wireshark running on a Thinkpad T42 laptop which is connected to a web server on an embedded device on a LAN. The laptop is connected to the server via web browser (Firefox).

In the "Info" column in Wireshark, I'm seeing many packets that contain strange names such as:

  • radio-sm
  • orbplus-iiop
  • picknfs

Here's just a snippet of the Wireshark session - notice, in the info column, these strange names:

"10.10.6.240","10.10.6.106","TCP","54","radio-sm > http [ACK] Seq=355 Ack=2 Win=65534 Len=0"

"10.10.6.240","10.10.6.107","TCP","62","orbplus-iiop > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1"

"10.10.6.106","TCP","54","picknfs > http [ACK] Seq=355 Ack=691 Win=64846 Len=0"

"10.10.6.107","TCP","62","simbaservices > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1"

"10.10.6.240","10.10.6.107","TCP","54","aas > http [ACK] Seq=354 Ack=331 Win=65206 Len=0"

What are these names referring to? And why do they appear in the stream?

For whatever it's worth, when I run Wireshark from a different computer, these strange names do not appear in the streams.

asked 12 Jan '13, 09:28

KTM
accept rate: 100%


2 Answers:

2

Those are the TCP ports in use. You have transport name resolution turned on, so Wireshark is displaying port names instead of port numbers. For example, in your first frame "radio-sm > http" means the source port is 1596 (radio-sm) and the destination port is 80 (http). This is probably traffic to a web server that's listening on port 80, so "http" is meaningful. However, 1596 is the ephemeral port that was chosen dynamically by the client for this session. It's not actually radio-sm traffic.

To turn off transport name resolution and see port numbers instead of names, select View > Name Resolution, and uncheck "Enable for Transport Layer."

The port number-to-name mappings are found in the services file, which is in the Wireshark program directory.

answered 12 Jan '13, 11:13

Jim Aragon
accept rate: 24%
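
An added example, not part of the original answers: a Python sketch that reverses transport name resolution on an exported Info string and marks which side is the listening service, so an ephemeral client port is not mistaken for a registered application. It assumes an /etc/services-style file layout; `SERVICES_EXCERPT`, `load_services` and `unresolve` are hypothetical names, and the two Info strings are taken from the question.

```python
import re

# Constructed excerpt in services-file format. radio-sm=1596 and http=80 are
# the values given in the answer; the other entries are IANA registrations.
SERVICES_EXCERPT = """\
http            80/tcp    www www-http   # World Wide Web HTTP
radio-sm        1596/tcp
orbplus-iiop    1597/tcp
picknfs         1598/tcp
simbaservices   1599/tcp
aas             1601/tcp
"""

def load_services(text, proto="tcp"):
    """Map each service name and alias to its port number for one protocol."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, *protos = fields[1].split("/")   # accepts 80/tcp and 80/tcp/udp
        if proto in protos and port.isdigit():  # skips ranges like 6000-6063
            for name in [fields[0]] + fields[2:]:
                names.setdefault(name, int(port))
    return names

INFO_RE = re.compile(r"^(\S+) > (\S+) (\[.*)$")

def unresolve(info, names, well_known_max=1023):
    """Return (info with port numbers, side that is the real service) or None.
    Heuristic (assumption): a port <= well_known_max is the listening service;
    a name on the other side only labels the client's ephemeral port."""
    m = INFO_RE.match(info)
    if not m:
        return None
    ports = [int(t) if t.isdigit() else names.get(t) for t in m.group(1, 2)]
    if None in ports:
        return None
    sport, dport = ports
    if dport <= well_known_max < sport:
        side = "dst"
    elif sport <= well_known_max < dport:
        side = "src"
    else:
        side = "unknown"
    return f"{sport} > {dport} {m.group(3)}", side

if __name__ == "__main__":
    names = load_services(SERVICES_EXCERPT)
    for info in ("radio-sm > http [ACK] Seq=355 Ack=2 Win=65534 Len=0",
                 "orbplus-iiop > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1"):
        print(unresolve(info, names))
```

A result of "unknown" means neither port is in the well-known range, so the name shown in the capture says nothing about which application is actually talking.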

1

That's just the 'random' source ports of the TCP connections, which Wireshark tries to resolve to names.

See: %ProgramFiles%\Wireshark\services

You can ignore it or change the behavior of Wireshark:

Edit -> Preferences -> Name Resolution -> Enable transport name resolution

Regards
Kurt

answered 12 Jan '13, 11:05

Kurt Knochner ♦
accept rate: 15%

edited 12 Jan '13, 11:09