This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How does the port resolution work

0

The section on port name resolution states that

Wireshark will ask the operating system to convert a TCP or UDP port to its well known name (e.g. 80 → http).

This is from the output of tshark -nr file.pcap

5 0.027049000 1.2.3.4 -> 5.6.7.8 TCP 66 33214 > 7777 [ACK] Seq=1 Ack=1 Win=251 Len=0 TSval=1736678907 TSecr=332227645

This from tshark -r file.pcap

5 0.027049000 1.2.3.4 -> 5.6.7.8 TCP 66 33214 > cbt [ACK] Seq=1 Ack=1 Win=251 Len=0 TSval=1736678907 TSecr=332227645

Port 7777 got mapped to the "cbt" protocol (in tshark). Neither the port nor the string "cbt" appear in /etc/services, so it seems there is some other source.

Could someone explain this?

asked 08 Apr '16, 05:08

user1234's gravatar image

user1234
56237
accept rate: 50%

edited 08 Apr '16, 05:16

One Answer:

1

Wireshark has its own copy of services, not sure where it ends up on systems other than Windows where it's placed alongside the binaries. The copy is generated from IANA's list.

answered 08 Apr '16, 05:26

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

1

Should be in the users home directory; the About dialog has a tab that tells where it is exactly.

(08 Apr '16, 05:28) Jasper ♦♦

Thank you. In debian-based systems, it's at /usr/share/wireshark/services. It was installed via the libwireshark-data package.

(08 Apr '16, 05:51) user1234