This is our old Q&A Site. Please post any new questions and answers at

The section on port name resolution states that

Wireshark will ask the operating system to convert a TCP or UDP port to its well known name (e.g. 80 → http).

This is from the output of tshark -nr file.pcap

5 0.027049000 -> TCP 66 33214 > 7777 [ACK] Seq=1 Ack=1 Win=251 Len=0 TSval=1736678907 TSecr=332227645

This from tshark -r file.pcap

5 0.027049000 -> TCP 66 33214 > cbt [ACK] Seq=1 Ack=1 Win=251 Len=0 TSval=1736678907 TSecr=332227645

Port 7777 got mapped to the "cbt" protocol (in tshark). Neither the port nor the string "cbt" appear in /etc/services, so it seems there is some other source.

Could someone explain this?

asked 08 Apr '16, 05:08

user1234's gravatar image

accept rate: 50%

edited 08 Apr '16, 05:16

Wireshark has its own copy of services, not sure where it ends up on systems other than Windows where it's placed alongside the binaries. The copy is generated from IANA's list.

permanent link

answered 08 Apr '16, 05:26

grahamb's gravatar image

grahamb ♦
accept rate: 22%


Should be in the users home directory; the About dialog has a tab that tells where it is exactly.

(08 Apr '16, 05:28) Jasper ♦♦

Thank you. In debian-based systems, it's at /usr/share/wireshark/services. It was installed via the libwireshark-data package.

(08 Apr '16, 05:51) user1234
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 08 Apr '16, 05:08

question was seen: 1,406 times

last updated: 08 Apr '16, 05:53

p​o​w​e​r​e​d by O​S​Q​A