This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Does WireShark Version 2.2.1 support iSCSI

0

I am trying to use WireShark version 2.2.1 to examine a pcapng file that contains iSCSI PDUs. The problem that I am having is when the trace is opened the iSCSI PDUs are not decoded and they show up as tcp frames with a payload. Can you please tell me what I need to do in order to get these frames decoded.

asked 08 Nov '16, 01:46

LouD's gravatar image

LouD
6112
accept rate: 0%

2 Answers:

1

iSCSI is supported by Wireshark. Port 3260/tcp is the default port of the dissector.

If your connection is running on a different port please use 'Decode as' and choose 'iSCSI'.

answered 08 Nov '16, 03:53

Uli's gravatar image

Uli
9031515
accept rate: 29%

My iSCSI traffic is using port 3260 but the traffic is not being dissected. When I try using the 'Decode as' I do not get iSCSI listed as a choice.

(08 Nov '16, 07:56) LouD

When you choose Analyze -> Enabled Protocols and write iscsi to the Search field at the bottom of the window, what can you see in the protocol list in the upper part of the window?

(08 Nov '16, 08:12) sindy

iSCSI shows up as an Enabled Protocol.

Another interesting thing is I uploaded the trace to CloudShark and CloudShark decodes the packets as iSCSI PDUs, but for some reason WireShark does not.

(10 Nov '16, 03:53) LouD

Can you share the pcap file (link to Cloudshark) publicly?

(10 Nov '16, 04:19) Uli

Here is the link to the trace in cloud shark

https://www.cloudshark.org/captures/37eba34a4db8

(10 Nov '16, 05:04) LouD

Wireshark 2.2.1 decodes the iSCSI frames here. Is 'iscsi_tcp' enabled (Analyze -> Enabled Protocols) at your site?

(10 Nov '16, 05:39) Uli

Do you have anything in the Decode As... dialog (Analyze -> Decode As...)?

(10 Nov '16, 05:50) grahamb ♦

no there is nothing in the Decode as field

(10 Nov '16, 06:07) LouD

As you can see in the screen shot below there is nothing in the Decode as field and iSCSI does not show as an option to add to the Decode as field.

(10 Nov '16, 06:12) LouD

Look at the bottom of the Decode as list, lower case initial letters come last in the list.

(10 Nov '16, 06:22) grahamb ♦

Maybe my last comment has been overlooked:

Is 'iscsi_tcp' enabled (Analyze -> Enabled Protocols) at your site?

(10 Nov '16, 06:29) Uli

Thank you very much for your help the problem has been solved. I found iSCSI in the bottom of the Decode list and when I selected it the frames are now decoded. Thank you for your help

(11 Nov '16, 00:53) LouD
showing 5 of 12 show 7 more comments

0

Thanks for providing the capture file. The iSCSI packets do show up as iSCSI in my Wireshark 2.2.1 installation. You might want to check your iSCSI protocol preferences. Here are the settings of my Wireshark profile:

$ tshark -G currentprefs | egrep "^#?iscsi"
#iscsi.protocol_version: Draft 13
#iscsi.desegment_iscsi_messages: TRUE
#iscsi.bogus_pdu_filter: TRUE
#iscsi.demand_good_f_bit: FALSE
#iscsi.bogus_pdu_max_data_len: 262144
#iscsi.target_ports: 3260
#iscsi.target_system_port: 860
$

If that does not help, maybe removing your preferences file altogether might solve the issue.

answered 11 Nov '16, 04:21

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%