Wireshark analyzes non-standard port traffic
2.2.2 Analysis of non-standard port traffic
Traffic on non-standard port numbers is always one of the most common concerns for network analysts. The question is whether the application intends to use a non-standard port, or is covertly trying to get through the firewall. This article is excerpted from a book on Wireshark packet analysis.
1. The port number assigned to another program
When a packet uses a non-standard port and Wireshark identifies it as another program, Wireshark may be using the wrong parser (dissector), as shown in Figure 2.19.
Figure 2.19 Using a non-standard port
Figure 2.20 Selecting the decoder
In this dialog, select the correct protocol to decode with (HTTP is selected here) and click OK. Once the traffic is decoded correctly, the view shown in Figure 2.21 is displayed.
Figure 2.21 Using the HTTP decoder
You can see that the information in the Protocol and Info columns has changed.
3. How the parser is started
The process of starting the parser is shown in Figure 2.22.
Figure 2.22 start the parser Process
The process of starting the parser is as follows:
(1) Wireshark passes the data to the first available parser. If that parser has no entry for the port in use, the data is passed to the next matching parser.
(2) If a parser can parse data from that port, it is used. If it cannot, the data is passed to the next matching parser.
(3) If the parser matches, it is used and parsing ends. If the data still cannot be parsed, it is passed on again, and so on.
(4) If the data has not matched any parser by the end, you need to customize the parsing yourself.
4. Adjusting the parser
If you are sure that traffic on a non-standard port is running in the network, you can add that port in the HTTP preference settings. For example, suppose you want Wireshark to parse HTTP data on port 81. The procedure is as follows:
(1) Select Edit | Preferences | Protocols | HTTP from the menu bar. The dialog shown in Figure 2.23 is displayed.
Figure 2.23 HTTP protocol preferences
(2) On the right side of the dialog, you can see the default port numbers. In the text box for TCP Ports, add port 81. After adding it, click OK.
This article is excerpted from a detailed Wireshark packet-analysis book published by Tsinghua University Press.
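
The port-versus-payload comparison behind sections 1 to 4 can be run offline to flag flows whose port label and content disagree. The Python below is an added example, not code from the original article or from Wireshark; the port table, payload checks, verdict names and sample flows are constructed for illustration, and `extra_ports` stands in for adding port 81 to HTTP's TCP ports.

```python
import re

# Constructed subset of a port-to-protocol table (assumption, not Wireshark's own).
PORT_TABLE = {21: "ftp", 80: "http", 443: "tls"}

HTTP_START = re.compile(
    rb"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n|HTTP/1\.[01] \d{3} ")

# Payload checks tried in order; the first one that matches names the protocol.
HEURISTICS = [
    ("http", lambda p: HTTP_START.match(p) is not None),
    ("ssh", lambda p: p.startswith(b"SSH-2.0-")),
    ("tls", lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03),
]

def classify(port, payload, extra_ports=None):
    """Return (by_port, by_payload, verdict) for the first payload of a flow."""
    table = {**PORT_TABLE, **(extra_ports or {})}
    by_port = table.get(port)
    by_payload = next((name for name, looks_like in HEURISTICS if looks_like(payload)), None)
    if by_port and by_payload:
        verdict = "ok" if by_port == by_payload else "mismatch"
    elif by_payload:
        verdict = "unregistered-port"   # candidate for the protocol's port list
    elif by_port:
        verdict = "unconfirmed"         # port label only, payload not recognised
    else:
        verdict = "undecoded"           # nothing matched: plain data
    return by_port, by_payload, verdict

# Constructed sample flows: (server port, first payload bytes).
GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
FLOWS = [
    (80, GET),
    (81, GET),
    (21, GET),
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (4444, b"\x00\x01\x02\x03"),
]

def review(flows, extra_ports=None):
    """Flows whose port label and payload disagree, or where one is missing."""
    results = [(port, *classify(port, data, extra_ports)) for port, data in flows]
    return [r for r in results if r[-1] != "ok"]

if __name__ == "__main__":
    for row in review(FLOWS):
        print(row)
    print(review(FLOWS, extra_ports={81: "http"}))
```

A "mismatch" row corresponds to the section 1 case of a port assigned to another program, and an "unregistered-port" row to a port worth adding as in section 4.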