Wireshark analysis of non-standard port traffic
2.2.2 Analysis of non-standard port traffic
Non-standard port numbers are a constant concern for network analysts: you need to determine whether an application is deliberately using a non-standard port, or whether something is quietly trying to slip past the firewall on it. This document uses Wireshark for the packet analysis.
1. A port number assigned to another program
When a packet uses a non-standard port that Wireshark already associates with another program, Wireshark may apply the wrong dissector to it. Figure 2.19 shows what this looks like in practice. This article is excerpted from a Wireshark packet analysis book published by Tsinghua University Press.
Figure 2.19 Using a non-standard port
In the Info column of the Packet List pane you can see NetBIOS information, but normal NetBIOS traffic does not look like this: the port field in the Info column says netbios-ns, yet the Protocol column says TCP. Inspecting the packets confirms that the Info column contains none of the usual NetBIOS name service details.
2. Manually forcing a dissector
There are two reasons to force a dissector (parser) manually:
• Wireshark uses the wrong dissector because the non-standard port is already associated with another dissector.
• Wireshark cannot find any dissector for the data.
To force a dissector, right-click the packet in the Packet List pane that is not dissected, or is dissected incorrectly, and choose Decode As. In Figure 2.19, the first three packets are the TCP three-way handshake between the client and the server. Once the connection is established, the following packets should be HTTP, but they are shown as plain TCP, which indicates that the data has not been dissected correctly. Select the 4th packet, right-click it, and choose Decode As. The dialog shown in Figure 2.20 appears.
Figure 2.20 Selecting a decoder
In this dialog, select the correct protocol to decode as (HTTP here) and click OK. Once the data is decoded correctly, the view shown in Figure 2.21 appears.
Figure 2.21 Using the HTTP decoder
You can see that the contents of the Protocol and Info columns have changed.
3. How a dissector is started
The process of starting a dissector is shown in Figure 2.22.
Figure 2.22 Dissector start-up process
The process is as follows:
(1) Wireshark hands the data to the first available dissector. If that dissector has no registration for the port, the data is passed on to the next matching dissector.
(2) If the dissector can handle the port the data arrived on, it is used. If it cannot, the data is passed on to the next matching dissector.
(3) If a dissector matches, it is used and dissection ends. If the data still cannot be dissected, it is passed on again, and so on.
(4) If nothing matches by the end of the chain, you have to specify the decoding yourself (for example with Decode As).
4. Adjusting a dissector
If you know that a protocol is running on a non-standard port in your network, you can add that port in the protocol's preferences. For example, to have Wireshark dissect HTTP data on port 81, proceed as follows:
(1) Select Edit | Preferences | Protocols | HTTP from the menu bar. The page shown in Figure 2.23 appears.
Figure 2.23 HTTP protocol preferences
(2) On the right side of the page you can see the default port numbers. In the text box next to TCP Ports, add port 81, then click OK.
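The dissector selection of section 3 and the port preference and Decode As steps of sections 2 and 4, modelled as an added Python example (this is not code from the book or from Wireshark; the class and function names are hypothetical, and the order "Decode As override, then port table, then heuristics" is a simplification of Wireshark's configurable behaviour). It also adds the check an analyst actually wants: flagging payloads whose content does not match the protocol the port is labelled with.

```python
from dataclasses import dataclass, field

# Port-registered dissectors, modelled on Wireshark's default tcp.port table (TCP/137 is netbios-ns).
DEFAULT_TCP_PORTS = {80: "http", 8080: "http", 137: "netbios-ns"}

def _looks_like_http(payload: bytes) -> bool:
    return payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1."))

# Heuristic dissectors, tried in order until one accepts the payload.
HEURISTICS = [("http", _looks_like_http)]

@dataclass
class DissectorTable:
    ports: dict = field(default_factory=lambda: dict(DEFAULT_TCP_PORTS))
    overrides: dict = field(default_factory=dict)  # per-port "Decode As" choices
    def add_port(self, port: int, proto: str) -> None:
        # Same effect as adding a port under Edit | Preferences | Protocols | HTTP.
        self.ports[port] = proto
    def decode_as(self, port: int, proto: str) -> None:
        # Same effect as right-click | Decode As on a packet.
        self.overrides[port] = proto
    def resolve(self, port: int, payload: bytes) -> str:
        # Dissector selection as in Figure 2.22: override, then port table, then heuristics.
        if port in self.overrides:
            return self.overrides[port]
        if port in self.ports:
            return self.ports[port]
        for name, accepts in HEURISTICS:
            if accepts(payload):
                return name
        return "data"  # nothing matched: the packet shows as plain TCP

def port_content_mismatch(table: DissectorTable, port: int, payload: bytes):
    # Protocol the payload looks like when it differs from the port's dissector (Figure 2.19 case).
    label = table.resolve(port, payload)
    for name, accepts in HEURISTICS:
        if accepts(payload) and name != label:
            return name
    return None

# Constructed sample segments (port, first payload bytes); not a real capture.
SAMPLE_SEGMENTS = [
    (80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    (137, b"GET /admin HTTP/1.1\r\n"),  # HTTP on the netbios-ns port (Figure 2.19)
    (81, b"HTTP/1.1 200 OK\r\n"),       # HTTP on a non-standard port (section 4)
    (9999, b"\x00\x01\x02"),            # nothing recognisable
]

def classify_all(table: DissectorTable) -> list:
    return [(p, table.resolve(p, d), port_content_mismatch(table, p, d)) for p, d in SAMPLE_SEGMENTS]
```

Running `classify_all(DissectorTable())` labels the port 137 segment netbios-ns but flags it as http, which is exactly the mismatch you see in Figure 2.19 before applying Decode As.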