Wireshark analyzing non-standard port number traffic

Source: Internet
Author: User

2.2.2 Analyzing non-standard port number traffic

Applications that run on non-standard port numbers are a perennial concern for network analysts. The question is whether the application uses a non-standard port deliberately and legitimately, or is quietly trying to slip through a firewall. This article is selected from Wireshark Packet Analysis in Practice (Tsinghua University Press).

1. A port number assigned to another program

When a packet arrives on a non-standard port that Wireshark recognizes as belonging to another program, Wireshark may apply the wrong dissector, as shown in Figure 2.19.

Figure 2.19 Using non-standard ports

In the Info column of the Packet List pane you can see NetBIOS information. However, normal NetBIOS traffic does not look like this: the port shown in the Info column is netbios-ns, yet the Protocol column shows TCP (NetBIOS Name Service traffic normally runs over UDP). Looking through the file, the Info column does not contain the usual NetBIOS Name Service details.

2. Manually forcing a dissector onto the data

There are two reasons for manually forcing a dissector onto the data:

  • Wireshark used the wrong dissector because the non-standard port already has a dissector associated with it.

  • Wireshark could not start any dissector for the data type.

To force a dissector onto the data, right-click the undissected or mis-dissected packet in the Packet List pane and select Decode As. As shown in Figure 2.19, TCP first establishes the connection with a three-way handshake; there are three TCP packets between the client and the server, after which, once the connection is established, HTTP should follow. Instead, the interface shows TCP packets whose data has not been dissected correctly. Select the 4th packet here, right-click, choose Decode As, and the dialog shown in Figure 2.20 pops up.

Figure 2.20 Selecting a decoder

In this dialog select the correct protocol to decode as (HTTP here) and click the OK button. The packets are now decoded correctly, as shown in Figure 2.21.

Figure 2.21 Using the HTTP decoder

In this view you can see that the Protocol and Info columns have changed.

3. How a dissector is started

The process by which a dissector is started is shown in Figure 2.22.

Figure 2.22 Dissector start-up process

The process for starting a dissector is as follows:

(1) Wireshark passes the data to the first available dissector. If no dissector is registered for that port, the data is passed to the next matching dissector.

(2) If that dissector can dissect data on the port the packet arrived on, it is used. If it cannot resolve the data, the data is passed to the next matching dissector.

(3) If a dissector matches, it is used and dissection ends. If the data still cannot be resolved, it is passed on again, and so on until the end of the list.

(4) If nothing has matched by the end, you need to specify how to decode the data yourself.

4. Adjusting dissector preferences

If you determine that traffic is running on a non-standard port, you can add that port in the preferences of the HTTP protocol. For example, suppose the user wants Wireshark to dissect HTTP data on port 81. The steps to add it are as follows:

(1) From the menu, select Edit | Preferences | Protocols | HTTP; the dialog shown in Figure 2.23 is displayed.

Figure 2.23 HTTP protocol preferences

(2) On the right side of the dialog you can see the default port numbers. In the text box for TCP ports, add port 81. When you have finished adding it, click the OK button.
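Sections 2, 3 and 4 above describe one mechanism from three sides: the order in which dissectors are tried, the Decode As override, and the port added under the HTTP preferences. The following is an added example, not code from the book or from Wireshark: a small Python model of that lookup order, with simplified stand-in dissectors for HTTP and NetBIOS-NS-over-TCP and constructed packets, showing why HTTP on port 137 is left as undissected TCP (Figure 2.19) and how either Decode As or the port preference fixes it.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# A dissector returns an Info string for the payload, or None when it "cannot resolve" the data.
Dissector = Callable[[bytes], Optional[str]]

def dissect_http(payload: bytes) -> Optional[str]:
    """Stand-in HTTP dissector: accept a request line ("GET /path HTTP/1.1"), reject anything else."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith(b"HTTP/"):
        return f"{parts[0].decode()} {parts[1].decode()}"
    return None

def dissect_nbns_tcp(payload: bytes) -> Optional[str]:
    """Stand-in NetBIOS Name Service over TCP: 2-byte length prefix + 12-byte DNS-style header."""
    if len(payload) < 14 or int.from_bytes(payload[:2], "big") != len(payload) - 2:
        return None
    return f"Name query 0x{int.from_bytes(payload[2:4], 'big'):04x}"

@dataclass
class Engine:
    port_table: Dict[int, Tuple[str, Dissector]] = field(default_factory=dict)  # Preferences > TCP ports
    decode_as: Dict[int, Tuple[str, Dissector]] = field(default_factory=dict)   # right-click > Decode As

    def dissect(self, sport: int, dport: int, payload: bytes) -> Tuple[str, str]:
        """Return (Protocol, Info) as the Packet List pane would show them."""
        for port in (dport, sport):            # a Decode As choice is forced, so it runs
            if port in self.decode_as:         # even when the dissector rejects the bytes
                name, fn = self.decode_as[port]
                return name, fn(payload) or "Malformed Packet"
        for port in (dport, sport):            # registered port dissectors next; one that
            if port in self.port_table:        # cannot resolve the data passes it on
                name, fn = self.port_table[port]
                info = fn(payload)
                if info:
                    return name, info
        return "TCP", f"{sport} -> {dport} Data"   # nothing matched: user must decode manually

def demo() -> Dict[str, Tuple[str, str]]:
    """The situations described above, with constructed packets (not real captures)."""
    http_get = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    nbns = b"\x00\x0c\xab\xcd\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00"
    eng = Engine(port_table={80: ("HTTP", dissect_http), 137: ("NBNS", dissect_nbns_tcp)})
    out = {"nbns_on_137": eng.dissect(49152, 137, nbns),
           "http_on_137": eng.dissect(49153, 137, http_get),   # Figure 2.19: wrong port dissector
           "http_on_81": eng.dissect(49154, 81, http_get)}     # no dissector registered for 81
    eng.decode_as[137] = ("HTTP", dissect_http)      # section 2: Decode As > HTTP
    eng.port_table[81] = ("HTTP", dissect_http)      # section 4: add 81 to HTTP TCP ports
    out["http_on_137_decode_as"] = eng.dissect(49153, 137, http_get)
    out["http_on_81_pref"] = eng.dissect(49154, 81, http_get)
    return out
```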

