Wireshark: analysing traffic on non-standard ports

Source: Internet
Author: User
Tags: parse error

2.2.2 Analysing traffic on non-standard ports

Applications running on non-standard port numbers are always a prime concern for network analysts. The question is whether the application deliberately uses a non-standard port, or is quietly trying to slip through a firewall. This article is excerpted from Wireshark Packet Analysis in Practice (Tsinghua University Press).

1. A port number used by a different program

When traffic runs on a non-standard port, Wireshark assumes it belongs to the program normally assigned that port, which means Wireshark may apply the wrong dissector. See Figure 2.19.


Figure 2.19 Using a non-standard port

In the Info column of the Packet List pane you can see NetBIOS information. However, normal NetBIOS traffic does not look like this:

The port field of the Info column shows netbios-ns, but the Protocol column shows TCP.

Looking through the file, the Info column does not contain the usual NetBIOS Name Service details.

2. Manually forcing dissection of the data

There are two reasons to force dissection manually:

- Wireshark uses the wrong dissector, because the non-standard port already has a dissector associated with it.

- Wireshark cannot start any dissector for this kind of data.

To force a dissector onto the data, right-click the undissected (or mis-dissected) packet in the Packet List pane and choose Decode As. As Figure 2.19 shows, TCP first establishes a connection with a three-way handshake; after the three handshake packets between client and server, the traffic should be HTTP. Instead, the Protocol column shows TCP and the payload has not been dissected correctly. Select the fourth packet, right-click, and choose Decode As; the dialog shown in Figure 2.20 appears.


Figure 2.20 Selecting a decoder

In this dialog select the correct protocol to decode (HTTP here) and click the OK button.

After decoding, the display looks like Figure 2.21.


Figure 2.21 Using the HTTP decoder

In this view the Protocol and Info columns have changed.

3. How the dissector is started

The dissector start-up procedure is shown in Figure 2.22.


Figure 2.22 Dissector start-up process

The dissector is selected in the following steps:

(1) Wireshark passes the data to the first available dissector. If that dissector is not registered for the port, the data is passed on to the next matching dissector.

(2) If the dissector can parse the data on the port where it appeared, that dissector is used.

If it cannot parse the data, the data is passed on to the next matching dissector.

(3) If that dissector matches, it is used and dissection ends. If the data still cannot be parsed, it is passed on again.

This continues until the end of the chain is reached.

(4) If there is still no match at the end of the chain, you have to define the data yourself.

4. Adjusting the dissector

If data from a non-standard port is flowing on the network, the port can be added to the preferences of the HTTP protocol. For example, suppose the user wants Wireshark to dissect HTTP data on port 81.

Add the port as follows:

(1) From the menu bar, choose Edit | Preferences | Protocols | HTTP. The dialog shown in Figure 2.23 appears.


Figure 2.23 HTTP protocol Preferences

(2) On the right side of the dialog you can see the default port numbers. In the text box for TCP ports, add port 81. Then click the OK button.
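The three mechanisms described in sections 2 to 4 (port-based lookup, the Decode As override, and adding a port to the protocol preferences) can be modelled in a few dozen lines. The following is an added example written for this page, not Wireshark's own code or the book's: a deliberately simplified dissector table that follows steps (1) to (4) above, a `decode_as` override mirroring Figure 2.20, an `add_port_preference` call mirroring Figure 2.23, a defender's check that flags a protocol carried on a port assigned to something else (the firewall-evasion concern from the introduction), and a helper that builds the equivalent `tshark -d tcp.port==81,http` command line. The segments, the `WELL_KNOWN_TCP` subset and the `example.test` host are constructed sample data; the heuristic chain is left empty to match the article's scenario, in which no heuristic picks the traffic up.

```python
"""Toy model of matching a TCP payload to a dissector (port table, then
heuristics, then raw data) and of the two fixes the article describes.
Illustrative code written for this page, not Wireshark's own logic."""
import re
from dataclasses import dataclass


@dataclass
class Segment:
    """A captured TCP segment (constructed sample data, not a real capture)."""
    src_port: int
    dst_port: int
    payload: bytes


# A dissector returns an Info string, or None when the payload does not look
# like its protocol (real dissectors may instead report a malformed packet).
HTTP_REQUEST = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] [1-5]\d\d ")


def dissect_http(payload: bytes):
    if HTTP_REQUEST.match(payload) or HTTP_RESPONSE.match(payload):
        return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return None


def dissect_data(payload: bytes) -> str:
    """Fallback when nothing matches: the bytes are just shown as Data."""
    return f"Data ({len(payload)} bytes)"


# Hypothetical subset of well-known TCP assignments for the mismatch check.
WELL_KNOWN_TCP = {80: "HTTP", 8080: "HTTP", 137: "NetBIOS-NS"}


class TcpDissectorTable:
    def __init__(self):
        # Preference-driven port table (the "TCP ports" box in the HTTP preferences).
        self.port_prefs = {80: ("HTTP", dissect_http), 8080: ("HTTP", dissect_http)}
        # Session-only overrides, as set through right-click > Decode As.
        self.overrides = {}
        # Heuristic dissectors tried after the port lookup; empty, as in the article.
        self.heuristics = []

    def decode_as(self, port: int, name: str, fn) -> None:
        self.overrides[port] = (name, fn)

    def add_port_preference(self, port: int, name: str, fn) -> None:
        self.port_prefs[port] = (name, fn)

    def dissect(self, seg: Segment):
        """Return (protocol, info) following the article's steps (1) to (4)."""
        # (1)/(2): port-based lookup; a Decode As override beats the preferences.
        for port in (seg.dst_port, seg.src_port):
            entry = self.overrides.get(port) or self.port_prefs.get(port)
            if entry is not None:
                name, fn = entry
                info = fn(seg.payload)
                if info is not None:
                    return name, info
        # (3): walk the heuristic chain; the first dissector that accepts wins.
        for name, fn in self.heuristics:
            info = fn(seg.payload)
            if info is not None:
                return name, info
        # (4): no match; shown as plain TCP with undissected data.
        return "TCP", dissect_data(seg.payload)


def port_protocol_mismatch(seg: Segment, dissected: str) -> bool:
    """Defender's check: the dissected protocol differs from the well-known
    assignment of either port (e.g. HTTP carried on TCP/137)."""
    for port in (seg.dst_port, seg.src_port):
        expected = WELL_KNOWN_TCP.get(port)
        if expected is not None and expected != dissected:
            return True
    return False


def tshark_decode_as_argv(pcap: str, port: int, proto: str):
    """Command-line equivalent of the GUI's Decode As: tshark's -d option
    takes '<table>==<selector>,<protocol>', e.g. tcp.port==81,http."""
    return ["tshark", "-r", pcap, "-d", f"tcp.port=={port},{proto}"]


# Constructed sample segments: the same GET carried on ports 80, 137 and 81.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SEG_PORT_80 = Segment(49152, 80, REQUEST)
SEG_PORT_137 = Segment(49153, 137, REQUEST)
SEG_PORT_81 = Segment(49154, 81, REQUEST)

if __name__ == "__main__":
    table = TcpDissectorTable()
    for seg in (SEG_PORT_80, SEG_PORT_137, SEG_PORT_81):
        print(seg.dst_port, table.dissect(seg))
    table.decode_as(137, "HTTP", dissect_http)           # the Figure 2.20 step
    table.add_port_preference(81, "HTTP", dissect_http)  # the Figure 2.23 step
    for seg in (SEG_PORT_137, SEG_PORT_81):
        proto, info = table.dissect(seg)
        flag = " (port/protocol mismatch)" if port_protocol_mismatch(seg, proto) else ""
        print(seg.dst_port, proto, info + flag)
    print(" ".join(tshark_decode_as_argv("capture.pcap", 81, "http")))
```

Before the overrides, the GET on port 137 and on port 81 both come back as plain TCP data, exactly what Figure 2.19 shows; after `decode_as` and `add_port_preference` they dissect as HTTP. The difference between the two fixes is scope: Decode As lives only in the current session, while the preference entry persists. The mismatch check is the part a defender would keep: HTTP dissected on a port assigned to NetBIOS-NS is worth a second look regardless of whether the application meant it.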

Copyright notice: this article is the blogger's original work and may not be reproduced without permission.
