Wireshark map/resolve ip & ports combination to different service names
I have a sip application server which have multiple service having same IP but different ports. Is it possible in wireshark to some how map/resolve ip & ports combination to different services names?
Where would the "service name" be displayed or how would it be used?
A sip server is having multiple logical application servers. All these logical application servers have same IP address but different ports. During a call traffic flows from logical server 1 with port 5060 then goes out to another sip server which then sends call towards logical server 2 with port 5070.
You can set coloring rules for conversations but that would only be available in the packet list.
Did you want "service name" to be displayed in the Packet Details or searchable with a Display Filter?
Problem is I am not able to identify (unless I remember all ports used by different logical servers) which logical server is being used by checking the pcap trace. Currently I am using host file to resolve ip address but as host file can't have port details it becomes difficult to troubleshoot issues in the network.
The documentation could be a little clearer. You can have a services file per profile.
Would mapping the port number to a service name help?
It would require maintaining and switching to a profile based on which server the pcap is for.
I had tried adding ports in services file earlier but it didn't worked. It would be good if some examples and troubleshooting steps can be added to the documentation. If it works I hope it would solve my problem.
I think there is a bug in that
services
is only read once, on startup.It does work with custom services files if you change profiles, close Wireshark application then restart Wireshark application. Or if starting Wireshark from the command line, specify a profile to use with
-C
option.(I'll look at the code later this evening to see how to change to profile
services
file on profile changes.)I tried using services. Restarted wireshark. I can't see any changes. Where in wireshark I can see the service name which I provided for the port?
Also 1 problem in using services is that if other ip address have that port then services name will show there as well even if that service is not associated with that IP.
What version of Wireshark are you using?
Which
services
file was modified -global
,personal config
, or in aprofile
directory?In the other question about Packet Detail colors, Lua was mentioned. If that is an option I think a custom dissector that provides a new field(s) with the service information would be a better solution. Then it can be customized/tweaked to include the specific information required.
Wireshark version 3.5.0.4706 Initially there was no services file. I have added a services file in personal (appdata\roaming\wireshark) directory.
Regarding the other question about Packet Detail colors, I think if coloring can be done then it is the best solution. Your suggestion custom dissector is also good. But the problem is that I don't have any knowledge of lua :(