Ask Your Question
0

How to save "Decode As" into .pcapng file?

asked 2023-05-18 15:12:34 +0000

pac122 gravatar image

I am using the latest Wireshark from master repository on Ubuntu 23.04. I test several different servers and install options with different port number configurations. I see I constantly set Analyze | Decode As to set protocol to be recognized on specific port.

I also know I can permanently save this info in Edit | Preferences | Protocols | specific protocol | TCP port(s).

But in my case port numbers frequently change and I don't want to set them permanently in Wireshark preferences, but also setting them manually in "Decode As" is also little bit annoying.

I am wondering if this decode as port relationship can be somehow saved in .pcapng file itself. This would be the best option for me. I am reopening captured files frequently and if port-decode-relationship would be there I think it would be the best.

Is it possible to save decode as info in .pcapng file?

Thanks

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2023-05-18 16:13:27 +0000

André gravatar image

No, you cannot save a 'decode as' instruction in a pcapng.

But you can add a comment to a pcapng.
And provide the 'decoce as' as a command line option -d. For example:

wireshark -d tcp.port==8888,http -r myfile.pcapng &

So it is possible to create a little script that launces Wireshark with the (temporary) decode as setting. (E.g. based on some info in the filename or extract the comment with tshark.)

edit flag offensive delete link more

Comments

Another option is to store them in a seperate profile. I always recommend to use profiles a lot.

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2023-05-19 08:18:02 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-05-18 15:12:34 +0000

Seen: 291 times

Last updated: May 18 '23

Related questions

How to set packet metadata in realtime?

How to convert Pcapng file to pcap file by Tshark

The ip-address of a pcap file “question”

tshark: How do I convert pcap to compressed pcapng?

editcap and per-file comments in pcapng files...

Pipe with comments

How can I see the interface name and DLT for a packet in Wireshark

Getting a PDF file from printing job

How to donate the development of plugins for Wireshark ?

Couldn't refresh captures in wireshark with GNS3

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2