Decode as... doesn't work, what am I missing?

asked 2025-03-25 16:19:26 +0000


updated 2025-04-23 08:39:00 +0000

I'm doing a capture with SSH remote capture, which all works fine - normally. I'm trying to decode HTTP traffic on a non-standard port.

So I've clicked on the TCP row, gone to Decode As... and added the destination service port as the TCP Port number to match, and set the Current value to HTTP, then saved. Nothing changes.

I've tried on another computer, with a new install of Wireshark, I've blown away my local preferences, to no avail. I feel like I'm doing something really, really dumb here, but it's simply not working.

Version 4.4.6 (v4.4.6-0-gaebb20483889).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.80.0, with Qt 6.5.3, with libpcap, with zlib 1.3.1, with zlib-ng
2.1.5, with PCRE2, with Lua 5.4.6 (with UfW patches), with GnuTLS 3.8.4 and PKCS
#11 support, with Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with
nghttp2 1.62.1, with nghttp3 0.14.0, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.13.5, with libsmi 0.5.0, with Minizip-ng , with
QtMultimedia, with automatic updates using WinSparkle 0.8.0, with AirPcap, with
binary plugins.

Running on 64-bit Windows 11 (24H2), build 26100, with AMD Ryzen 9 9950X3D
16-Core Processor (with SSE4.2), with 65175 MB of physical memory, with GLib
2.80.0, with Qt 6.5.3, with Npcap version 1.79, based on libpcap version 1.10.4,
with PCRE2 10.43 2024-02-16, with c-ares 1.27.0, with GnuTLS 3.8.4, with Gcrypt
1.10.2-unknown, with nghttp2 1.62.1, with nghttp3 0.14.0, with brotli 1.0.9,
with LZ4 1.9.4, with Zstandard 1.5.6, without AirPcap, with dark display mode,
without HiDPI, with QPA plugin "windows", with LC_TYPE=English_United
Kingdom.utf8, binary plugins supported.

In this example I'm doing it locally, not even over SSH (which I thought was the only thing, but it seems not). I'm running a service on port 8081, so I've added HTTP decoding: [screenshot: Decode As]

This is what I get: [screenshot: Main]

You can make out JSON traffic, but it's not being neatly decoded: [screenshot: JSON]


Comments

Can you update the question with output of wireshark -v or copy the text from Help->About Wireshark:Wireshark tab.

There is a sample capture attached to 19723: Problem to Decode 5GC-N7 HTTP for payload Application/JSON with HTTP on TCP port 87.

Chuckc ( 2025-03-25 17:09:45 +0000 )

I haven't been ignoring this, the forum prevents me from adding anything further. I've rebuilt my computer to try again!

OOo, it's working again!

Version 4.4.6 (v4.4.6-0-gaebb20483889).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.80.0, with Qt 6.5.3, with libpcap, with zlib 1.3.1, with zlib-ng
2.1.5, with PCRE2, with Lua 5.4.6 (with UfW patches), with GnuTLS 3.8.4 and PKCS
#11 support, with Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with
nghttp2 1.62.1, with nghttp3 0.14.0, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.13.5, with libsmi 0.5.0, with Minizip-ng , with
QtMultimedia, with automatic updates using WinSparkle 0.8.0, with AirPcap, with
binary plugins.

Running on 64-bit Windows 11 (24H2), build 26100 ...
Dash ( 2025-04-23 08:03:18 +0000 )

The hex dump you shared seems to be a TLV (Type/Length/Value)(BER?) response.
Decoding it as JSON (ignoring the leading Type(0x81) and Length(0x44) bytes) yields:

JavaScript Object Notation
    Ignored leading bytes: \x81D
    Array
        [Path with value: /[]:3]
        [Member with value: []:3]
        Number value: 3
        [Path with value: /[]:2655835427]
        [Member with value: []:2655835427]
        String value: 2655835427
        Object
            Member: currentTime
                [Path with value: /[]/currentTime:2025-04-23T08:11:57.7893909+00:00]
                [Member with value: currentTime:2025-04-23T08:11:57.7893909+00:00]
                String value: 2025-04-23T08:11:57.7893909+00:00
                Key: currentTime
                [Path: /[]/currentTime]

Can you share a capture file on a public file share and update the question with a link to it?

Note: OCR'ing the hex dump screenshot in CyberChef.
Result needs a little tweaking but better than typing in all the bytes:

Confidence: 73%

@0 8c 29 39 14 6c bc fc e7 b2 70 ...
Chuckc ( 2025-04-23 13:15:42 +0000 )
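The following is an added example, not code from the thread or from Wireshark. It shows why forcing "Decode As... HTTP" on port 8081 (the question above) produced nothing useful, and what the comment above found instead: the HTTP dissector keys on a request or status line, while the bytes in the hex dump are a BER-style TLV (tag 0x81, length 0x44) wrapping a JSON document. The sample payload is constructed from the decoded fields quoted in the comment, not captured from the wire; the function names, the regular expressions and the `/api/time` request line are assumptions for illustration.

```python
"""Classify a TCP payload the way a "Decode As" choice should be checked.

Added example: the HTTP branch mirrors what Wireshark's HTTP dissector
needs to see (a request-line or status-line), the TLV branch mirrors the
"ignore leading bytes, then decode as JSON" approach from the comment.
"""
import json
import re

# RFC 9112 request-line / status-line shapes (assumed sufficient here).
_HTTP_REQUEST = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r\n")
_HTTP_STATUS = re.compile(rb"^HTTP/1\.[01] [1-5]\d\d ")


def parse_ber_tlv(buf: bytes):
    """Return (tag, value, rest) for one BER definite-length TLV, or None.

    Handles the short-form length (< 0x80) and the long form (0x8N followed
    by N length bytes).  Indefinite length (0x80) and truncated values are
    rejected so a hostile length byte cannot make us over-read.
    """
    if len(buf) < 2:
        return None
    tag = buf[0]
    first = buf[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            return None
        length = int.from_bytes(buf[2:2 + n], "big")
        offset = 2 + n
    if len(buf) < offset + length:
        return None                       # truncated value
    return tag, buf[offset:offset + length], buf[offset + length:]


def classify_payload(payload: bytes):
    """Decide which dissector the bytes actually match.

    Returns ("http", first_line), ("tlv-json", (tag, obj)) or ("unknown", None).
    """
    if _HTTP_REQUEST.match(payload) or _HTTP_STATUS.match(payload):
        return "http", payload.split(b"\r\n", 1)[0].decode("ascii")
    tlv = parse_ber_tlv(payload)
    if tlv is not None:
        tag, value, _rest = tlv
        try:
            return "tlv-json", (tag, json.loads(value.decode("utf-8")))
        except (UnicodeDecodeError, json.JSONDecodeError):
            pass
    return "unknown", None


# Constructed sample: the JSON array decoded in the comment, wrapped in a
# tag 0x81 TLV.  The compact encoding is exactly 0x44 (68) bytes long, which
# is the Length byte the comment reports.
SAMPLE_JSON = b'[3,"2655835427",{"currentTime":"2025-04-23T08:11:57.7893909+00:00"}]'
SAMPLE_TLV = b"\x81" + bytes([len(SAMPLE_JSON)]) + SAMPLE_JSON
# Constructed HTTP request for contrast (path is an assumption).
SAMPLE_HTTP = b"GET /api/time HTTP/1.1\r\nHost: localhost:8081\r\n\r\n"

if __name__ == "__main__":
    for name, blob in (("tlv", SAMPLE_TLV), ("http", SAMPLE_HTTP)):
        print(name, classify_payload(blob))
```

Applied to the constructed TLV the classifier reports `tlv-json` with tag `0x81` and the same array the comment shows; applied to a real request line it reports `http`. The practical point: "Decode As" only relabels the port, it cannot make bytes that are not HTTP dissect as HTTP, so the first check is always whether the payload starts with a request or status line. For the command line, the dialog's rule for the question's port is `tshark -d tcp.port==8081,http`; if that still shows plain TCP data, the traffic is not HTTP and a different dissector (or none) is the right choice.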