Is it possible to change the decoding priority when ports conflict?

asked 2025-12-25 10:25:49 +0000

When parsing 4G and 5G packets, lots of 5G http2 messages will be sent from the NF consumer. Normally such an NF consumer will have a port scale as client, not only for http2 in 5G but also for protocols like diameter in 4G.

For example, the NF consumer client port scale is 60001~61000. As the majority of such messages in 5G are http2, we configured protocol http2 in Wireshark with port scale 60001~65535 for tcp; the diameter port scale is 3867~3869 for tcp. When a packet's source port is 60001 and its destination port is 3868, this shall be a diameter message. But Wireshark will decode it as http2 (though it will be displayed as a tcp packet) rather than diameter. So every time we need to analyze diameter packets we have to remove the configured tcp port scale from http2, while when analyzing http2 packets we need to add them back.

Is it possible to make the diameter decoding prioritized over http2, so that when a packet matches the port scale of both http2 and diameter, it will be decoded as a diameter message? Or to make it configurable which is prioritized, diameter or http2?

Thanks!


Comments

You mention "port scale" several times, do you mean "port range"?

grahamb ( 2025-12-25 22:51:45 +0000 )

Can you update the question with the output of wireshark -v.

Are you running a current version of Wireshark?
Does your capture include the TCP handshake?
18044: TCP: Don't use client port for dissector selection

Related discussions:
19637: Decoding errors with TCP carrying SIP when source port is 2152 and destination port is 5060
9469: Patch: set dissector for a specific source+dest port combination

Chuckc ( 2025-12-26 02:25:16 +0000 )

Hi, thanks for the comments.

(1) You mention "port scale" several times, do you mean "port range"? [Roger] Yes, I mean port range.

(2) Can you update the question with the output of wireshark -v.

c:\Program Files\Wireshark>"Wireshark.exe" -v

c:\Program Files\Wireshark>

Wireshark 4.6.2 (v4.6.2-0-g24d5e2b5a3dc).

Copyright 1998-2025 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compile-time info:
 Bit width: 64-bit
  Compiler: Microsoft Visual Studio 2022 (VC++ 14.44, build 35221)
      GLib: 2.84.2
 With:
  +automatic updates          +nghttp2 1.65.0
  +brotli                     +nghttp3 1.8.0
  +Gcrypt 1.11.2-unknown      +PCRE2 10.45 2025-02-05
  +GnuTLS 3.8.11 and PKCS#11  +Qt 6 ...

Roger Sun ( 2025-12-27 12:57:08 +0000 )

(3) Are you running a current version of Wireshark? (4) Does your capture include the TCP handshake?

Roger Sun ( 2025-12-27 12:58:51 +0000 )

Thanks - that is the current release version.
Is the TCP handshake captured?

Chuckc ( 2025-12-27 15:01:49 +0000 )