This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark101: Adding nonstandard port to dissector not working?

0

I am going through the "Wireshark101" book and Lab 5 has the reader add port 81 to the list of ports to be dissected as HTTP (under "Preferences, Protocols, HTTP"). I added port 81 to the list of ports to be dissected as HTTP but nothing has changed in the screen output. The sample file is "http-nonstandard101.pcapng", which has an HTTP session over port 81. But after adding port 81 to the list of HTTP ports Wireshark still dissects port 81 as "hosts2-ns". I've tried 3 different versions of Wireshark all with the same result. Is there something I am missing?

asked 18 Oct '13, 08:30

Marc Ferreira


2 Answers:

0

Sounds to me like Wireshark has other settings forcing it to decode the port as something else. I don't know why port 81 is called "hosts2-ns" - this isn't something that comes from the services file, maybe you set it yourself at some point? The name also sounds more like a host name, not a port name.

You might want to check if you force any kind of decoding: go to "Analyze - Decode As" (with a trace being loaded, otherwise it is greyed out) and use the "Clear" button to reset the decodings. You can verify that there is no decode forcing by using the "Show Current" button.

answered 18 Oct '13, 08:48

Jasper ♦♦

Thanks Jasper. I didn't set any decoding manually but I did open this screen and tried telling it to decode destination port 81 as HTTP and that still made no difference. Then I hit "Clear" and verified in the "Show Current" screen that it did clear. I found "hosts2-ns" listed as one possible user of port 81 on speedguide.net but yes it is unassigned by IANA. Any other ideas as to why this function would not be working according to "the book"?

(18 Oct '13, 10:17) Marc Ferreira

0

> But after adding port 81 to the list of HTTP ports Wireshark still dissects port 81 as "hosts2-ns".

Apparently this is mentioned in the book.

http://www.wiresharkbook.com/101_samplepages/9781893939721-page60.pdf

However: There is no 'hosts2-ns' definition in the Wireshark services file, at least not since 1.6 (I did not check earlier versions). As the screenshot in the book shows 'hosts2-ns' as well, the author either used an older version of Wireshark or their own services file.

Anyway, if you add the port to the HTTP preferences, Wireshark will dissect port 81 as HTTP unless the HTTP dissector is disabled (Analyze -> Enabled Protocols -> HTTP).

Edit -> Preferences -> Protocols -> HTTP -> TCP Ports

Click on Apply and OK.

Regards
Kurt

answered 18 Oct '13, 10:11

Kurt Knochner ♦

edited 18 Oct '13, 11:27

Thanks Kurt. Yes I'm following the book and added 81 to the list of ports under Edit->Preferences->Protocols->HTTP->TCP Ports but it had no effect. I'm using 1.10.2 32-bit, I've tried the 64-bit version (first), and 1.8 as well.

(18 Oct '13, 10:21) Marc Ferreira

What is your OS?

(18 Oct '13, 10:26) Kurt Knochner ♦

Windows 7 Enterprise SP1.

(18 Oct '13, 10:59) Marc Ferreira

Did you close and re-open Wireshark (should not be necessary, but ...)?

(18 Oct '13, 11:01) Kurt Knochner ♦

Yes I tried re-loading the file, then closing and re-starting Wireshark. Port 81 still shows in the list of HTTP ports but the "Protocol" column still says TCP and the Destination Port is still interpreted as "hosts2-ns".

(18 Oct '13, 11:10) Marc Ferreira

And you did not disable the HTTP dissector, right?

Analyze -> Enabled Protocols -> HTTP

(18 Oct '13, 11:25) Kurt Knochner ♦
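
The two configuration checks discussed in this thread (port 81 in the HTTP TCP port list, HTTP dissector not disabled) can also be verified from the saved settings, as in this added example, which is not part of the original thread or of Wireshark itself. It assumes the `preferences` and `disabled_protos` files in the Wireshark personal configuration folder use the line formats shown in the constructed samples; the function names are hypothetical, and "Decode As" overrides are not covered.

```python
# Added example: function names and sample file contents are constructed.
import re

def parse_port_ranges(value):
    """Expand a Wireshark range string such as '80,3128,8000-8002' into a set of ints."""
    ports = set()
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def http_ports(preferences_text):
    """Return the ports from an uncommented 'http.tcp.port:' line, or None if absent."""
    for line in preferences_text.splitlines():
        m = re.match(r"\s*http\.tcp\.port:\s*(.*)$", line)
        if m:
            return parse_port_ranges(m.group(1))
    return None  # preference was never saved, so the built-in default applies

def http_disabled(disabled_protos_text):
    """True if 'http' is listed (assumed: one protocol name per line, '#' comments)."""
    names = (l.split("#", 1)[0].strip() for l in disabled_protos_text.splitlines())
    return "http" in names

def diagnose(port, preferences_text, disabled_protos_text):
    """List the reasons why 'port' would not be handed to the HTTP dissector."""
    findings = []
    ports = http_ports(preferences_text)
    if ports is None:
        findings.append("http.tcp.port not saved in preferences")
    elif port not in ports:
        findings.append(f"port {port} missing from http.tcp.port")
    if http_disabled(disabled_protos_text):
        findings.append("HTTP dissector is disabled")
    return findings or ["configuration looks correct"]

# Constructed sample inputs, not taken from the poster's machine.
SAMPLE_PREFS = "# HTTP\n#http.tcp.port: 80,3128\nhttp.tcp.port: 80,81,3128,8080-8088\n"
SAMPLE_DISABLED = "# disabled protocols\nhttp\n"

if __name__ == "__main__":
    for finding in diagnose(81, SAMPLE_PREFS, SAMPLE_DISABLED):
        print(finding)
```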