This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dicom transfers

1

A lot of dicom transfers happen on tcp ports other than port 104. Is there a way to change this port within the dicom expression filter, or copy the filter and change the port that the expression looks at.

asked 17 Apr '11, 20:55

Vern's gravatar image

Vern
16112
accept rate: 0%


One Answer:

2

The filter is irrelevant to the port for DICOM. A filter does a lot less than some people appear to think it does - it just lets you test whether, in a particular packet, a given field is present, or lets you test the value of the field. It does not let you change the way a packet is dissected, or change what particular ports are dissected as.

To change the port or ports that are dissected as DICOM, change the DICOM "DICOM Ports" preference or the DICOM "Search on any TCP port" preference. To change the preferences for DICOM, select "Preferences" from the "Edit" menu, open up the "Protocols" list, and select "DICOM" from the list of protocols. The "DICOM Ports" preference can be set to a single port number, a port range (two port numbers with a hyphen between them, specifying all port numbers starting with the first and ending with the second, or a comma-separated list of port numbers or port ranges. If you turn on the "Search on any TCP port" preference, Wireshark will attempt to recognize DICOM packets on any TCP port; it may fail to recognize them, or it may mistakenly think some non-DICOM packet are DICOM packets (computers aren't necessarily very smart at doing that kind of packet recognition).

answered 17 Apr '11, 22:14

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%