Ethereal-users: Re: [Ethereal-users] Port value
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Fri, 4 Jul 2003 21:19:45 +0200
Micahel Vanden Bossche wrote:

>Does someone know why the source or destination port numbers sometimes
>contain a protocol name (e.g.: POP3)?
>When it happens the protocol value is TCP.

I'm not completely sure about the details but there is some kind of a port-to-service mapping in many OSes, I think. On my Windows 98 PC this seems to be based on the file C:\Windows\Services (I just tried adding some new services to that file and they were actually used later on - I haven't tried that before). In Unix/Linux it's the /etc/services file that is used.

This also means that you can use a capture filter "tcp port \michel" if michel is defined in the Services file.

If you have "Enable transport name resolution" enabled in "Edit/Preferences.../Name Resolution" then the port numbers will normally be mapped according to the entries in the Services file and shown with their corresponding names.

The port-to-service mapping can be useful if Ethereal doesn't recognize a certain protocol or you expect that the protocol is misinterpreted or similar. Instead of having to look up the port numbers in the IANA tables manually you can get it automatically if the services file contains the information. However, just because IANA has registered the port number it's not sure that the port is only used for that protocol, so you should use the information with care - and maybe also update the file to suit your specific network.

My services file contains just a few entries right now. Some other people are using a services file with many entries:
http://www.ethereal.com/lists/ethereal-dev/199912/msg00339.html

I would probably base mine on the latest IANA list (but probably edit some of the entries):
http://www.iana.org/assignments/port-numbers

For a TCP connection the client side of the connection will normally use any port value in the range 1024 - 30000, or similar. So you will normally get several false indications for the client side for a TCP connection, and sometimes also for the server side. Port number 5000 is reserved for commplex-main but is often used for other services also (Sybase databases, ....). There are protocols, for example RTP, that can be sent on almost any UDP port number (1024 and upwards).

Ethereal uses different methods to decide what protocol dissector should be called - in some cases it's the tcp/udp port numbers that are used to determine that. There is also something that is called heuristic dissectors that e.g. look at the octet data to see if it looks like a certain protocol.

Please note that the port number column can be either "Port number (resolved)" or "Port number (unresolved)", so you can get either of them or both in the summary printout if you add/edit the columns with Edit/Preferences.../Columns.
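
The services-file lookup and the client-port false indication described in the message above, as an added example that is not part of the original post and is not Ethereal's own code. The sample file contents, the `michel` entry on port 4321, the function names and the "unverified" rule are assumptions made for illustration.

```python
# Added illustration: parse services-file text and label both ports of a flow.
# SAMPLE_SERVICES is constructed for this example; a real file is much longer.
SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases]
pop3            110/tcp        pop-3
commplex-main   5000/tcp
commplex-main   5000/udp
michel          4321/tcp       # hypothetical local entry
"""

def parse_services(text):
    """Return {(port, proto): name} from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2 or "/" not in fields[1]:
            continue                              # blank or malformed line
        port, _, proto = fields[1].partition("/")
        if port.isdigit():
            # Keep the first entry seen for a given port/protocol pair.
            table.setdefault((int(port), proto.lower()), fields[0])
    return table

def label_flow(table, proto, src_port, dst_port, well_known_max=1023):
    """Resolve both ports and mark names that deserve a second look.

    A name on a port above well_known_max is marked 'unverified' when the
    other port of the flow is a named well-known port: the high port is then
    most likely the client's arbitrary port, not that service.
    """
    def name(port):
        return table.get((port, proto))
    out = {}
    for side, port, other in (("src", src_port, dst_port),
                              ("dst", dst_port, src_port)):
        resolved = name(port)
        if resolved is None:
            out[side] = (str(port), "unresolved")
        elif port > well_known_max and other <= well_known_max and name(other):
            out[side] = (resolved, "unverified")
        else:
            out[side] = (resolved, "resolved")
    return out

TABLE = parse_services(SAMPLE_SERVICES)
if __name__ == "__main__":
    # Constructed flow: a POP3 client that happened to pick source port 5000.
    print(label_flow(TABLE, "tcp", 5000, 110))
    print(label_flow(TABLE, "tcp", 40000, 4321))
```
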