Keith French wrote:
> When a TCP session is initialised or closed, the TCP SYN & FIN
> handshakes shows the port numbers at the start of the Info column in the
> Summary view within Wireshark. This always used to take the format (in
> the case of a SYN) of the unresolved source port followed by the
> destination resolved port. So you might see something like:-
>
> 4000 > http [SYN]
>
> In recent versions of Wireshark this behaviour seems to have changed, in
> that it tries to resolve the source port of the SYN as well. The name it
> resolves it to (on my PC anyway) is often misleading:-
>
> qsnet-trans > http [SYN]
>
> I have looked in the preferences, but cannot find anywhere to force the
> info column to display this port unresolved (i.e. just its port number).
>
> Is there a way to do this?
I know you use Windows.
Assuming a recent enough version of Wireshark, there is a file called
"C:\Program Files\Wireshark\services"
Delete the lines for port numbers other than those services in which you
are interested.
Personally, I edit the registry and add these keys and values, so that
Windows behaves more like Unix, and then no well-known ports get used as
ephemerals:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:0000bfff
"ReservedPorts"=hex(7):31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,\
00,00,31,00,30,00,32,00,35,00,2d,00,33,00,32,00,37,00,36,00,37,00,00,00,00,\
00
In human readable form:
"MaxUserPort" Type:REG_DWORD Data: bfff(hex) 49151(decimal)
"ReservedPorts" Type: REG_MULTI_SZ Data: 1433-1434<enter>1025-32767
but that could be simplified to:
"ReservedPorts" Type: REG_MULTI_SZ Data: 1025-32767
--
There's no point in being grown up if you can't be childish sometimes.
-- Dr. Who
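As an added illustration (not part of the original thread), the script below decodes the REG_MULTI_SZ "ReservedPorts" blob from the .reg export above back into the ranges shown in the human-readable form, and then works out which ports would remain available as ephemerals. It assumes the pre-Vista Windows behaviour of choosing ephemeral ports from 1025 up to MaxUserPort while skipping anything listed in ReservedPorts; the function and constant names are mine.

```python
import re
from typing import List, Tuple

# Copy of the hex(7) data from the .reg export in the post (line continuations joined).
RESERVED_PORTS_HEX = (
    "31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,"
    "00,00,31,00,30,00,32,00,35,00,2d,00,33,00,32,00,37,00,36,00,37,00,00,00,00,"
    "00"
)
MAX_USER_PORT = 0x0000BFFF  # "MaxUserPort"=dword:0000bfff -> 49151


def decode_reg_multi_sz(hex_blob: str) -> List[str]:
    """Decode a .reg hex(7) value: UTF-16LE text, NUL-separated, double-NUL terminated."""
    raw = bytes(int(b, 16) for b in hex_blob.replace("\\", "").split(",") if b.strip())
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def parse_ranges(entries: List[str]) -> List[Tuple[int, int]]:
    """Turn entries like '1433-1434' or '80' into inclusive (low, high) tuples."""
    ranges = []
    for entry in entries:
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", entry.strip())
        if not m:
            raise ValueError(f"bad ReservedPorts entry: {entry!r}")
        low = int(m.group(1))
        high = int(m.group(2) or low)
        ranges.append((low, high))
    return ranges


def ephemeral_candidates(max_user_port: int, reserved: List[Tuple[int, int]]) -> List[int]:
    """Assumption: ephemerals are drawn from 1025..MaxUserPort, minus ReservedPorts."""
    return [
        port
        for port in range(1025, max_user_port + 1)
        if not any(low <= port <= high for low, high in reserved)
    ]


if __name__ == "__main__":
    entries = decode_reg_multi_sz(RESERVED_PORTS_HEX)
    free = ephemeral_candidates(MAX_USER_PORT, parse_ranges(entries))
    print(entries, free[0], free[-1])  # ['1433-1434', '1025-32767'] 32768 49151
```

Running it confirms the post's point: with these values every port below 32768 is off-limits for ephemerals, so Wireshark will no longer show a source port that happens to match a well-known service name.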