Layer 3 Protocol only in wireshark

protocolswireshark

I have a simple question:

is there any way in wireshark to avoid resolution of protocol besides the protocol of layer 3 ?

For example, in the column protocol, instead of showing http, I want it to show TCP or it's value (6).

I can see in menu analyse / enabled protocols we can disable one by one, but for very big traces with lots of differente protocols like "eDonkey" "QUAKE" etc, it's costs a lot of time…

Best Answer

In the latest wireshark (1.8 or so) at least, after opening the "Enabled Protocols..." dialog, you can just click on "Disable All" and then enable only the few protocols that you need. Mostly this will be:

SLL - Linux cooked-mode capture - so you can read the file
IPv4 (or IPv6) - your layer 2 protocols
TCP, UDP, ARP - your layer 3 protocols

Clicking on about six checkboxes is not too bad, is it?

Related Solutions

Wireshark – Changing Protocol Associated with Port

If you go to Edit -> Preferences -> Protocols -> HTTP, you should find a list of ports that are considered to be HTTP. Add port 9191 to that list. I believe you have to re-start Wireshark and re-open your capture file or re-start your capture for this to take effect.

This is on the Windows version 1.0.3; it might be slightly different on other platforms. Obviously this isn't a generic way to alter the port to protocol mappings, but the authors of the http decoder seem to have recognized that people run it on many different ports.

How to filter http traffic in Wireshark

Ping packets should use an ICMP type of 8 (echo) or 0 (echo reply), so you could use a capture filter of:

icmp

and a display filter of:

icmp.type == 8 || icmp.type == 0

For HTTP, you can use a capture filter of:

tcp port 80

or a display filter of:

tcp.port == 80

or:

http

Note that a filter of http is not equivalent to the other two, which will include handshake and termination packets.

If you want to measure the number of connections rather than the amount of data, you can limit the capture or display filters to one side of the communication. For example, to capture only packets sent to port 80, use:

dst tcp port 80

Couple that with an http display filter, or use:

tcp.dstport == 80 && http

For more on capture filters, read "Filtering while capturing" from the Wireshark user guide, the capture filters page on the Wireshark wiki, or pcap-filter (7) man page. For display filters, try the display filters page on the Wireshark wiki. The "Filter Expression" dialog box can help you build display filters.

Best Answer

Related Solutions

Wireshark – Changing Protocol Associated with Port

How to filter http traffic in Wireshark

Related Topic