I'm trying to monitor some web traffic using wireshark. Our web proxy is on port 9191. How can I get the wireshark view to treat port 9191 just like port 80 - ie as HTTP.
Just using Decode_As on the menu seems to allow half the conversation but only one side.
Any suggestions how to make this a permanent option?
-
If you go to Edit -> Preferences -> Protocols -> HTTP, you should find a list of ports that are considered to be HTTP. Add port 9191 to that list. I believe you have to re-start Wireshark and re-open your capture file or re-start your capture for this to take effect.
This is on the Windows version 1.0.3; it might be slightly different on other platforms. Obviously this isn't a generic way to alter the port to protocol mappings, but the authors of the http decoder seem to have recognized that people run it on many different ports.
From James F -
That's because it's only set up to decode it if one of the sides of the conversation is on port 9191.
You need to set it so it reads, "TCP Both". That way it'll decode TCP/9191 traffic as HTTP if the source port is 9191 or if the destination port is 9191.
From sysadmin1138 -
sysadmin1138 and James F's responses are both correct. James' response is probably "more correct" in this case since changes to the HTTP protocol preferences are sticky between runs of Wireshark. In version 1.2.0 and above, you can quickly jump to protocol prefs by right-clicking on items in the packet detail (middle) pane.
(Disclosure: I'm the lead developer)
From Gerald Combs
0 comments:
Post a Comment