Keith French wrote: > When a TCP session is initialised or closed, the TCP SYN & FIN > handshakes shows the port numbers at the start of the Info column in the > Summary view within Wireshark. This always used to take the format (in > the case of a SYN) of the unresolved source port followed by the > destination resolved port. So you might see something like:- > > 4000 > http [SYN] > > In recent versions of Wireshark this behaviour seems to have changed, in > that it tries to resolve the source port of the SYN as well. The name it > resolves it to (on my PC anyway) is often misleading:- > > qsnet-trans > http [SYN] > > I have looked in the preferences, but cannot find anywhere to force the > info column to display this port unresolved (i.e. just it's port number). > > Is there a way to do this?
I know you use Windows. Assuming a recent enough version of Wireshark, there is a file called "C:\Program Files\Wireshark\services" Delete the lines for port numbers other than those services in which you are interested. Personally, I edit the registry and add these keys and values, so that Windows behaves more like Unix, and then no well-known ports get used as ephemerals.: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] "MaxUserPort"=dword:0000bfff "ReservedPorts"=hex(7):31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,\ 00,00,31,00,30,00,32,00,35,00,2d,00,33,00,32,00,37,00,36,00,37,00,00,00,00,\ 00 In human readable form: "MaxUserPort" Type:REG_DWORD Data: bfff(hex) 49151(decimal) "ReservedPorts" Type: REG_MULTI_SZ Data: 1433-1434<enter>1025-32767 but that could be simplified to: "ReservedPorts" Type: REG_MULTI_SZ Data: 1025-32767 -- There's no point in being grown up if you can't be childish sometimes. -- Dr. Who _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users