Wireshark mailing list archives

Re: "decode as" with wireshark


From: Guy Harris <guy () alum mit edu>
Date: Thu, 10 Dec 2009 19:53:33 -0800


On Dec 10, 2009, at 4:25 AM, Filipe Santos wrote:

> After this I decoded my UPnP ports with tshark with this code:
> tshark -r $inputfile -d tcp.port==$port,http
>
> but I want to see my capture with wireshark.
>
> Since wireshark doesn't have the -d (decode) option, how can I do it?

"Decode As..." is a menu item in Wireshark.  It's under the "Analyze" menu.

Select one of the UPnP packets, select Analyze -> Decode As..., select the "Transport" tab in the "Decode As" dialog 
that pops up, select the appropriate port (source or destination), select HTTP from the list of protocols, and click 
"OK".

Or run either Wireshark *or* TShark with the option

        -o http.tcp.port:80,3128,3132,8080,8088,11371,3689,1900,$port

although note that if you save your preferences while running Wireshark, the HTTP "TCP ports" preference will be set to 
the string in question, so that it'll dissect the port in question as HTTP.

(If you have multiple ports, append a comma-separated list of the ports to 
"http.tcp.port:80,3128,3132,8080,8088,11371,3689,1900".)

"-d" isn't currently in use as a Wireshark command-line option, so it might be worth looking into implementing it in 
the same way it's used in TShark.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
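
An added example, not part of the original message or of Wireshark: a shell helper that builds the "-o http.tcp.port:..." value described in the reply from the default list quoted there plus any extra ports, rejecting anything that is not a plain port number before it reaches the command line. The function names and the sample ports 49152 and 5000 are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical.
# Default list copied from the -o option quoted in the message above.
HTTP_DEFAULT_PORTS="80,3128,3132,8080,8088,11371,3689,1900"

# valid_port PORT: succeed only for a decimal integer in 1..65535.
# Rejects empty strings, leading zeros and any non-digit character, so a
# value such as "80,1" or "80;id" cannot alter the preference string.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# http_ports_pref PORT...: print "http.tcp.port:<defaults>[,<extra>...]".
# Ports already in the list are not appended a second time.
http_ports_pref() {
    list=$HTTP_DEFAULT_PORTS
    for p in "$@"; do
        if ! valid_port "$p"; then
            echo "invalid port: $p" >&2
            return 1
        fi
        case ",$list," in
            *",$p,"*) ;;               # already present, skip
            *) list="$list,$p" ;;
        esac
    done
    printf 'http.tcp.port:%s\n' "$list"
}

# Constructed sample ports. Pass the result to either program, e.g.:
#   tshark    -r "$inputfile" -o "$(http_ports_pref 49152 5000)"
#   wireshark -r "$inputfile" -o "$(http_ports_pref 49152 5000)"
http_ports_pref 49152 5000
```

As the reply notes, saving preferences from within Wireshark after starting it this way stores the extended list as the HTTP "TCP ports" preference.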

