Wireshark mailing list archives
Re: Wireshark Date interpretation (Alexander Schunk)
From: Paula Dufour <psdufour () gmail com>
Date: Sat, 12 Mar 2011 16:19:12 -0500
Message: 3
From: Alexander Schunk sysconsultcompany () googlemail com

Alexander> How can I detect the protocol? I need this for jurisdictional purposes.

When you use "netstat" the first column will tell you whether it is TCP. If you use "netstat -a", you'll see something similar to the following:

    C:\Windows\SYSTEM32>netstat

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    192.168.0.197:51273    iad04s01-in-f189:https ESTABLISHED

Here we have:

    TCP conversation
    192.168.0.197:51273    iad04s01-in-f189:https
    host_IP:PORT

51273 is a randomly selected port based on what's available on the localhost.
https is the label that is defined by c:\windows\system32\drivers\etc\services.

To see what comes out of the services file, just:

    C:\Windows\System32\drivers\etc>findstr https services
    https              443/tcp    MCom                   #HTTP over TLS/SSL
    https              443/udp    MCom                   #HTTP over TLS/SSL

In this case the state is ESTABLISHED; there are several other states, and there are flow charts in several textbooks that show how the TCP protocol changes state and under what conditions.

UDP is a little different as it doesn't have a state. So it looks something like this:

    UDP    192.168.0.197:137      *:*
    UDP    192.168.0.197:138      *:*
    UDP    192.168.0.197:2177     *:*

Here's how you define the protocol for the well known UDP services:

    C:\Windows\System32\drivers\etc>findstr 13[78] services
    netbios-ns         137/tcp    nbname                 #NETBIOS Name Service
    netbios-ns         137/udp    nbname                 #NETBIOS Name Service
    netbios-dgm        138/udp    nbdatagram             #NETBIOS Datagram Service

    C:\Windows\System32\drivers\etc>findstr 2177 services
    qwave              2177/tcp                          #QWAVE
    qwave              2177/udp                          #QWAVE Experiment Port

BTW: [MS-QDP]: Quality Windows Audio/Video Experience (qWave)

The c:\windows\system32\drivers\etc\services will contain any protocol/port pair that Microsoft decided should be in there.
You can edit this file and define any protocol/port pair you need to describe the services your enterprise provides.

Hope I didn't gild the lily,
Paula
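As an added example (not part of Paula's post), a small Python parser that reads a services-file excerpt and a netstat listing in the formats shown above and resolves the labels netstat prints (such as https) back to port numbers using the services table. The SERVICES and NETSTAT samples below are constructed for the example, not captured output.

```python
import re

# Constructed excerpt in the format of c:\windows\system32\drivers\etc\services
SERVICES = """\
https              443/tcp    MCom                   #HTTP over TLS/SSL
netbios-ns         137/udp    nbname                 #NETBIOS Name Service
netbios-dgm        138/udp    nbdatagram             #NETBIOS Datagram Service
qwave              2177/udp                          #QWAVE Experiment Port
"""

# Constructed "netstat -a" style listing with the same columns as the post
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.197:51273    iad04s01-in-f189:https ESTABLISHED
  UDP    192.168.0.197:137      *:*
  UDP    192.168.0.197:2177     *:*
"""

def parse_services(text):
    """Map (service name or alias, proto) -> port number, skipping comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:                       # skip comments and blank lines
            port, proto = fields[1].split("/")
            for label in [fields[0]] + fields[2:]: # aliases (nbname) resolve too
                table[(label, proto)] = int(port)
    return table

def parse_endpoint(addr, proto, services):
    """Split 'host:port' into (host, port_number, label); '*' stays None."""
    host, _, port_field = addr.rpartition(":")
    if port_field == "*":
        return (host, None, None)
    if port_field.isdigit():                       # ephemeral port, e.g. 51273
        return (host, int(port_field), None)
    # netstat printed the services-file label instead of the number
    return (host, services.get((port_field, proto)), port_field)

def parse_netstat(text, services):
    """Return (proto, local, foreign, state) tuples for each connection row."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?", line)
        if m:
            proto = m.group(1).lower()
            rows.append((proto, parse_endpoint(m.group(2), proto, services),
                         parse_endpoint(m.group(3), proto, services), m.group(4)))
    return rows
```

A label that has no entry for the connection's protocol resolves to None, which is how a locally edited services file with a missing tcp/udp line shows up.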
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe