
Wireshark 210: Dissectors - fixedByVonnie


Let’s say you had a full evening to yourself.  If you’re a student, you don’t have to study.  If you’re a husband you don’t have to do the chores, if you’re a wife with kids then you don’t have to watch them.  Why?  Because someone you love and trust is taking care of all the details for you.

How would you use this redeemed time?  A student might use it to live licentiously.  A husband might use it to veg out in front of the computer.  And a wife might use her free time to get a massage.   But do you know what I would do?

I would use it to play with Wireshark!  I love analyzing packets and seeing how things work.  But Wireshark is more than an entertainment tool for geeks.  You can use it to solve problems like network latency or even use it tighten up network security.

In this guide we’re going deep into the bowels of Wireshark by demystifying dissectors.  Just like you used a knife to dissect Kermit the frog in Chemistry class, Wireshark uses special dissectors to decode captured protocols.

Diligent Dissectors

Wireshark dissectors are the workhorses that make Wireshark useful.  They decode the information at each layer of the TCP/IP model.  For example, the Ethernet dissector shows you all the frame details and the Network layer dissector shows you everything you could possibly want to know about packets.

If you’ve been using Wireshark this far, then you’ve already been using dissectors (you just didn’t realize that’s what they’re called).

For example, the protocol layers you see in the details pane are the direct result of those industrious dissectors identifying your protocols.

Wireshark Dissectors

The dissectors look for clues in the PDUs and then make an educated guess about the type of data they see.  For example, if a dissector sees a TCP segment using well-known port 80, it assumes an HTTP traffic flow.  Web traffic typically traverses port 80, so it says,

Yup, this is web traffic

Dealing with dastardly ports

Just as people aren’t perfect, Wireshark isn’t perfect either.  Sometimes Wireshark doesn’t get it right.  If someone is using a non-standard port for something, Wireshark won’t be able to identify the traffic flow because it won’t know which dissector to use.

For example, if someone is using a non-standard port for SSH (which is recommended because it improves security), you’ll have a bunch of missing fields in the PDU details pane.  Or if someone uses a non-standard port for HTTP traffic, it won’t show up correctly.

In the graphic below you can see my computer at 10.0.0.51 is connecting to 10.0.0.1 over port 2222.

What the heck is port 2222?  Good question!  I made it up.

Non-standard ports

I set up a web server at 10.0.0.1 and told it to listen for incoming TCP requests on port 2222.  This really confuses the Wireshark dissector, and it can’t identify the traffic as HTTP.

To fix this, right-click the incorrectly identified item in the PDU list view and choose Decode As.

Wireshark Decode As

Then select the appropriate protocol from the list and click OK.

Wireshark Decode As again

Now the correct protocol will show up in the details pane.

Wireshark Dissectors in action
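To make the port-based guessing described under “Diligent Dissectors” and the Decode As fix above concrete, here is an added example in Python. It is not Wireshark’s code and not from the original post: it builds constructed TCP segments, picks a decoder from a small well-known-port table the way a port-keyed dissector table does, and applies a Decode As style override so that the web server on port 2222 is decoded as HTTP. The port table, the client port 51234 and the request bytes are assumptions made for the illustration.

```python
# Added example (not Wireshark's code): a toy port-based protocol identifier
# with a "Decode As" override table, run over constructed TCP segments.
import struct

# Well-known TCP ports, assumed for this illustration (a subset of IANA assignments).
WELL_KNOWN_PORTS = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}


def build_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal 20-byte TCP header (no options) followed by payload.
    Only the ports and data offset matter here; seq/ack/window/checksum are dummies."""
    data_offset_flags = (5 << 12) | 0x18          # 5 x 32-bit words, PSH|ACK
    header = struct.pack("!HHIIHHHH",
                         src_port, dst_port,
                         1, 0,                     # seq, ack (dummy values)
                         data_offset_flags,
                         65535, 0, 0)              # window, checksum, urgent pointer
    return header + payload


def parse_tcp_header(segment: bytes):
    """Return (src_port, dst_port, payload) from a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    src_port, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    return src_port, dst_port, segment[data_offset:]


def pick_dissector(src_port: int, dst_port: int, overrides=None) -> str:
    """Choose a higher-layer decoder the way a port-keyed dissector table does:
    user "Decode As" overrides win, then the well-known port table is consulted
    for either endpoint, otherwise the payload stays undecoded ("data")."""
    overrides = overrides or {}
    for port in (dst_port, src_port):
        if port in overrides:
            return overrides[port]
    for port in (dst_port, src_port):
        if port in WELL_KNOWN_PORTS:
            return WELL_KNOWN_PORTS[port]
    return "data"


def dissect(segment: bytes, overrides=None) -> dict:
    """Produce a summary like the details pane: the protocol chosen by port and,
    when the HTTP decoder is selected, the request line pulled from the payload."""
    src_port, dst_port, payload = parse_tcp_header(segment)
    protocol = pick_dissector(src_port, dst_port, overrides)
    summary = {"src_port": src_port, "dst_port": dst_port, "protocol": protocol}
    if protocol == "http":
        summary["request_line"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return summary


if __name__ == "__main__":
    # Constructed traffic: 10.0.0.51 (ephemeral port 51234) -> web server on 10.0.0.1:2222.
    request = b"GET / HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"
    seg = build_segment(51234, 2222, request)
    print(dissect(seg))                    # protocol 'data': port 2222 is unknown
    print(dissect(seg, {2222: "http"}))    # Decode As TCP port 2222 -> http
    print(dissect(build_segment(51234, 80, request)))  # well-known port 80 decodes as-is
```

Without the override the segment on port 2222 is reported as plain data, which is exactly the “missing fields” symptom described above; with the override the HTTP request line appears. The command-line equivalent of the Decode As dialog in tshark is the `-d` option, for example `tshark -d tcp.port==2222,http -r capture.pcap`. For anyone reviewing captures for security reasons, the takeaway is that the Protocol column is only a guess based on ports: traffic that a dissector could not identify is still traffic, so undecoded flows on unusual ports deserve a Decode As attempt rather than being ignored.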

That’s all for Dissectors.  In the next tutorial, you’ll learn all about Profiles but until then adios!
