Wireshark-users: Re: [Wireshark-users] "decode as" with wireshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 10 Dec 2009 19:53:33 -0800

On Dec 10, 2009, at 4:25 AM, Filipe Santos wrote:

> After this I decoded my UPnP ports with tshark with this code:
> tshark -r $inputfile -d tcp.port==$port,http
> 
> but I want to see my capture with wireshark.
> 
> Since wireshark doesn't have the -d (decode) option. How can I do it?

"Decode As..." is a menu item in Wireshark.  It's under the "Analyze" menu.

Select one of the UPnP packets, select Analyze -> Decode As..., select the "Transport" tab in the "Decode As" dialog that pops up, select the appropriate port (source or destination), select HTTP from the list of protocols, and click "OK".

Or run either Wireshark *or* TShark with the option

	-o http.tcp.port:80,3128,3132,8080,8088,11371,3689,1900,$port

although note that if you save your preferences while running Wireshark, the HTTP "TCP ports" preference will be set to the string in question, so that it'll dissect the port in question as HTTP.

(If you have multiple ports, append a comma-separated list of the ports to "http.tcp.port:80,3128,3132,8080,8088,11371,3689,1900".)

"-d" isn't currently in use as a Wireshark command-line option, so it might be worth looking into implementing it in the same way it's used in TShark.