Wireshark-dev: Re: [Wireshark-dev] Not able to apply diaplay filter for Gnutella

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Fri, 27 Apr 2007 15:19:57 +0800


S H wrote:
Thanks for the reply.
I have 2 Gnutella clients Bearshare and Limewire. I start these P2P applications. start Wireshark sniffing tool, and capture packets. I want to sort these captured packets by protocol name. I tried "gnutella" string as a display filter. It filtered out all the packet, the result is nothing. But if I sort packets by port number, I am getting some result for ex if I applied tcp.port==6346 (Gnutella port number), as a display filter, I am getting filtered output with port number 6346. I tried Kazaa also, no result with the protocol name. Bittorrent is working with "bittorrent" as a display filter string.

Hmm, the Gnutella dissector registers for TCP port 6346 so it looks like it should be picking up those packets. What is Wireshark labeling those packets on port 6346? (What does the Info column say?)

Do you have the TCP option "Try heuristic subdissectors first?" (Edit->Preferences->Protocols->TCP) turned on? If so, try turning it off.

If that doesn't help you could try sending a small sample capture to the mailing list.