John Walsh has asked how to configure Wireshark to treat traffic on port
1445 the same as traffic on port 445 (For example: "CIFS" aka SMB over TCP).
(see http://www.wireshark.org/lists/wireshark-users/200811/msg00167.html)
I've replied that this is currently not possible.
Looking at the code:
Wireshark registers TCP port 445 as (what I'll call) a "null" variant of
Netbios Session Service.
(The "null" variant is just a 4 byte framing header).
SMB/SMB2 are then considered be two possible protocols running over NBSS
(either the normal NBSS or the "null" version"). (
The code is written such that *only* traffic seen on port 445 will be
treated as the 4 byte framing header followed by a protocol such as
SMB/SMB2/MQ. Using NBSS for "decode as" will not work).
One approach to allowing the use of "decode-as" for the variant
registered to tcp port 445:
In packet-nbns.c
Register a new protocol:
Call it ??? (microsoft-ds ???)
Change the code so that there is a dissect_nbss and a dissect_???
The first calls the common main nbss code with an argument
is_cifs as FALSE; the second with an argument is_cifs = TRUE.
I believe the above would then allow a port other than 445 to
be dissected the same as port 445 (via decode-as for
the ??? protocol).
Will using this be confusing to those not familiar with the exact
details of the protocol layering ??
or:
Simpler: just provide a NBSS preference to set the
(??? "microsoft-ds) port (default of 445).
(The IANA port assignment document assigns port 445 (both TCP
& UDP) to "Microsoft-DS").
Comments ??
Bill