|
When a TCP session is initialised or closed, the
TCP SYN & FIN handshakes shows the port numbers at the start of the Info
column in the Summary view within Wireshark. This always used to take the format
(in the case of a SYN) of the unresolved source port followed by the destination
resolved port. So you might see something like:-
4000 > http [SYN]
In recent versions of Wireshark this behaviour
seems to have changed, in that it tries to resolve the source port of the SYN as
well. The name it resolves it to (on my PC anyway) is often
misleading:-
qsnet-trans > http [SYN]
I have looked in the preferences, but cannot find
anywhere to force the info column to display this port unresolved (i.e. just
it's port number).
Is there a way to do this?
Keith French.
|