Wireshark-users: Re: [Wireshark-users] Wireshark Date interpretation (Alexander Schunk)

From: Paula Dufour <psdufour@xxxxxxxxx>
Date: Sat, 12 Mar 2011 16:19:12 -0500
Message: 3
From: Alexander Schunk sysconsultcompany@xxxxxxxxxxxxxx
Alexander>How can I detect the protocol?  I need this for jurisdictional purposes.
When you use "netstat" the first column will tell you whether it is TCP.
If you use "netstat -a", you'll see something similar to the following:
C:\Windows\SYSTEM32>netstat
Active Connections
  Proto  Local Address          Foreign Address        State
---------------------------------------------------------------------------------------------
TCP    192.168.0.197:51273    iad04s01-in-f189:https  ESTABLISHED
---------------------------------------------------------------------------------------------
Here we have:
TCP conversation 192.168.0.197:51273    iad04s01-in-f189:https 
host_IP:PORT
51273 is a randomly selected port based on what's available on the localhost
https is the label that is defined by c:\windows\system32\drivers\etc\services
To see what comes out of the services file, just:
C:\Windows\System32\drivers\etc>findstr https services
https             443/tcp    MCom                   #HTTP over TLS/SSL
https             443/udp    MCom                   #HTTP over TLS/SSL
In this case the state is ESTABLISHED; there are several other states, and
there are flow charts in several textbooks that show how the TCP protocol
changes state and under what conditions.
UDP is a little different as it doesn't have a state.  So it looks something like this:
UDP    192.168.0.197:137      *:*
UDP    192.168.0.197:138      *:*
UDP    192.168.0.197:2177     *:*

Here's how you define the protocol for the well-known UDP services:
C:\Windows\System32\drivers\etc>findstr 13[78] services
netbios-ns        137/tcp    nbname                 #NETBIOS Name Service
netbios-ns        137/udp    nbname                 #NETBIOS Name Service
netbios-dgm       138/udp    nbdatagram             #NETBIOS Datagram Service
C:\Windows\System32\drivers\etc>findstr 2177 services
qwave            2177/tcp                           #QWAVE
qwave            2177/udp                           #QWAVE Experiment Port
 
BTW:[MS-QDP]: Quality Windows Audio/Video Experience (qWave)
The c:\windows\system32\drivers\etc\services will contain any protocol/port pair that Microsoft decided should be in there.  You can edit this file and define any protocol/port pair you need to describe the services your enterprise provides.
Hope I didn't gild the lily,
Paula
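Added example, not part of Paula's message or of the Wireshark project: a small Python parser that applies the lookup she describes, resolving netstat endpoints (numeric ports, labels such as https, and the *:* of UDP sockets) through the services-file format quoted above. Both input samples are constructed from the lines shown in the message.

```python
# Added example (not from the thread): resolve netstat endpoints to port
# numbers and service names via the services-file format quoted above.
SERVICES_SAMPLE = """\
https             443/tcp    MCom                   #HTTP over TLS/SSL
netbios-ns        137/udp    nbname                 #NETBIOS Name Service
netbios-dgm       138/udp    nbdatagram             #NETBIOS Datagram Service
qwave            2177/udp                           #QWAVE Experiment Port
"""
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.197:51273    iad04s01-in-f189:https  ESTABLISHED
  UDP    192.168.0.197:137      *:*
  UDP    192.168.0.197:2177     *:*
"""

def parse_services(text):
    """Map (port, proto) -> name and (name or alias, proto) -> port."""
    by_port, by_name = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop trailing comment
        if len(fields) < 2 or "/" not in fields[1]:
            continue                               # blank or malformed line
        port, proto = fields[1].split("/", 1)
        key = (int(port), proto.lower())
        by_port[key] = fields[0]
        for alias in fields[:1] + fields[2:]:      # name plus aliases (MCom, nbname)
            by_name[(alias.lower(), key[1])] = key[0]
    return by_port, by_name

def split_endpoint(endpoint, proto, by_name):
    """'host:1234', 'host:https' or '*:*' -> (host, numeric port or None)."""
    host, _, port = endpoint.rpartition(":")       # rpartition keeps IPv6 [..]
    if port.isdigit():
        return host, int(port)
    return host, by_name.get((port.lower(), proto))  # label -> number, '*' -> None

def parse_netstat(text, services_text):
    """Turn netstat -a output into rows with numeric ports and service names."""
    by_port, by_name = parse_services(services_text)
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue                               # header and blank lines
        proto = f[0].lower()
        lhost, lport = split_endpoint(f[1], proto, by_name)
        fhost, fport = split_endpoint(f[2], proto, by_name)
        rows.append({"proto": proto, "local": (lhost, lport),
                     "local_service": by_port.get((lport, proto)),  # None: ephemeral
                     "foreign": (fhost, fport),
                     "state": f[3] if len(f) > 3 else None})         # UDP: no state
    return rows
```

A local port with no services entry (51273 above) comes back with local_service None, which is the ephemeral-port case Paula describes.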