{"id":198,"date":"2025-02-17T12:24:56","date_gmt":"2025-02-17T15:24:56","guid":{"rendered":"https:\/\/vargolino.com\/wp\/?p=198"},"modified":"2025-02-21T11:06:14","modified_gmt":"2025-02-21T14:06:14","slug":"change-decode-as-of-a-port-range-in-wireshark","status":"publish","type":"post","link":"https:\/\/vargolino.com\/wp\/?p=198","title":{"rendered":"Change “Decode as…” of a port range in Wireshark"},"content":{"rendered":"\n

When analyzing a network capture it is common to need to change how a stream is being treated by Wireshark, either because the port assignment is dynamic or is not supported, or both.<\/p>\n\n\n\n

It is possible to change this, one stream at a time, and each time the whole capture needs to be rescanned. This time can add up.<\/p>\n\n\n\n

This is an example of how to change the internal dissector of a UDP port range (30000-60000) to RTP.<\/p>\n\n\n\n

Open the menu, Tools > Lua Console<\/code><\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Paste this code:<\/p>\n\n\n\n

local udp_port = DissectorTable.get(\"udp.port\")\nlocal rtp = Dissector.get(\"rtp\")\nudp_port:add(\"30000-60000\", rtp)\nreload_lua_plugins()\nprint(\"Done\")<\/code><\/pre>\n\n\n\n
Click Evaluate<\/code><\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
It will rescan the file and all UDP streams in the range will be interpreted as an RTP stream.<\/p>\n\n\n\n
This was based on the example available here:
https:\/\/wiki.wireshark.org\/Lua\/Examples#using-lua-to-register-protocols-to-more-ports<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
When analyzing a network capture it is common to need to change how a stream is being treated by Wireshark, either because the port assignment is dynamic or is not supported, or both. It is possible to change this, one stream at a time, and each time the whole capture needs to be rescanned. This … <\/p>\n
Continue reading “Change “Decode as…” of a port range in Wireshark”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[7],"class_list":["post-198","post","type-post","status-publish","format-standard","hentry","category-solution","tag-howto","entry"],"_links":{"self":[{"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/198","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=198"}],"version-history":[{"count":5,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/198\/revisions"}],"predecessor-version":[{"id":210,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/198\/revisions\/210"}],"wp:attachment":[{"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=198"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=198"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vargolino.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=198"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}