What is port filtering?
Port filtering is the way of filtering packets based on port number. To know more about filter by IP in Wireshark, please follow below link:
https://linuxhint.com/filter_by_ip_wireshark/
Intention of the article:
In this article we will try to understand some well know ports through Wireshark analysis.
What are the important ports?
There are many types of port. Here is the summary:
- Ports 0 to 1023 are Well-Known Ports.
- Ports 1024 to 49151 are Registered Ports.
- Ports 49152 to 65535 are Public Ports.
Analysis in Wireshark:
Before we use filter in Wireshark we should know what port is used for which protocol. Here are some examples:
| Protocol [Application] | Port Number |
| TCP [HTTP] | 80 |
| TCP [FTP Data] | 20 |
| TCP [FTP Control] | 21 |
| TCP/UDP [Telnet] | 23 |
| TCP/UDP [DNS] | 53 |
| UDP [DHCP] | 67,68 |
| TCP [HTTPS] | 443 |
1. Port 80: Port 80 is used by HTTP. Let’s see one HTTP packet capture.
Here 192.168.1.6 is trying to access web server where HTTP server is running. So destination port should be port 80. Now we put “tcp.port == 80” as Wireshark filter and see only packets where port is 80.
Here is the explanation screenshot
2. Port 53: Port 53 is used by DNS. Let’s see one DNS packet capture.
Here 192.168.1.6 is trying to send DNS query. So destination port should be port 53. Now we put “udp.port == 53” as Wireshark filter and see only packets where port is 53.
3. Port 443: Port 443 is used by HTTPS. Let’s see one HTTPS packet capture.
Now we put “tcp.port == 443” as Wireshark filter and see only HTTPS packets.
Here is the explanation with screenshot
4. Public/Registered port:
When we run only UDP through Iperf we can see both source and destination ports are used from registered/public ports.
Here is the screenshot with explanation
5. Port 67, 68: Port 67,68 is used by DHCP. Let’s see one DHCP packet capture.
Now we put “udp.dstport == 67 || udp.dstport == 68” as Wireshark filter and see only DHCP related packets.
Here is the explanation with screenshot
Summary:
For port filtering in Wireshark you should know the port number.
In case there is no fixed port then system uses registered or public ports. Port filter will make your analysis easy to show all packets to the selected port.
