This is a very brief post describing how I learnt of a new Wireshark feature.

A colleague handed me a pcap to help him with some quick analysis of it; it was quite small, 1.2 MB. The pcap had been obtained from a compromised machine during a pentest.

Scrolling through it quickly, I started seeing a pattern in the pcap: several TCP connections to TCP port 3307.

My intuition immediately pointed to TCP port 3306, the default port for the MySQL protocol. To confirm this I checked the raw data in the TCP payload.

MySQL query

Armed with this knowledge, I started googling how to decode protocols on non-default ports, but all I found were long Wireshark tutorials.

Fumbling around with the Wireshark menus, I found the solution, which is quite easy.

Head over to the Analyze menu -> Decode As...

Add a new decode rule by clicking the + sign at the bottom, set Field to TCP, set Value to 3307 (or whatever port you are trying to decode), then set Current to MySQL (or whatever protocol you suspect). Save and have fun analyzing the protocol.
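Two pieces of the post lend themselves to code: the "check the raw TCP payload" step that confirmed the traffic was MySQL, and the Decode As rule itself, which tshark accepts on the command line as `-d tcp.port==3307,mysql`. The script below is an added example, not code from the post or from the Wireshark project. It parses the MySQL client command packet layout (3-byte little-endian length, 1-byte sequence id, then a command byte such as 0x03 for COM_QUERY followed by the query text), rejects payloads that do not fit that layout, and builds the matching tshark argument. The sample payloads are constructed here, not taken from the author's capture, and the parser covers only the classic command form without MySQL 8 query attributes.

```python
from typing import Optional, Tuple

# MySQL client command bytes from the client/server protocol.
COM_QUIT = 0x01
COM_INIT_DB = 0x02
COM_QUERY = 0x03
COM_PING = 0x0E

COMMAND_NAMES = {
    COM_QUIT: "COM_QUIT",
    COM_INIT_DB: "COM_INIT_DB",
    COM_QUERY: "COM_QUERY",
    COM_PING: "COM_PING",
}


def parse_mysql_command(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (command_name, argument) if the TCP payload looks like a complete
    MySQL client command packet, otherwise None.

    Layout: 3-byte little-endian length, 1-byte sequence id, then the body,
    whose first byte is the command and whose remainder is the argument
    (the SQL text for COM_QUERY, the schema name for COM_INIT_DB).
    """
    if len(payload) < 5:
        return None
    length = int.from_bytes(payload[0:3], "little")
    seq = payload[3]
    body = payload[4:]
    # The length field must describe exactly the bytes that follow the header;
    # a mismatch usually means this is not MySQL, or not a whole packet.
    if length == 0 or length != len(body):
        return None
    # A client command starts a new exchange, so its sequence id is 0.
    if seq != 0:
        return None
    cmd = body[0]
    if cmd not in COMMAND_NAMES:
        return None
    arg = body[1:]
    if cmd in (COM_QUIT, COM_PING) and arg:
        return None  # these commands carry no argument
    try:
        text = arg.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return COMMAND_NAMES[cmd], text


def build_mysql_command(cmd: int, arg: bytes = b"") -> bytes:
    """Build a client command packet; used here only to construct sample data."""
    body = bytes([cmd]) + arg
    return len(body).to_bytes(3, "little") + b"\x00" + body


def tshark_decode_as(port: int, protocol: str = "mysql") -> str:
    """The tshark -d argument equivalent to Analyze -> Decode As... in the GUI,
    e.g. tshark -r capture.pcap -d tcp.port==3307,mysql
    """
    return f"tcp.port=={port},{protocol}"


# Constructed sample payloads (not from the post's capture): one MySQL query
# as it would appear on port 3307, and one HTTP request that must be rejected.
SAMPLE_QUERY = build_mysql_command(COM_QUERY, b"SELECT user, host FROM mysql.user")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for label, pkt in (("query", SAMPLE_QUERY), ("http", SAMPLE_HTTP)):
        print(label, parse_mysql_command(pkt))
    print("tshark -r capture.pcap -d", tshark_decode_as(3307))
```

Once the payload check says "MySQL", the same rule can be applied without the GUI: `tshark -r capture.pcap -d tcp.port==3307,mysql -Y mysql` dissects every flow on that port with the MySQL dissector, which is convenient when the same capture has to be re-examined or scripted later.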

New Decode

And here we go, fully analyzed and dissected.

Protocol successfully dissected.