How to Permanently Configure Wireshark to Decode Custom Port (9191) as HTTP Protocol



When web traffic uses a non-standard port (like 9191 instead of the default HTTP port 80), Wireshark won't automatically decode it as HTTP. The port has to be configured manually so that Wireshark interprets the protocol properly.

The Decode As feature works for current sessions but doesn't persist between Wireshark restarts. For continuous monitoring of proxy traffic on port 9191, we need a more permanent solution.

For a user-specific permanent setting:

1. Go to Edit → Preferences
2. Select "Protocols" in the left panel
3. Scroll to and select "HTTP"
4. In "TCP ports", add "9191" (comma-separated if multiple ports)
5. Click OK to save

For system-wide changes or advanced configuration, edit Wireshark's preferences file:

# Linux/macOS: ~/.config/wireshark/preferences
# Windows: %APPDATA%\Wireshark\preferences

# Add this line:
http.tcp.ports: 80,9191

After making changes:

  1. Restart Wireshark
  2. Capture traffic on port 9191
  3. Check if packets show as HTTP in the protocol column
  4. Right-click a packet → Follow → TCP Stream should show decoded HTTP

For complete conversation decoding:

  • Ensure both client and server ports are included
  • For dynamic ports, you may need to specify port ranges
  • Use display filters like tcp.port==9191 to focus on proxy traffic

If problems persist:

  • Check for port conflicts in other protocol settings
  • Verify no SSL/TLS encryption is being used (would require different decoding)
  • Test with known HTTP traffic first to validate the configuration

When analyzing web traffic in Wireshark, we often encounter situations where HTTP traffic runs on non-standard ports. While Wireshark automatically decodes port 80 as HTTP, custom ports like 9191 (common for web proxies) require manual configuration. The temporary "Decode As" feature works but doesn't persist between sessions.

To make Wireshark permanently recognize port 9191 as HTTP:

  1. Navigate to Edit → Preferences → Protocols → HTTP
  2. In the "TCP Ports" field, append ,9191 to the existing ports
  3. Click OK to save the configuration

After configuration, capture some traffic on port 9191. Right-click any packet and select "Follow → TCP Stream". You should see properly formatted HTTP headers and content. For example:

GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html

For more complex scenarios, you can create decode rules in Wireshark's configuration files. Edit preferences in your Wireshark profile directory:

# In wireshark/preferences
http.tcp.ports: 80,8080,9191,8888

If decoding doesn't work:

  • Ensure no SSL/TLS encryption is present (or configure SSL decryption)
  • Verify the traffic is actually HTTP protocol
  • Check for port conflicts in Wireshark's protocol preferences
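Both troubleshooting lists above say to rule out TLS and to confirm that the traffic really is HTTP. The following Python check is an added example, not part of the original page: it classifies the first payload bytes of a stream on the custom port. The function names, advice strings and sample payloads are constructed for illustration.

```python
import re

# HTTP/1.x start lines: "METHOD target HTTP/x.y" and "HTTP/x.y NNN reason"
_REQUEST = re.compile(rb"^([A-Z]{3,16}) \S+ HTTP/\d\.\d\r?\n")
_RESPONSE = re.compile(rb"^HTTP/\d\.\d \d{3}[ \r\n]")

def classify_payload(data: bytes) -> str:
    """Classify the first bytes one side sent on the custom port."""
    # TLS record header: type 0x16 (handshake), version 3.x, 2-byte length
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        if 0 < int.from_bytes(data[3:5], "big") <= 0x4000:
            return "tls"
    match = _REQUEST.match(data)
    if match:
        # CONNECT asks the proxy for a tunnel; what follows is usually TLS
        return "http-connect" if match.group(1) == b"CONNECT" else "http-request"
    if _RESPONSE.match(data):
        return "http-response"
    return "unknown"

ADVICE = {
    "http-request": "plain HTTP: the HTTP port preference is enough",
    "http-response": "plain HTTP: the HTTP port preference is enough",
    "http-connect": "proxy tunnel: later bytes are opaque tunnel data, often TLS",
    "tls": "encrypted: the port preference alone will not show HTTP",
    "unknown": "not HTTP/1.x or TLS: check what really runs on this port",
}

def from_hex(text: str) -> bytes:
    """Convert hex copied from a capture (any whitespace) to bytes."""
    return bytes.fromhex("".join(text.split()))

# Constructed sample payloads (first bytes of a stream), not real captures
SAMPLES = {
    "GET via proxy port": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "CONNECT via proxy": b"CONNECT example.com:443 HTTP/1.1\r\n\r\n",
    "TLS ClientHello": from_hex("16 03 01 00 c8 01 00 00 c4 03 03"),
    "other protocol": b"SSH-2.0-OpenSSH_9.6\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        kind = classify_payload(payload)
        print(f"{name:20} {kind:14} {ADVICE[kind]}")
```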

For enterprise deployments, you can script this configuration using Wireshark's command-line options or by distributing custom preference files. Example batch command:

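@echo off
rem Per-user Wireshark configuration directory
set "WS_PROFILE=%APPDATA%\Wireshark"
rem Append only if no http.tcp.ports line exists yet, so reruns add no duplicates
findstr /b /c:"http.tcp.ports:" "%WS_PROFILE%\preferences" >nul 2>&1 || >>"%WS_PROFILE%\preferences" echo http.tcp.ports: 80,8080,9191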