Wireshark-dev: Re: [Wireshark-dev] What kind of L7 protocols are dissected based on content identification?



From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 2 Mar 2009 09:55:46 -0800


On Mar 2, 2009, at 12:46 AM, 王睿思 wrote:

> For example: supposing a packet used the protocols "IP-TCP-RTSP", when
> dissecting, how can dissect_tcp() find that its subdissector is
> dissect_rtsp()? Is it based on port identification or content
> identification?

It depends on the protocol. In the case of RTSP, it's done by port identification; the RTSP dissector registers with the TCP dissector with two port numbers (defaulting to 554 and 8554).

Other dissectors register with various dissectors as "heuristic" dissectors; the heuristic dissectors get called, one after another, and each of them checks the beginning of the data in the packet to see if the packet looks as if it's a packet for their protocol - if it is, they dissect the packet and return TRUE, so that none of the other heuristic dissectors get called, otherwise they stop looking at the packet data and return FALSE.

> Besides, is there any method to know the data type in the application
> layer? (e.g. if we could find out whether the payload of RTSP is audio
> or video, and so on)

That depends on the protocol. The payload of RTSP is an RTSP message; that message might include a Content-Type: header that indicates what the payload type for the message being set up is.
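The two sub-dissector selection paths Guy describes, port registration and heuristic checks, modelled as an added, self-contained C example (not Wireshark's own code): a port table is consulted first, then each heuristic peeks at the start of the payload and the first one to return true wins, with anything unclaimed falling through to the generic "data" dissector. The HTTP and TLS heuristics, the payloads and the single-pass ordering are constructed simplifications; in Wireshark itself the equivalent registrations are made with dissector_add_uint("tcp.port", ...) and heur_dissector_add(...).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of TCP sub-dissector selection (assumption: the real
 * dispatcher has more rules, e.g. which of the two ports is tried first). */
typedef bool (*heur_fn)(const unsigned char *data, size_t len);

/* Port-registered dissectors: RTSP's two default TCP ports from the thread. */
struct port_entry { unsigned port; const char *proto; };
static const struct port_entry port_table[] = { { 554, "rtsp" }, { 8554, "rtsp" } };

/* Heuristic dissectors (constructed examples): each looks only at the start
 * of the payload and returns true if it looks like its protocol. */
static bool heur_http(const unsigned char *d, size_t n) {
    return n >= 5 && (memcmp(d, "GET ", 4) == 0 || memcmp(d, "HTTP/", 5) == 0);
}
static bool heur_tls(const unsigned char *d, size_t n) {
    return n >= 2 && d[0] == 0x16 && d[1] == 0x03; /* handshake record, version 3.x */
}
struct heur_entry { const char *proto; heur_fn fn; };
static const struct heur_entry heur_table[] = { { "http", heur_http }, { "tls", heur_tls } };

/* Returns the sub-dissector chosen for one TCP segment: port match first,
 * then heuristics in registration order, else the generic "data" dissector. */
const char *select_subdissector(unsigned src_port, unsigned dst_port,
                                const unsigned char *payload, size_t len) {
    for (size_t i = 0; i < sizeof port_table / sizeof *port_table; i++)
        if (port_table[i].port == src_port || port_table[i].port == dst_port)
            return port_table[i].proto;
    for (size_t i = 0; i < sizeof heur_table / sizeof *heur_table; i++)
        if (heur_table[i].fn(payload, len))   /* first one to claim the packet wins */
            return heur_table[i].proto;
    return "data";
}

int main(void) {
    const char *rtsp = "OPTIONS rtsp://example/stream RTSP/1.0\r\n"; /* constructed */
    const unsigned char tls[] = { 0x16, 0x03, 0x01, 0x00, 0x05 };     /* constructed */
    printf("%s\n", select_subdissector(50000, 554, (const unsigned char *)rtsp, strlen(rtsp)));
    printf("%s\n", select_subdissector(50001, 12345, tls, sizeof tls));
    printf("%s\n", select_subdissector(50002, 12345, (const unsigned char *)"\x01\x02", 2));
    return 0;
}
```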
  • References:
    • [Wireshark-dev] What kind of L7 protocols are dissected based on content identification?
      • From: 王睿思
