Wireshark
the world's foremost network protocol analyzer
Wireshark-dev: [Wireshark-dev] Using port numbers to determine next dissector
From: Rayne <hjazz6@xxxxxxxxx>
Date: Mon, 6 Apr 2009 22:55:36 -0700 (PDT)
| Hi all, I understand that Wireshark uses 2 ways to determine what dissector to call next, in the event that there is no "Next Protocol" field or the equivalent - by looking at the port numbers of current layer, or at a list of heuristic dissectors. What happens if there are no heuristic dissectors to look at and there are other traffic that also uses the port registered to a particular protocol? For example, say ProtoA is registered to UDP port 5000. If I have some non-ProtoA traffic that also uses UDP port 5000, would these traffic be wrongly dissected by ProtoA dissector? Also, I noticed that traffic that uses TCP ports 2123 and 2152 are classified as GTP traffic (I'm using Wireshark 0.99.6). However, if I'm not wrong, the 3GPP specs state that GTP traffic only uses UDP ports 2123 and 2152, not TCP (well, GTP version 1 anyway, version 0 and GTP' can use both TCP/UDP port 3386). Thank you. |
- Follow-Ups:
- Re: [Wireshark-dev] Using port numbers to determine next dissector
- From: Guy Harris
- Re: [Wireshark-dev] Using port numbers to determine next dissector
- References:
- [Wireshark-dev] Wrong FCS in 802.11 capture
- From: Gisle Vanem
- [Wireshark-dev] Wrong FCS in 802.11 capture
- Prev by Date: [Wireshark-dev] Wrong FCS in 802.11 capture
- Next by Date: Re: [Wireshark-dev] Using port numbers to determine next dissector
- Previous by thread: [Wireshark-dev] Wrong FCS in 802.11 capture
- Next by thread: Re: [Wireshark-dev] Using port numbers to determine next dissector
- Index(es):