Wireshark
the world's foremost network protocol analyzer
Wireshark-dev: Re: [Wireshark-dev] how recognise a udp packet data part is sip packet?
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Tue, 2 Jun 2009 14:04:43 -0600
On Tue, Jun 02, 2009 at 05:44:45PM +0800, zhangchuangde@xxxxxxxxxxxxxxx wrote: > I know when a tcp/udp/tls packet's port is 5060/5061, the protocol > analyzer will dissect it into sip protocol. > however, as the first packet in the accessory, its src port is 6304 > and dst port is 6090, and this packet is also dissected into sip > protocol.how wireshark know this packet is a sip packet? > can you tell me how and why? thanks a lot! The SIP dissector not only registers itself on ports 5060 & 5061, but it also registers itself as a heuristic dissector. A heuristic dissector looks at all specified packets (in SIP's case this is udp, tcp, sctp and stun2) and makes an attempt to determine if that each packet is a SIP packet no matter what port it is on. This is how it is finding SIP on other ports. Steve
- References:
- [Wireshark-dev] how recognise a udp packet data part is sip packet?
- From: zhangchuangde
- [Wireshark-dev] how recognise a udp packet data part is sip packet?
- Prev by Date: [Wireshark-dev] buildbot failure in Wireshark (development) on OSX-10.5-x86
- Next by Date: Re: [Wireshark-dev] Wireshark can't read PcapNG file
- Previous by thread: [Wireshark-dev] 答复: how recognise a udp packet data part is sip packet?
- Next by thread: [Wireshark-dev] Help decrypting 802.1x PEAP Traffic
- Index(es):