Wireshark
the world's foremost network protocol analyzer
Wireshark-users: Re: [Wireshark-users] Protocol Identification using Payload Content
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 5 May 2008 16:52:35 -0700
On May 5, 2008, at 4:43 PM, Isara Anantavrasilp wrote:
So, you mean that when Wireshark tells me that packet X belongs to protocol Y, it doesnt use just transportation port?
Correct. There are many protocols that run atop TCP or UDP that aren't assigned to particular ports but that Wireshark needs to identify in packets.
I suppose I should look at the Wireshark code then.I hate to ask, but does anyone know where (roughly) these heuristics are?I believe they must be stored on some files, right?
The heuristics for a particular dissector are in the source code for that dissector. Look for dissectors whose registration routine calls heur_dissector_add().
The heuristics do *NOT* necessarily just look for a particular "signature". Not all protocols have a simple "signature"; a heuristic might check for packet lengths, the values of various fields, or both.
- References:
- [Wireshark-users] Protocol Identification using Payload Content
- From: Isara Anantavrasilp
- Re: [Wireshark-users] Protocol Identification using Payload Content
- From: Sake Blok
- Re: [Wireshark-users] Protocol Identification using Payload Content
- From: Isara Anantavrasilp
- [Wireshark-users] Protocol Identification using Payload Content
- Prev by Date: Re: [Wireshark-users] Protocol Identification using Payload Content
- Next by Date: Re: [Wireshark-users] HTTP/HTTPs sniffer
- Previous by thread: Re: [Wireshark-users] Protocol Identification using Payload Content
- Next by thread: [Wireshark-users] Tshark hardware requirements to capture all network traffic?
- Index(es):