Wireshark-users: Re: [Wireshark-users] Detecting protocol headers


From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 6 Mar 2009 10:55:21 -0800


On Mar 6, 2009, at 10:08 AM, Stephen Fisher wrote:

Take a look at epan/dissectors/packet-udp.c in the source code. In
particular, the decode_udp_ports() function. The UDP dissector follows
the general method for finding the next dissector to call. In the case
of UDP, it uses the port number to find which dissector(s) has
registered itself on that UDP port and then calls it. If there is more
than one, it is expected that each one will do a heuristic check of
(usually) the first few bytes of the packet to determine if it should
accept the packet and if not, Wireshark gives it to the next dissector
registered on that port to see if it will accept it with a heuristic
check.

In addition, the UDP dissector has a list of purely-heuristic dissectors; depending on the setting of a preference, those are either called, one after another, before the UDP dissector tries dissectors based on port numbers (so that a heuristic dissector can grab traffic even if one of the ports it's coming from or going to has a UDP dissector for it) or after the UDP dissector tries dissectors based on port numbers. The heuristic dissectors are called regardless of the port number; they also check (usually) the first few bytes of the packet to decide whether to accept it or not.
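
Added example, not part of the original messages and not Wireshark's code: a simplified stand-alone model of the dispatch order described in this thread, showing how the preference changes which dissector claims the same payload. All names, the port number 5000, the "TOY1" magic and the sample payloads are constructed for illustration, and the port lookup is reduced to "either port matches".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not Wireshark's API: a dissector returns 1 to accept. */
typedef int (*dissector_fn)(const uint8_t *d, size_t len);
struct entry { uint16_t port; const char *name; dissector_fn fn; };

/* Each check confirms the length before reading the leading bytes. */
static int is_toy(const uint8_t *d, size_t len) { return len >= 4 && memcmp(d, "TOY1", 4) == 0; }
static int is_ver2(const uint8_t *d, size_t len) { return len >= 1 && d[0] == 0x02; }
static int accept_any(const uint8_t *d, size_t len) { (void)d; (void)len; return 1; }

/* Two dissectors registered on constructed port 5000; one port-independent heuristic. */
static const struct entry port_table[] = { {5000, "ver2", is_ver2}, {5000, "generic5000", accept_any} };
static const struct entry heur_list[] = { {0, "toy", is_toy} };

/* Constructed sample payloads. */
static const uint8_t toy_pkt[] = { 'T', 'O', 'Y', '1', 0x00, 0x2a };
static const uint8_t ver2_pkt[] = { 0x02, 0x10, 0x20 };
static const uint8_t short_pkt[] = { 'T', 'O' };

static const char *try_ports(uint16_t sport, uint16_t dport, const uint8_t *d, size_t len) {
    for (size_t i = 0; i < sizeof port_table / sizeof port_table[0]; i++) {
        const struct entry *e = &port_table[i];
        if ((e->port == sport || e->port == dport) && e->fn(d, len)) return e->name;
    }
    return NULL;
}

static const char *try_heur(const uint8_t *d, size_t len) {
    for (size_t i = 0; i < sizeof heur_list / sizeof heur_list[0]; i++)
        if (heur_list[i].fn(d, len)) return heur_list[i].name;
    return NULL;
}

/* heur_first models the preference; "data" means no dissector accepted. */
const char *dispatch(uint16_t sport, uint16_t dport, const uint8_t *d, size_t len, int heur_first) {
    const char *hit = heur_first ? try_heur(d, len) : try_ports(sport, dport, d, len);
    if (!hit) hit = heur_first ? try_ports(sport, dport, d, len) : try_heur(d, len);
    return hit ? hit : "data";
}

int main(void) {
    printf("%s\n", dispatch(40000, 5000, toy_pkt, sizeof toy_pkt, 1));     /* heuristic wins */
    printf("%s\n", dispatch(40000, 5000, toy_pkt, sizeof toy_pkt, 0));     /* port table wins */
    printf("%s\n", dispatch(5000, 40000, ver2_pkt, sizeof ver2_pkt, 1));   /* heuristic rejects */
    printf("%s\n", dispatch(40000, 7000, short_pkt, sizeof short_pkt, 1)); /* nobody accepts */
    return 0;
}
```

The same "TOY1" payload on port 5000 is labelled differently depending on the preference, which is worth keeping in mind when a capture shows a protocol that does not match the port's usual service.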
