Wireshark-dev: Re: [Wireshark-dev] Protocol identification for msnms
From: "Trivedi, Nirav" <[email protected]>
Date: Wed, 13 Dec 2006 10:53:10 -0500
Thanks!  If I wanted to look at other protocols and how the
identification is made for each one, is there an easier way than to
read through source code?  Is the information published somewhere?

-Nirav
 

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of ronnie
sahlberg
Sent: Tuesday, December 12, 2006 6:39 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Protocol identification for msnms

wireshark detects when msnms is transported atop HTTP by looking at
the content-type of the HTTP header.

If content-type is "application/x-msn-messenger" then the payload
inside the HTTP packet is deemed to be msnms.

see proto_reg_handoff_msnms() in packet-msn-messenger.c



On 12/12/06, Trivedi, Nirav <[email protected]> wrote:
> Applying the filter: msnms  filters out the MSNMS protocol messages
> regardless of the port number being used.  How is this done?
>
> Example: In cases where the port number is 80 instead of 1863 which is
> the default for MSNMS (i.e. tunneling the MSNMS protocol through HTTP),
> wireshark is still able to identify the protocol as MSNMS and not just
> HTTP.  From a development standpoint, how is this identification made?
> Is it a deep packet inspection looking for a particular pattern in the
> application layer data?  If so, what pattern?  Thanks.
>
> -Nirav Trivedi
>
>
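The content-type based identification Ronnie describes, as an added example that is not Wireshark's code: a small Python model of a media-type keyed dispatch table, showing that the payload is classified by the HTTP Content-Type header and not by the TCP port. All names, the "http-data"/"data" labels and the sample messages are this example's own assumptions.

```python
# Added example, not Wireshark's code: models a "media_type"-style
# dissector table keyed on the HTTP Content-Type header.
from dataclasses import dataclass


@dataclass
class HttpMessage:
    headers: dict   # lower-cased header name -> value
    body: bytes


def parse_http(raw: bytes) -> HttpMessage:
    """Split a raw HTTP message into headers and body (start line ignored)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:            # lines[0] is the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpMessage(headers, body)


def media_type(ctype: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return ctype.split(";", 1)[0].strip().lower()


# Analogue of a media-type dissector table: media type -> payload protocol
MEDIA_TYPE_TABLE = {
    "application/x-msn-messenger": "msnms",
    "text/html": "http-data",
}


def identify_payload(raw: bytes, dst_port: int) -> str:
    """Name the protocol carried in the HTTP body; dst_port is ignored on purpose."""
    msg = parse_http(raw)
    ctype = msg.headers.get("content-type", "")
    return MEDIA_TYPE_TABLE.get(media_type(ctype), "data")


# Constructed samples: an MSNMS command tunnelled over HTTP, and plain HTML.
MSNMS_OVER_HTTP = (
    b"POST /gateway HTTP/1.1\r\n"
    b"Host: gateway.example.invalid\r\n"
    b"Content-Type: application/x-msn-messenger; charset=utf-8\r\n"
    b"Content-Length: 18\r\n\r\n"
    b"VER 1 MSNP8 CVR0\r\n"
)
PLAIN_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(identify_payload(MSNMS_OVER_HTTP, 80))   # msnms
    print(identify_payload(PLAIN_HTML, 80))        # http-data
```

The same message classifies as msnms whether the destination port is 80 or 1863, which is why the `msnms` filter matches tunnelled traffic; the parameter-stripping in `media_type` matters because a `charset` suffix would otherwise miss the table.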
_______________________________________________
Wireshark-dev mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-dev