Wireshark-dev: Re: [Wireshark-dev] What kind of L7 protocols are dissected based on content ide
From: Guy Harris <[email protected]>
Date: Mon, 2 Mar 2009 09:55:46 -0800
On Mar 2, 2009, at 12:46 AM, 王睿思 wrote:

> For example: supposing a packet used the protocols
> "IP-TCP-RTSP", when dissecting it, how can dissect_tcp() find that its
> subdissector is dissect_rtsp()? Is it based on port identification or
> content identification?

It depends on the protocol.  In the case of RTSP, it's done by port
identification; the RTSP dissector registers with the TCP dissector
with two port numbers (defaulting to 554 and 8554).

Other dissectors register with various dissectors as "heuristic"
dissectors; the heuristic dissectors get called, one after another,
and each of them checks the beginning of the data in the packet to see
if the packet looks as if it's a packet for their protocol - if it is,
they dissect the packet and return TRUE, so that none of the other
heuristic dissectors get called, otherwise they stop looking at the
packet data and return FALSE.

> Besides, is there any method to know the data type in the
> application layer? (e.g. if we could find out whether the payload of
> RTSP is audio or video and so on)

That depends on the protocol.  The payload of RTSP is an RTSP message;  
that message might include a Content-Type: header that indicates what  
the payload type for the message being set up is.
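
A simplified model of the two dispatch styles described in the reply above, added here as an illustration; it is not Wireshark source code and not part of the original message. The names `pick_dissector`, `heur_alpha`, `heur_beta` and the magic strings are hypothetical, and the model assumes port registrations are checked before heuristics.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the dispatch; hypothetical names, not Wireshark's API. */
typedef int (*heur_fn)(const char *data, size_t len);
struct port_entry { unsigned port; const char *proto; };
struct heur_entry { heur_fn looks_like; const char *proto; };

/* A heuristic checks the length first, then the leading bytes (constructed magics). */
static int starts_with(const char *d, size_t n, const char *magic) {
    size_t m = strlen(magic);
    return n >= m && memcmp(d, magic, m) == 0;
}
static int heur_alpha(const char *d, size_t n) { return starts_with(d, n, "ALPH"); }
static int heur_beta(const char *d, size_t n)  { return starts_with(d, n, "BETA/1"); }

/* RTSP registers by port only, on its two default ports. */
static const struct port_entry port_table[] = { {554, "rtsp"}, {8554, "rtsp"} };
static const struct heur_entry heur_table[] = {
    {heur_alpha, "alpha"}, {heur_beta, "beta"},
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Returns the name of the subdissector that would claim the TCP payload. */
const char *pick_dissector(unsigned sport, unsigned dport,
                           const char *data, size_t len) {
    size_t i;
    /* Assumption: the port table is consulted before the heuristics. */
    for (i = 0; i < COUNT(port_table); i++)
        if (port_table[i].port == sport || port_table[i].port == dport)
            return port_table[i].proto;
    /* Heuristics run one after another; the first to return TRUE wins. */
    for (i = 0; i < COUNT(heur_table); i++)
        if (heur_table[i].looks_like(data, len))
            return heur_table[i].proto;
    return "data";  /* nobody claimed it: left as undissected payload */
}

int main(void) {
    const char *rtsp = "OPTIONS rtsp://example.com/a RTSP/1.0\r\n";  /* constructed */
    printf("%s\n", pick_dissector(40000, 554, rtsp, strlen(rtsp)));
    printf("%s\n", pick_dissector(40000, 9000, rtsp, strlen(rtsp)));
    printf("%s\n", pick_dissector(40000, 9000, "BETA/1 hi", 9));
    printf("%s\n", pick_dissector(40000, 9000, "BE", 2));
    return 0;
}
```

In this model the RTSP request sent to port 9000 falls through to `data`: a dissector registered only by port does not claim its protocol on a non-default port, which is the practical difference from a heuristic registration.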