Wireshark-dev: Re: [Wireshark-dev] how recognise a udp packet data part is sip packet?

From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Tue, 2 Jun 2009 14:04:43 -0600
On Tue, Jun 02, 2009 at 05:44:45PM +0800, zhangchuangde@xxxxxxxxxxxxxxx wrote:

> I know when a tcp/udp/tls packet's port is 5060/5061, the protocol 
> analyzer will dissect it into sip protocol.

> However, as the first packet in the accessory, its src port is 6304 
> and dst port is 6090, and this packet is also dissected into sip 
> protocol. How does Wireshark know this packet is a sip packet?

> Can you tell me how and why? Thanks a lot!

The SIP dissector not only registers itself on ports 5060 & 5061, but it 
also registers itself as a heuristic dissector.  A heuristic dissector 
looks at all specified packets (in SIP's case this is udp, tcp, sctp and 
stun2) and makes an attempt to determine if each packet is a SIP 
packet no matter what port it is on.  This is how it is finding SIP on 
other ports.


Steve
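
The idea described in the reply above, as an added example that is not part of the original message and is not Wireshark's SIP dissector code: a simplified content-based check that accepts a payload as SIP when its first line is a SIP request line or status line, whatever port it arrived on. The function names and sample payloads are constructed for illustration, and the syntax accepted here is narrower than the full SIP grammar.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified heuristic: does the first line of the payload look like a
 * SIP request line or status line? The port is never consulted. */
int looks_like_sip(const unsigned char *p, size_t len)
{
    static const char ver[] = "SIP/2.0";
    const size_t vlen = sizeof ver - 1;
    size_t eol = 0, sp1 = 0, sp2, i;
    /* The start line must be terminated inside the payload. */
    while (eol < len && p[eol] != '\r' && p[eol] != '\n') eol++;
    if (eol == len) return 0;

    /* Split it into three fields separated by single spaces. */
    while (sp1 < eol && p[sp1] != ' ') sp1++;
    if (sp1 == 0 || sp1 >= eol) return 0;
    for (sp2 = sp1 + 1; sp2 < eol && p[sp2] != ' '; sp2++) ;
    if (sp2 == sp1 + 1 || sp2 >= eol) return 0;

    /* Status line: "SIP/2.0 <three digits> <reason>" */
    if (sp1 == vlen && memcmp(p, ver, vlen) == 0) {
        if (sp2 - sp1 != 4) return 0;
        for (i = sp1 + 1; i < sp2; i++)
            if (!isdigit(p[i])) return 0;
        return 1;
    }

    /* Request line: "<METHOD> <URI with a scheme> SIP/2.0" */
    for (i = 0; i < sp1; i++)
        if (!isupper(p[i])) return 0;
    if (memchr(p + sp1 + 1, ':', sp2 - sp1 - 1) == NULL) return 0;
    return eol - sp2 - 1 == vlen && memcmp(p + sp2 + 1, ver, vlen) == 0;
}

int sip_str(const char *s)
{
    return looks_like_sip((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed payloads; imagine them arriving on UDP 6304 -> 6090. */
    printf("%d\n", sip_str("INVITE sip:bob@example.com SIP/2.0\r\nVia: x\r\n"));
    printf("%d\n", sip_str("SIP/2.0 180 Ringing\r\n\r\n"));
    printf("%d\n", sip_str("GET /index.html HTTP/1.1\r\n\r\n"));
    return 0;
}
```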