Wireshark-dev: [Wireshark-dev] Protocol identification for msnms

From: "Trivedi, Nirav" <ntrivedi@xxxxxxxxx>
Date: Tue, 12 Dec 2006 18:15:41 -0500
Applying the filter: msnms filters out the MSNMS protocol messages regardless of the port number being used. How is this done?
 
Example: In cases where the port number is 80 instead of 1863, which is the default for MSNMS (i.e. tunneling the MSNMS protocol through HTTP), Wireshark is still able to identify the protocol as MSNMS and not just HTTP. From a development standpoint, how is this identification made? Is it a deep packet inspection looking for a particular pattern in the application layer data? If so, what pattern? Thanks.
 
-Nirav Trivedi