wireshark detects when msnms is transported atop HTTP by looking at
the content-type of the HTTP header.
If content-type is "application/x-msn-messenger" then the payload
inside the HTTP packet is deemed to be msnms.
see proto_reg_handoff_msnms() in packet-msn-messenger.c
On 12/12/06, Trivedi, Nirav <ntrivedi@xxxxxxxxx> wrote:
Applying the filter: msnms filters out the MSNMS protocol messages
regardless of the port number being used. How is this done?
Example: In cases where the port number is 80 instead of 1863 which is
the default for MSNMS(i.e. tunneling the MSNMS protocol through HTTP),
wireshark is still able to identify the protocol as MSNMS and not just
HTTP. From a development standpoint, how is this identification made?
Is it a deep packet inspection looking for a particular pattern in the
application layer data? If so, what pattern? Thanks.
-Nirav Trivedi