Wireshark-dev: Re: [Wireshark-dev] What kind of L7 protocols are dissected based on content ide

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 2 Mar 2009 09:55:46 -0800

On Mar 2, 2009, at 12:46 AM, 王睿思 wrote:

  For example: supposing a packet used the protocols
"IP-TCP-RTSP", when dissecting, how can dissect_tcp() find that its
subdissector is dissect_rtsp()? Is it based on port identification or
content identification?

It depends on the protocol. In the case of RTSP, it's done by port identification; the RTSP dissector registers with the TCP dissector with two port numbers (defaulting to 554 and 8554).

Other dissectors register with various dissectors as "heuristic" dissectors; the heuristic dissectors get called, one after another, and each of them checks the beginning of the data in the packet to see if the packet looks as if it's a packet for their protocol - if it is, they dissect the packet and return TRUE, so that none of the other heuristic dissectors get called, otherwise they stop looking at the packet data and return FALSE.

 Besides, is there any method to know the data type in the
application layer? (e.g. whether we could find that the payload of RTSP
is audio or video, and so on)

That depends on the protocol. The payload of RTSP is an RTSP message; that message might include a Content-Type: header that indicates what the payload type for the message being set up is.
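
The two dispatch mechanisms described in this reply, as an added example that is not part of the original message and not Wireshark's own code. It is a simplified C model: every name, the two sample heuristics, the constructed payload, and the order (port table first, then heuristics) are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the dispatch described above; NOT Wireshark's API.
 * All type and function names here are hypothetical. */
typedef bool (*heur_fn)(const unsigned char *data, size_t len);
struct port_entry { unsigned port; const char *proto; };
struct heur_entry { const char *proto; heur_fn looks_like; };

/* Port registrations: RTSP on its two default ports (554 and 8554). */
static const struct port_entry port_table[] = { { 554, "rtsp" }, { 8554, "rtsp" } };

/* Constructed heuristics: each inspects only the start of the payload. */
static bool heur_tls(const unsigned char *d, size_t n) {
    return n >= 3 && d[0] == 0x16 && d[1] == 0x03; /* handshake record, major version 3 */
}
static bool heur_ssh(const unsigned char *d, size_t n) {
    return n >= 4 && memcmp(d, "SSH-", 4) == 0;    /* SSH identification string */
}
static const struct heur_entry heur_list[] = { { "tls", heur_tls }, { "ssh", heur_ssh } };

/* Returns the name of the dissector that claims the TCP payload. */
const char *dispatch_tcp_payload(unsigned sport, unsigned dport,
                                 const unsigned char *data, size_t len) {
    size_t i;
    /* 1. Port identification: either endpoint may be the registered port. */
    for (i = 0; i < sizeof port_table / sizeof port_table[0]; i++)
        if (port_table[i].port == sport || port_table[i].port == dport)
            return port_table[i].proto;
    /* 2. Heuristics, one after another; the first to return true wins
     *    and the remaining ones are never called. */
    for (i = 0; i < sizeof heur_list / sizeof heur_list[0]; i++)
        if (heur_list[i].looks_like(data, len))
            return heur_list[i].proto;
    return "data"; /* nobody claimed it: left as undissected bytes */
}

int main(void) {
    /* Constructed sample payload, not a captured packet. */
    const unsigned char rtsp[] = "OPTIONS rtsp://example.test/ RTSP/1.0\r\n";
    printf("%s\n", dispatch_tcp_payload(40000, 554, rtsp, sizeof rtsp - 1));
    printf("%s\n", dispatch_tcp_payload(40000, 9000, rtsp, sizeof rtsp - 1));
    return 0;
}
```

In this model the same RTSP request is labelled "rtsp" on port 554 but falls through to "data" on port 9000, which is the practical consequence of port-only registration.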