On Tue, Jun 02, 2009 at 05:44:45PM +0800, zhangchuangde@xxxxxxxxxxxxxxx wrote:
> I know when a TCP/UDP/TLS packet's port is 5060/5061, the protocol
> analyzer will dissect it into SIP protocol.
> However, as the first packet in the accessory, its src port is 6304
> and dst port is 6090, and this packet is also dissected into SIP
> protocol. How does Wireshark know this packet is a SIP packet?
> Can you tell me how and why? Thanks a lot!

The SIP dissector not only registers itself on ports 5060 & 5061, but it
also registers itself as a heuristic dissector. A heuristic dissector
looks at all specified packets (in SIP's case this is udp, tcp, sctp and
stun2) and makes an attempt to determine if each packet is a SIP
packet no matter what port it is on. This is how it is finding SIP on
other ports.

Steve