On Jul 14, 2009, at 5:59 AM, Selçuk Cevher wrote:
> Does Wireshark's TCP plugin only use port numbers
No.
> or some other additional mechanisms
Yes.
> to identify the application layer traffic?
...
> If it uses other mechanisms for traffic identification, what are
> these?
The only other such mechanisms would be
1) let additional ports be specified by the user of Wireshark;
2) use earlier packets in the capture, which set up a future session,
and which specify the protocol to be used;
3) try to guess the protocol based on the packet contents.
1) is supported by some dissectors, as well as by the "Decode As" menu
item.
2) is supported by some dissectors - it's mainly used for RTP
sessions, with earlier "call setup"/"session setup" packets for SIP,
etc.
3) is supported by some dissectors - the TCP dissector (and some other
dissectors) allow you to specify a "heuristic" dissector, which can
look at the data in the packet and either accept the packet (and
dissect it) or reject the packet (so some other dissector can dissect
it).
> For example, in the case of POP3 and SMTP, is Wireshark capable of
> identifying the POP3 or SMTP traffic even if a mail client uses a
> server connection port other than 110 for POP3 and 25 for SMTP?
To some degree.
The POP3 dissector will recognize POP3-over-SSL on port 995, and, with
"Decode As", could be used to dissect traffic on other ports.
The SMTP dissector will handle ports 25 and 587, and, with "Decode
As", could be used to dissect traffic on other ports.
Neither of them currently has a heuristic dissector.
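An added illustration of point 3 above (identification from packet contents) applied to the POP3/SMTP question: it is not Wireshark code and does not use the Wireshark API (a real heuristic dissector is registered with the TCP dissector and receives a tvbuff and packet_info, not a raw buffer). It models only the decision a heuristic makes, accept or reject, over plain byte buffers, with the port table consulted first as Wireshark does. The ports are the ones named in the thread; the sample payloads and the helper names are constructed for the example. The keywords are the standard POP3 and SMTP commands and reply codes, and the example shows why a heuristic has to reject anything ambiguous: FTP also uses USER/PASS and greets with a 220 line, so claiming those would take packets away from the right dissector.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Wireshark code: the accept/reject decision a
 * "heuristic" dissector makes (point 3 above), modelled on plain buffers
 * so it builds without libwireshark. As in Wireshark, the port table is
 * consulted first; the heuristics only see payloads on unregistered ports. */

typedef enum { PROTO_UNKNOWN = 0, PROTO_POP3 = 1, PROTO_SMTP = 2 } app_proto;

/* Case-insensitive "p starts with prefix", never reading past len. */
static int starts_with_ci(const unsigned char *p, size_t len, const char *prefix)
{
    size_t n = strlen(prefix);
    if (len < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower(p[i]) != tolower((unsigned char)prefix[i])) return 0;
    return 1;
}

/* Length of the first line before CRLF, or 0 if no CRLF appears in the
 * first 512 bytes. Both protocols are line-oriented text, so a payload
 * with no line ending (a TLS record, say) is rejected outright. */
static size_t first_line_len(const unsigned char *p, size_t len)
{
    size_t limit = len < 512 ? len : 512;
    for (size_t i = 0; i + 1 < limit; i++)
        if (p[i] == '\r' && p[i + 1] == '\n') return i;
    return 0;
}

/* Case-insensitive substring search limited to the first line. */
static int line_contains_ci(const unsigned char *p, size_t line, const char *needle)
{
    for (size_t i = 0; i + strlen(needle) <= line; i++)
        if (starts_with_ci(p + i, line - i, needle)) return 1;
    return 0;
}

/* POP3: claim "+OK"/"-ERR" replies and commands only POP3 has. USER, PASS,
 * RETR, DELE, STAT and QUIT are left out on purpose: FTP uses the same
 * words, and a heuristic that claims ambiguous bytes steals the packet
 * from the dissector that should get it. Returns 1 to accept, 0 to reject. */
int heur_pop3(const unsigned char *p, size_t len)
{
    static const char *tokens[] = { "+OK", "-ERR", "CAPA", "APOP ", "UIDL", "TOP " };
    if (first_line_len(p, len) == 0) return 0;
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        if (starts_with_ci(p, len, tokens[i])) return 1;
    return 0;
}

/* SMTP: claim EHLO/HELO/MAIL FROM/RCPT TO, a bare DATA line, and a "220"
 * banner only if it names (E)SMTP, because "220" is also FTP's greeting. */
int heur_smtp(const unsigned char *p, size_t len)
{
    static const char *tokens[] = { "EHLO ", "HELO ", "MAIL FROM:", "RCPT TO:" };
    size_t line = first_line_len(p, len);
    if (line == 0) return 0;
    for (size_t i = 0; i < sizeof tokens / sizeof tokens[0]; i++)
        if (starts_with_ci(p, len, tokens[i])) return 1;
    if (line == 4 && starts_with_ci(p, len, "DATA")) return 1;
    return starts_with_ci(p, len, "220 ") && line_contains_ci(p, line, "SMTP");
}

/* Port table first (Wireshark's default, which "Decode As" extends), then the
 * heuristics. Port 995 is not listed: POP3-over-SSL carries TLS, and a
 * plaintext heuristic has nothing to match there. */
app_proto classify_tcp(unsigned short server_port, const unsigned char *p, size_t len)
{
    if (server_port == 110) return PROTO_POP3;
    if (server_port == 25 || server_port == 587) return PROTO_SMTP;
    if (heur_pop3(p, len)) return PROTO_POP3;
    if (heur_smtp(p, len)) return PROTO_SMTP;
    return PROTO_UNKNOWN;
}

/* Wrapper for NUL-terminated sample payloads. */
app_proto classify_str(unsigned short server_port, const char *s)
{
    return classify_tcp(server_port, (const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed sample payloads on non-standard ports, not captured traffic. */
    const struct { unsigned short port; const char *label, *payload; } samples[] = {
        { 8110, "POP3 greeting", "+OK POP3 server ready\r\n" },
        { 2525, "SMTP greeting", "220 mx.example.net ESMTP\r\n" },
        { 2121, "FTP greeting",  "220 FTP server ready\r\n" },   /* rejected */
        { 2121, "USER command",  "USER alice\r\n" },             /* ambiguous: rejected */
        { 8443, "TLS record",    "\x16\x03\x01\x01\xfc\x01" },   /* no CRLF: rejected */
    };
    static const char *names[] = { "unknown", "POP3", "SMTP" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("port %5u %-14s -> %s\n", (unsigned)samples[i].port, samples[i].label,
               names[classify_str(samples[i].port, samples[i].payload)]);
    return 0;
}
```

The point of the two rejections is the one the reply makes about "accept or reject so some other dissector can dissect it": a heuristic that is too eager is worse than none, because it silently mislabels traffic for every other protocol that shares the same keywords. The TLS sample shows the other limit mentioned above: content heuristics only work on plaintext, so POP3-over-SSL on port 995 is still recognized by port, not by content.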