Wireshark-dev: Re: [Wireshark-dev] Google. summer of code 2013. New Export Objects in embedded

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Fri, 26 Apr 2013 15:23:11 -0400
On 04/26/13 15:02, Андрей Чебоксаров wrote:
Hi !

I am just wondering how Wireshark will define which frame belongs to
what protocol. As I understood we can figure out in the way the packet
is going to tc/udp port( or range of ports). But if the packet goes to
unknown port we can't realize that it belongs to our protocol, can we?

There are several ways Wireshark figures out what the "next" protocol to hand a frame to:

0) Based on the linktype in the PCAP file (or other assigned identifier in other files). This tells Wireshark the lowest-level protocol in the frame.

1) Protocol identifiers in the protocol (e.g., eth.type or ip.proto).

2) Other assigned identifiers (e.g., the TCP port or MIME types).

3) Preferences (e.g., the Diameter dissector allows the user to tell Wireshark which TCP and SCTP ports should be decoded as Diameter)

4) The Decode-As interface: the user can right-click on a packet and say "Decode this as [for example] Diameter"

5) Heuristics: the HTTP dissector, for example, registers to be given a chance to "claim" any TCP frames that haven't already been claimed. It does some heuristics to determine whether the packet "looks like" HTTP and if it does, it claims the frame and dissects it.

I think those are the major ones...