On 04/26/13 15:02, Андрей Чебоксаров wrote:
> Hi!
> I am just wondering how Wireshark will define which frame belongs to
> what protocol. As I understood we can figure out in the way the packet
> is going to tcp/udp port (or range of ports). But if the packet goes to
> unknown port we can't realize that it belongs to our protocol, can we?
There are several ways Wireshark figures out which "next" protocol to
hand a frame to:
0) Based on the linktype in the PCAP file (or other assigned identifier
in other files). This tells Wireshark the lowest-level protocol in the
frame.
1) Protocol identifiers in the protocol (e.g., eth.type or ip.proto).
2) Other assigned identifiers (e.g., the TCP port or MIME types).
3) Preferences (e.g., the Diameter dissector allows the user to tell
Wireshark which TCP and SCTP ports should be decoded as Diameter).
4) The Decode-As interface: the user can right-click on a packet and say
"Decode this as [for example] Diameter".
5) Heuristics: the HTTP dissector, for example, registers to be given a
chance to "claim" any TCP frames that haven't already been claimed. It
does some heuristics to determine whether the packet "looks like" HTTP
and if it does, it claims the frame and dissects it.
I think those are the major ones...
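The selection order described in the reply, modelled as an added Python example. This is not Wireshark code and not part of the thread: the frame builder, the port table, the Decode-As mapping and the HTTP heuristic are constructed here only to show how a frame to an assigned port, a frame to an unknown port with HTTP-looking payload, a frame nobody claims, and a Decode-As override each end up with a different dissector.

```python
"""Toy model of how Wireshark picks the next dissector (constructed example).

Mirrors the steps in the reply: pcap link type -> protocol identifier fields
(eth.type, ip.proto) -> Decode-As / preference / assigned TCP ports ->
heuristic dissectors. It does not call Wireshark; it only illustrates the order.
"""
import struct

LINKTYPE_ETHERNET = 1  # step 0: pcap link-layer type picks the bottom dissector


def dissect_http(payload, ctx):
    ctx["chain"].append("http")


def dissect_data(payload, ctx):
    ctx["chain"].append("data")  # catch-all for bytes nobody claimed


# Step 2/3: TCP ports registered by dissectors or set in preferences (constructed).
TCP_PORT_TABLE = {80: dissect_http}


def heur_http(payload):
    """Step 5 test: does the segment start like an HTTP request line?"""
    return payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE")


TCP_HEURISTICS = [(heur_http, dissect_http)]  # tried in registration order


def dissect_tcp(segment, ctx):
    ctx["chain"].append("tcp")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    payload = segment[(off_flags >> 12) * 4:]
    ports = (dport, sport)  # simplified; real Wireshark has its own port-ordering rules
    for port in ports:  # step 4: a Decode-As entry overrides everything else
        if port in ctx["decode_as"]:
            ctx["selected_by"] = "decode-as"
            return ctx["decode_as"][port](payload, ctx)
    for port in ports:  # step 2/3: assigned or preference-configured ports
        if port in TCP_PORT_TABLE:
            ctx["selected_by"] = "port"
            return TCP_PORT_TABLE[port](payload, ctx)
    for test, dissector in TCP_HEURISTICS:  # step 5: heuristics on unclaimed frames
        if payload and test(payload):
            ctx["selected_by"] = "heuristic"
            return dissector(payload, ctx)
    ctx["selected_by"] = "none"
    dissect_data(payload, ctx)


IP_PROTO_TABLE = {6: dissect_tcp}


def dissect_ipv4(packet, ctx):
    ctx["chain"].append("ip")
    ihl = (packet[0] & 0x0F) * 4
    handler = IP_PROTO_TABLE.get(packet[9])  # step 1: ip.proto names the next protocol
    (handler or dissect_data)(packet[ihl:], ctx)


ETHERTYPE_TABLE = {0x0800: dissect_ipv4}


def dissect_ethernet(frame, ctx):
    ctx["chain"].append("eth")
    (ethertype,) = struct.unpack("!H", frame[12:14])  # step 1: eth.type
    handler = ETHERTYPE_TABLE.get(ethertype)
    (handler or dissect_data)(frame[14:], ctx)


LINKTYPE_TABLE = {LINKTYPE_ETHERNET: dissect_ethernet}


def dissect_frame(frame, linktype=LINKTYPE_ETHERNET, decode_as=None):
    """Return the protocol chain plus how the TCP payload's dissector was chosen."""
    ctx = {"chain": [], "decode_as": decode_as or {}, "selected_by": None}
    LINKTYPE_TABLE[linktype](frame, ctx)
    return ctx


def build_tcp_frame(dport, payload, sport=40000):
    """Constructed Ethernet II / IPv4 / TCP frame; checksums are left at zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    req = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    print(dissect_frame(build_tcp_frame(80, req)))            # matched by port table
    print(dissect_frame(build_tcp_frame(8080, req)))          # matched by heuristic
    print(dissect_frame(build_tcp_frame(8080, b"\x01\x02")))  # nobody claims it
    print(dissect_frame(build_tcp_frame(5555, b"\x01\x02"),
                        decode_as={5555: dissect_http}))      # forced by Decode-As
```

The point the model makes concrete is the one in the question: a segment to an unknown port is not lost, it falls through to whatever heuristic dissectors registered for TCP, and only if none of them claims it does it end up as raw data, which is also why a custom protocol on a non-standard port needs either a preference, a Decode-As entry or its own heuristic.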