Wireshark-dev: [Wireshark-dev] Re: Inquiry Regarding Protocol Identification Process in Wiresha

From: Gilbert Ramirez <gram@xxxxxxxxxxxxxxx>
Date: Tue, 1 Apr 2025 06:26:31 -0500
In addition to relying on well-known ports (or other similar fields), Wireshark has the concept of a "heuristic decoder", where it tries to guess the protocol based on the content. Look for the word "heuristic" in the Wireshark documentation and source code to see examples.

Gilbert

On Mon, Mar 31, 2025 at 10:02 AM brave1094 <brave1094@xxxxxxxxxxx> wrote:
Dear Wireshark Team,

My name is Yoon-Seong Jang, a combined Master's and Ph.D. student at Korea University in the Republic of Korea.

We are currently conducting research focused on analyzing various types of application traffic and malicious traffic, with the goal of classifying them using deep learning techniques.

In this process, Wireshark has been an invaluable tool and is widely used in our research.

The reason I am reaching out via email is to ask about how Wireshark determines the protocol of each packet or flow when decoding a given pcap file.

From our observations, it seems that the protocol is often determined based on the port number. However, we would greatly appreciate a more objective explanation or documentation regarding the actual rules or logic used by Wireshark for protocol decoding.

A detailed explanation would be extremely helpful for our research.

Thank you very much for taking the time to read this email despite your busy schedule.

Sincerely,
Yoon-Seong Jang

_______________________________________________
Wireshark-dev mailing list -- wireshark-dev@xxxxxxxxxxxxx
To unsubscribe send an email to wireshark-dev-leave@xxxxxxxxxxxxx
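As an added illustration of the two mechanisms Gilbert describes above (port-table registration and a heuristic dissector that inspects packet content), here is a minimal Wireshark Lua dissector. It is example code written for this page, not from the thread or the Wireshark project; the protocol name "demo", TCP port 7777 and the "DEMO" header layout are assumptions.

```lua
-- Added example (not from the thread): a minimal Wireshark Lua dissector for a
-- hypothetical "DEMO" protocol, registered two ways:
--   1. by well-known port (TCP 7777, an assumed value), and
--   2. as a heuristic dissector on TCP that inspects the payload.
-- Load with: wireshark -X lua_script:demo_proto.lua

local demo = Proto("demo", "Demo Protocol")

local f_magic   = ProtoField.string("demo.magic", "Magic")
local f_version = ProtoField.uint8("demo.version", "Version", base.DEC)
local f_length  = ProtoField.uint16("demo.length", "Payload Length", base.DEC)
demo.fields = { f_magic, f_version, f_length }

local MAGIC = "DEMO"     -- assumed 4-byte marker at offset 0
local HEADER_LEN = 7     -- magic(4) + version(1) + length(2)

-- Regular dissector: called when the port table (or a bound conversation)
-- maps a packet to this protocol.
function demo.dissector(tvb, pinfo, tree)
  if tvb:len() < HEADER_LEN then return 0 end
  pinfo.cols.protocol = "DEMO"
  local sub = tree:add(demo, tvb(0, HEADER_LEN), "Demo Protocol Header")
  sub:add(f_magic,   tvb(0, 4))
  sub:add(f_version, tvb(4, 1))
  sub:add(f_length,  tvb(5, 2))
  return HEADER_LEN
end

-- 1. Port-based identification: every TCP segment on port 7777 is handed to
--    demo.dissector regardless of its content.
DissectorTable.get("tcp.port"):add(7777, demo)

-- 2. Content-based identification: by default Wireshark consults the port table
--    first and only then walks the "tcp" heuristic list; each heuristic returns
--    true to claim the packet or false to let the next one try.
local function demo_heuristic(tvb, pinfo, tree)
  if tvb:len() < HEADER_LEN then return false end
  if tvb(0, 4):string() ~= MAGIC then return false end
  local version = tvb(4, 1):uint()
  local length  = tvb(5, 2):uint()
  -- Extra consistency checks keep random payloads from being misclassified.
  if version ~= 1 or length ~= tvb:len() - HEADER_LEN then return false end
  -- Bind the rest of this TCP conversation to us so later segments are
  -- dissected directly instead of re-running the heuristic scan.
  pinfo.conversation = demo
  demo.dissector(tvb, pinfo, tree)
  return true
end

demo:register_heuristic("tcp", demo_heuristic)
```

The heuristic path is what makes content-based identification possible on non-standard ports; the sanity checks in the heuristic are the practical defence against false positives, since a heuristic that matches too loosely silently mislabels unrelated traffic.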