On May 5, 2008, at 4:43 PM, Isara Anantavrasilp wrote:
> So, you mean that when Wireshark tells me that packet X belongs to
> protocol Y, it doesn't use just transportation port?
Correct. There are many protocols that run atop TCP or UDP that
aren't assigned to particular ports but that Wireshark needs to
identify in packets.
> I suppose I should look at the Wireshark code then.
> I hate to ask, but does anyone know where (roughly) these heuristics
> are?
> I believe they must be stored on some files, right?
The heuristics for a particular dissector are in the source code for
that dissector. Look for dissectors whose registration routine calls
heur_dissector_add().
The heuristics do *NOT* necessarily just look for a particular
"signature". Not all protocols have a simple "signature"; a heuristic
might check for packet lengths, the values of various fields, or both.
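As an added illustration of the reply's point (not Wireshark code, and not part of the original thread): a stand-alone C stand-in for a heuristic dissector over a hypothetical 6-byte "XP" header. Like the heuristics the reply describes, it accepts a packet only when the length and several field values are all consistent, rather than matching a single signature; in Wireshark the corresponding routine operates on a tvbuff and is registered with heur_dissector_add().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 6-byte header for a made-up protocol "XP" (constructed for
 * this example; it is not a real protocol or Wireshark dissector):
 *   byte 0    : version, must be 1
 *   byte 1    : flags, upper four bits reserved and must be zero
 *   bytes 2-3 : payload length, big-endian, must equal the remaining bytes
 *   bytes 4-5 : message type, big-endian, must be a known value
 */
#define XP_HDR_LEN 6

static bool xp_known_type(uint16_t type) {
    return type == 0x0001 || type == 0x0002 || type == 0x0010;
}

/* Stand-in for a heuristic dissector: returns true only when the packet is
 * plausibly XP. It combines a length check with field-value checks, which is
 * what makes it a heuristic rather than a fixed-signature match. */
bool heur_dissect_xp(const uint8_t *buf, size_t len) {
    if (len < XP_HDR_LEN)
        return false;                 /* too short to hold the header */
    if (buf[0] != 1)
        return false;                 /* unknown version */
    if (buf[1] & 0xF0)
        return false;                 /* reserved flag bits set */
    uint16_t plen = (uint16_t)((buf[2] << 8) | buf[3]);
    if (plen != len - XP_HDR_LEN)
        return false;                 /* length field disagrees with packet */
    uint16_t type = (uint16_t)((buf[4] << 8) | buf[5]);
    return xp_known_type(type);       /* field value must be one we know */
}

/* Constructed sample packets: one valid, three that fail a different check. */
static const uint8_t xp_good[]      = {1, 0x03, 0x00, 0x04, 0x00, 0x02, 'a', 'b', 'c', 'd'};
static const uint8_t xp_bad_len[]   = {1, 0x03, 0x00, 0x09, 0x00, 0x02, 'a', 'b', 'c', 'd'};
static const uint8_t xp_bad_flags[] = {1, 0x83, 0x00, 0x04, 0x00, 0x02, 'a', 'b', 'c', 'd'};
static const uint8_t xp_bad_type[]  = {1, 0x03, 0x00, 0x04, 0x7F, 0xFF, 'a', 'b', 'c', 'd'};

int main(void) {
    printf("good=%d bad_len=%d bad_flags=%d bad_type=%d\n",
           heur_dissect_xp(xp_good, sizeof xp_good),
           heur_dissect_xp(xp_bad_len, sizeof xp_bad_len),
           heur_dissect_xp(xp_bad_flags, sizeof xp_bad_flags),
           heur_dissect_xp(xp_bad_type, sizeof xp_bad_type));
    return 0;
}
```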