Wireshark-users: Re: [Wireshark-users] Protocol analisys

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 03 Jul 2008 12:32:11 -0700
Sipos Csaba wrote:

I want to make TC scripts for traffic control and shaping, so I would
like to know how wireshark identifies various protocols (like SSH,
HTTP, ftp command and data etc.) either if the server uses non standard
ports.

SSH: it doesn't identify SSH on ports other than 22; if a user wants to dissect SSH traffic on other ports, they'll have to manually specify the traffic with "Decode As".

HTTP: the HTTP dissector registers, in addition to port 80, ports 3128 and 3132 (for proxies), port 8080, and some other known ports for HTTP. There's a preference that gives a comma-separated list of ports; you can add ports to that list. In addition, some protocols that are implemented atop HTTP can make their port number dissected as HTTP and then hand off the traffic to the dissector (e.g., IPP). "Decode As" can also be used.

FTP command: it doesn't identify FTP command traffic on ports other than 21.

FTP data: it identifies FTP data traffic on port 20, and also looks at PORT and PASV requests, if they're captured.