I saw in Wireshark that there's no dedicated field to identify the application-layer protocol, but how does Wireshark do that?
2 Answers
Wireshark (libpcap) only knows the IPs, the transport protocol (UDP/TCP) and the ports. With this info it tries to decode the frames with a candidate protocol "decoder". Usually it makes mistakes. If you want more accurate protocol identification you have to use a deep packet inspection analyzer. More info: http://en.wikipedia.org/wiki/Deep_packet_inspection

Wireshark's [heuristics](http://en.wikipedia.org/wiki/Heuristic#Computer_science) are pretty good for popular protocols – Mike Pennington Apr 20 '11 at 12:48
Yeah, how do Wireshark's heuristics work? Simply by port number is far from good... – compile-fan Apr 20 '11 at 12:52
@compile-fan, heuristics by definition are not perfect; port-numbers are fine for 80-90% of use cases... so that's a good heuristic by my definition. If you want to make snarky comments about port-number heuristics, I will look forward to seeing your commits to improve them in the wireshark trunk. – Mike Pennington Apr 21 '11 at 15:50
This email list entry describes a bit about Wireshark heuristics.
In short, Wireshark uses the port/protocol number as well as magic constants when available. The heuristics can also use special properties of the payload (in HTTP one could look for the strings GET/POST/... at the beginning of some traffic). The dissectors (as they are called) can also look at other packets in the traffic, which is useful when some other application hijacks port 80; for instance, Skype does this every now and then.

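A toy version of the port-plus-payload heuristic the second answer describes, written here as an added example; it is not Wireshark's dissector code. The port table, the three payload signatures and the sample payloads are all constructed for the demo, and it checks a single packet only (no cross-packet conversation tracking), which is enough to show why a payload match outranks the port hint when something else sits on port 80.

```python
"""Guess an application protocol from destination port plus payload magic.

Constructed demo: a small port table and three payload signatures
(HTTP request line, TLS ClientHello record header, SSH banner).
"""
import re
from typing import Callable, List, Tuple

# Well-known port hints: only a first guess, never the final word (constructed subset).
PORT_HINTS = {80: "HTTP", 443: "TLS", 22: "SSH", 25: "SMTP"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
HTTP_REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def looks_like_http(payload: bytes) -> bool:
    # Request line: METHOD SP target SP HTTP/1.x CRLF at the very start of the stream.
    return payload.startswith(HTTP_METHODS) and HTTP_REQUEST_LINE.match(payload) is not None


def looks_like_tls(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    # 2-byte length, then a handshake message of type 0x01 (ClientHello).
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)


def looks_like_ssh(payload: bytes) -> bool:
    # SSH identification string, e.g. "SSH-2.0-...".
    return payload.startswith(b"SSH-")


PAYLOAD_SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("HTTP", looks_like_http), ("TLS", looks_like_tls), ("SSH", looks_like_ssh)]


def guess_protocol(dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Return (protocol, reason). A payload signature beats the port hint."""
    for name, check in PAYLOAD_SIGNATURES:
        if check(payload):
            if PORT_HINTS.get(dst_port) == name:
                return name, "payload-match"
            return name, "payload-match, port mismatch"  # e.g. TLS hijacking port 80
    if dst_port in PORT_HINTS:
        return PORT_HINTS[dst_port], "port-only (unverified)"
    return "unknown", "no match"


if __name__ == "__main__":
    # Constructed sample payloads: plain HTTP, a TLS ClientHello on port 80, an SSH banner.
    for port, data in [(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
                       (80, bytes.fromhex("160301004e01000049")),
                       (22, b"SSH-2.0-OpenSSH_8.9\r\n"), (80, b"\x00\x01\x02\x03")]:
        print(port, guess_protocol(port, data))
```

Wireshark's real heuristic dissectors are written in C (or Lua) and also keep per-conversation state, so once a stream has been identified the remaining packets are dissected consistently.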