How to know the application layer protocol in TCP?

Asked by compile-fan

I watched in Wireshark that there's no dedicated field to identify the application layer protocol, but how does Wireshark do that?
Wireshark (libpcap) only knows the IPs, the transport protocol (UDP/TCP) and the ports. With this info it tries to decode the frames with a candidate protocol "decoder". Usually it makes mistakes. If you want more accurate protocol identification you have to use a deep packet inspection analyzer. More info: http://en.wikipedia.org/wiki/Deep_packet_inspection
This email list entry describes a bit about Wireshark heuristics.

In short, Wireshark uses the port/protocol number as well as magic constants when available. The heuristics can also use special properties of the payload (in HTTP one could look for the strings GET/POST/... at the beginning of some traffic). The dissectors (as they are called) can also look at other packets in the traffic, which is useful when some other application hijacks port 80; for instance, Skype does this every now and then.
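To make the two answers concrete, here is an added example (not from the original thread and not Wireshark's own code) of how a port-based guess and a payload-based guess combine, and how they can disagree when an unrelated application sits on a well-known port. The port table and the signatures are a small constructed subset; the magic values used are only the widely documented ones (HTTP method tokens and the `HTTP/1.` response prefix, the `SSH-` banner, and the TLS handshake record header `0x16 0x03 xx`). Real dissector tables are far larger, and the `identify`/`classify_flows` helpers and the sample flows are assumptions made for this illustration.

```python
"""Toy application-protocol identification: port hint plus payload heuristics."""

# Constructed subset of a port -> protocol table (the "port/protocol number" hint).
PORT_TABLE = {22: "SSH", 80: "HTTP", 443: "TLS", 53: "DNS"}

# Request-line tokens an HTTP heuristic looks for at the start of a stream.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def heuristic_guess(payload: bytes):
    """Return a protocol name based only on payload content, or None if unsure."""
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "HTTP"
    if payload.startswith(b"SSH-"):
        return "SSH"
    # TLS record header: content type 0x16 (handshake), version major byte 0x03,
    # minor byte 0x00..0x04 (SSL 3.0 through TLS 1.3 record-layer versions).
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "TLS"
    return None


def identify(port: int, payload: bytes) -> dict:
    """Combine the port hint with payload heuristics.

    The payload evidence wins when present, because a port can be reused by any
    application; the result also flags when the two sources disagree, which is
    exactly the "something hijacked port 80" situation the answer describes.
    """
    by_port = PORT_TABLE.get(port)
    by_payload = heuristic_guess(payload)
    if by_payload is not None:
        return {
            "guess": by_payload,
            "basis": "payload",
            "port_mismatch": by_port is not None and by_port != by_payload,
        }
    if by_port is not None:
        return {"guess": by_port, "basis": "port", "port_mismatch": False}
    return {"guess": None, "basis": "none", "port_mismatch": False}


# Constructed sample flows: (destination port, first bytes of the client->server stream).
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # plain HTTP on 80
    (80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),             # TLS handshake on 80
    (8080, b"POST /api HTTP/1.0\r\nContent-Length: 0\r\n\r\n"),         # HTTP on a non-standard port
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),                                   # SSH banner on 22
    (443, b"\x00\x01\x02\x03"),                                         # unknown bytes, port hint only
    (12345, b"\xde\xad\xbe\xef"),                                        # nothing recognisable
]


def classify_flows(flows=SAMPLE_FLOWS):
    """Classify each (port, payload) pair and return the list of results."""
    return [identify(port, payload) for port, payload in flows]


if __name__ == "__main__":
    for (port, payload), result in zip(SAMPLE_FLOWS, classify_flows()):
        flag = " (port hint disagrees)" if result["port_mismatch"] else ""
        print(f"port {port:5d}: {result['guess']!s:5} via {result['basis']}{flag}")
```

The second sample flow is the interesting one: the port table says HTTP, but the first bytes are a TLS handshake record, so the payload heuristic overrides the port and the mismatch flag is raised. That flag is a useful thing to alert on in monitoring, since a well-known port carrying an unexpected protocol is often worth a look.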