On Jun 21, 2016, at 2:17 AM, Rayne <hjazz6@xxxxxxxxx> wrote:
> I'm trying to follow the Wireshark source code to find out exactly how Wireshark determines that the layer above UDP or RTP is a T.38 payload.
>
> I assume that a heuristic dissector is used
Nope.
The RTP dissector gets a dissector handle for the T.38 dissector; that dissector is registered under the name "t38_udp".
If an RTP packet has a version number of 0, the RTP dissector assumes it's not RTP and, based on the setting of a preference for the RTP dissector, calls one of:
the STUN dissector;
the CLASSIC-STUN dissector;
the T.38 dissector;
the SPRT dissector;
the ZRTP dissector, if the packet has "ZRTP" in bytes 4-8.
In addition, the dissectors for some protocols used in call setup, such as SDP and H.245, can, if they see an indication that UDP traffic to and from some port will be T.38 traffic, arrange that said traffic will be dissected as T.38.
And, if all else fails, the user can use "Decode As..." (or its command-line equivalent) to specify that UDP traffic to or from a particular port be dissected as T.38.
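The dispatch order described in this message, as a small added model written for this page (it is not Wireshark's own code and does not copy packet-rtp.c): a packet whose RTP version field is 2 is dissected as RTP, a packet with version 0 goes to ZRTP when bytes 4-7 hold "ZRTP" and otherwise to whatever the RTP dissector's version-0 preference selects. The dissector name "t38_udp" is the one given above; the other names in VERSION0_CHOICES, the helper functions and the sample packets are assumptions constructed here. The message does not say whether Wireshark tests the ZRTP magic before or after consulting the preference; the model tests it first because it is the only content-based rule listed. The UDPTL helper also shows why the version-0 path is only a fallback: the T.38 UDPTL packet starts with a 16-bit big-endian sequence number, so once that number reaches 0x4000 the top two bits of the first byte are no longer zero and the packet no longer looks like "version 0" to the RTP dissector.

```python
"""Model of the RTP dissector's version-0 dispatch as described in the
message above.  Added illustration for this page, not Wireshark code."""
import struct

# Dissectors the message says the version-0 preference can select.
# "t38_udp" is the name quoted in the message; the other strings are
# illustrative labels chosen here, not Wireshark preference values.
VERSION0_CHOICES = ("stun", "classic_stun", "t38_udp", "sprt")

ZRTP_MAGIC = b"ZRTP"  # magic cookie at bytes 4-7 of a ZRTP packet


def rtp_version(payload: bytes) -> int:
    """RTP version is the top two bits of the first byte (2 for real RTP)."""
    if not payload:
        raise ValueError("empty payload")
    return payload[0] >> 6


def dispatch(payload: bytes, version0_pref: str = "t38_udp") -> str:
    """Name of the dissector the payload would be handed to.

    Version 2 -> RTP.  Version 0 -> ZRTP if the magic is present,
    otherwise the dissector chosen by the version-0 preference.
    The message only describes the version-0 case, so versions 1 and 3
    are simply left to the RTP dissector here (an assumption).
    """
    if version0_pref not in VERSION0_CHOICES:
        raise ValueError(f"unknown version-0 preference {version0_pref!r}")
    version = rtp_version(payload)
    if version == 0:
        if payload[4:8] == ZRTP_MAGIC:
            return "zrtp"
        return version0_pref
    return "rtp"


# --- constructed sample packets (not captures) ---------------------------

def make_rtp(seq: int, ssrc: int = 0xDEADBEEF) -> bytes:
    """V=2, no padding/extension/CSRC, PT 0, given sequence, ts 0, SSRC."""
    return struct.pack("!BBHII", 0x80, 0x00, seq, 0, ssrc)


def make_zrtp(seq: int, ssrc: int = 0x12345678) -> bytes:
    """ZRTP header: 0x10 0x00, 16-bit sequence, "ZRTP" magic, SSRC."""
    return b"\x10\x00" + struct.pack("!H", seq) + ZRTP_MAGIC + struct.pack("!I", ssrc)


def make_udptl(seq: int) -> bytes:
    """T.38 UDPTL: 16-bit big-endian sequence number, then the IFP packet.
    The three trailing bytes are filler, not a real IFP encoding."""
    return struct.pack("!H", seq) + b"\x00\x00\x00"


def version0_fallback_holds(seq: int) -> bool:
    """True while a UDPTL packet with this sequence number still presents
    version 0 to the RTP dissector, i.e. while seq < 0x4000."""
    return rtp_version(make_udptl(seq)) == 0


if __name__ == "__main__":
    for label, pkt in (("rtp", make_rtp(1)), ("zrtp", make_zrtp(7)),
                       ("udptl seq 5", make_udptl(5)),
                       ("udptl seq 0x4000", make_udptl(0x4000))):
        print(f"{label:18s} version={rtp_version(pkt)} -> {dispatch(pkt)}")
```

The last line of the demo is the practical point: a T.38 stream is only caught by the version-0 fallback while its sequence numbers are low, which is why the SDP/H.245 setup route or an explicit "Decode As" is the reliable way to get it dissected. On the command line the equivalent of "Decode As" is tshark's -d option, e.g. tshark -d udp.port==6004,t38_udp, where the port is an example and the dissector name is the one the message gives.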