Vinay Kumar L wrote 2011-02-24 07:14:

Hi All,

I have a doubt regarding differentiating different protocols in a UDP packet by Wireshark. Protocols like DNS, RTP, etc. use UDP, so after the UDP header the corresponding headers (DNS, RTP, etc.) appear in the Wireshark capture. How does Wireshark determine the particular protocol headers after the UDP header in a UDP packet, as the packet contains a bulk of data (headers, payload) after the UDP header? Does each protocol have a specific id for identification? If yes, which part of the header contains that id field?

Please guide me.

Thanks and Best Regards,
Vinay

The basic mechanism is that the UDP dissector has a uint dissector table where protocol dissectors can register by port, normally the "well known" or "registered" port; many dissectors also have a preference setting for the port(s) to register with. Obviously this can lead to packets for one protocol being (mis)interpreted as a different one.

Secondly, there is a heuristics dissector table where dissectors can register. Dissectors in that table will be called one by one and each dissector tries to determine whether the packet belongs to it or not; if not, it returns FALSE and the next dissector in turn is tried. This isn't fail safe either.

Thirdly, if a control protocol is used to set up the UDP stream (i.e. RTP), a conversation can be set up with a conversation dissector, and all packets in that conversation (source/destination IP/port pair) will then be handed to the conversation dissector.

In short, there is no fail safe way to determine what protocol is running on top of UDP; you will have to know something about the environment your trace is taken in, such as which ports are used by the protocols if the standard ports aren't used.

Regards
Anders
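
The three lookups described in the reply, modelled as an added Python sketch (not Wireshark code and not part of the original message). The table contents, function names, sample packets and the lookup order (conversation, then port, then heuristic) are assumptions of the model; it shows a port collision and a heuristic misfire producing wrong labels.

```python
import struct

# Simplified model, not Wireshark code; names and lookup order are assumptions.
PORT_TABLE = {53: "dns", 5060: "sip"}   # uint table: UDP port -> dissector
CONVERSATIONS = {}                      # address/port pair -> dissector

def heur_rtp(p):
    # Accept if the RTP version field (top two bits of byte 0) is 2.
    return len(p) >= 12 and p[0] >> 6 == 2

def heur_dns(p):
    # Accept if the 12-byte header has a plausible opcode and record counts.
    if len(p) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", p[:12])
    return ((flags >> 11) & 0xF) <= 2 and qd >= 1 and qd + an + ns + ar < 64

HEURISTICS = [("rtp", heur_rtp), ("dns", heur_dns)]  # called one by one

def conv_key(src, sport, dst, dport):
    return tuple(sorted([(src, sport), (dst, dport)]))  # same key both directions

def identify(src, sport, dst, dport, payload):
    conv = CONVERSATIONS.get(conv_key(src, sport, dst, dport))
    if conv:
        return conv, "conversation"
    for port in sorted((sport, dport)):
        if port in PORT_TABLE:
            return PORT_TABLE[port], "port"
    for name, accepts in HEURISTICS:
        if accepts(payload):
            return name, "heuristic"
    return "data", "none"

def dns_query(txid):
    # Constructed sample: standard query for example.com, type A, class IN.
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"

# Constructed sample: 12-byte RTP header (version 2) plus 20 payload bytes.
RTP_PACKET = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x11223344) + b"\x00" * 20

if __name__ == "__main__":
    a, b = "192.0.2.1", "192.0.2.2"   # constructed documentation addresses
    print(identify(a, 40000, b, 5060, dns_query(0x1234)))   # DNS on the SIP port
    print(identify(a, 40000, b, 40001, dns_query(0x1234)))  # heuristic match
    print(identify(a, 40000, b, 40001, dns_query(0x9ABC)))  # heuristic misfire
    print(identify(a, 40002, b, 53, RTP_PACKET))            # RTP labelled by port
    CONVERSATIONS[conv_key(a, 40002, b, 53)] = "rtp"        # set by a control protocol
    print(identify(b, 53, a, 40002, RTP_PACKET))            # conversation wins
```
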
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users