Wireshark mailing list archives

Re: Differentiating different protocols in UDP packet


From: Anders Broman <a.broman () bredband net>
Date: Thu, 24 Feb 2011 08:14:20 +0100

Vinay Kumar L skrev 2011-02-24 07:14:
Hi All,

I have a doubt regarding differentiating different protocols in a UDP packet by Wireshark. Protocols like DNS, RTP, etc. use UDP, so after the UDP header the corresponding headers (DNS, RTP, etc.) appear in the Wireshark capture. How does Wireshark determine the particular protocol headers after the UDP header in a UDP packet, as the packet contains a bulk of data (headers, payload) after the UDP header? Does each protocol have a specific id for identification? If yes, which part of the header contains that id field?
Please guide me.

Thanks and Best Regards,
Vinay
The basic mechanism is that the UDP dissector has a uint dissector table where protocol dissectors can register by port, normally the "well known" or "registered" port; many dissectors also have a preference setting for the port(s) to register with. Obviously this can lead to packets for one protocol being (mis)interpreted as a different one. Secondly there is a heuristic dissector table where dissectors can register; dissectors in that table will be called one by one and each dissector tries to determine whether the packet belongs to it or not. If not, it returns FALSE and the next dissector in turn is tried. This isn't fail-safe either.
Thirdly, if a control protocol is used to set up the UDP stream (i.e. RTP), a conversation can be set up with a conversation dissector, and all packets in that conversation (source/destination IP/port pair) will then be handed to the conversation dissector.

In short, there is no fail-safe way to determine what protocol is running on top of UDP; you will have to know something about the environment your trace is taken in, such as which ports are used by the protocols if the standard ports aren't used.
Regards
Anders

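The three lookups Anders describes, modelled as an added Python example (not code from the thread or from Wireshark itself): a port table, a heuristic table and a conversation table, consulted in the order Wireshark uses by default (conversation match, then port table with the lower port first, then heuristics). The table entries, addresses, ports and payload bytes are all constructed for the example; the last two cases show why a port match alone can mislabel a packet and why nothing claims an unknown one.

```python
from dataclasses import dataclass

@dataclass
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def heur_rtp(pkt):
    """Heuristic RTP check: version bits (top two of byte 0) must be 2 and a
    12-byte fixed header must be present. Returns False to hand the packet on."""
    return len(pkt.payload) >= 12 and pkt.payload[0] >> 6 == 2

# 1. Port-based table (Wireshark's "udp.port"); the entries here are constructed.
PORT_TABLE = {53: "dns", 5060: "sip"}
# 2. Heuristic table: tried in order until one dissector claims the packet.
HEURISTICS = [("rtp", heur_rtp)]
# 3. Conversation table: filled by a control protocol (e.g. SDP carried in SIP)
#    that announced which address/port pairs the media stream will use.
CONVERSATIONS = {}

def conv_key(ip_a, port_a, ip_b, port_b):
    return frozenset({(ip_a, port_a), (ip_b, port_b)})  # direction-independent

def register_conversation(ip_a, port_a, ip_b, port_b, proto):
    CONVERSATIONS[conv_key(ip_a, port_a, ip_b, port_b)] = proto

def decode_udp(pkt):
    """Return (protocol, mechanism) the way the UDP dissector would pick it."""
    key = conv_key(pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if key in CONVERSATIONS:
        return CONVERSATIONS[key], "conversation"
    for port in sorted((pkt.sport, pkt.dport)):  # lower port number tried first
        if port in PORT_TABLE:
            return PORT_TABLE[port], "port"  # called unconditionally: may be wrong
    for name, heur in HEURISTICS:
        if heur(pkt):
            return name, "heuristic"
    return "data", "none"  # nothing claimed it; shown as raw data

# Constructed sample payloads: a 12-byte DNS-like header and a 12-byte RTP-like header.
DNS_QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000")
RTP_FRAME = bytes.fromhex("8008 0001 0000 00a0 dead beef")

def demo():
    register_conversation("10.0.0.1", 49170, "10.0.0.2", 49172, "rtp")  # from SDP
    return {
        "dns_on_53": decode_udp(UdpPacket("10.0.0.1", 40001, "10.0.0.53", 53, DNS_QUERY)),
        "rtp_in_conv": decode_udp(UdpPacket("10.0.0.2", 49172, "10.0.0.1", 49170, RTP_FRAME)),
        "rtp_by_heur": decode_udp(UdpPacket("10.0.0.1", 40002, "10.0.0.9", 40000, RTP_FRAME)),
        "rtp_on_53": decode_udp(UdpPacket("10.0.0.1", 40003, "10.0.0.9", 53, RTP_FRAME)),
        "unknown": decode_udp(UdpPacket("10.0.0.1", 40004, "10.0.0.9", 40000, b"hello world!")),
    }
```

The "rtp_on_53" case is the mislabelling Anders warns about: the port table hands an RTP frame to the DNS dissector without any content check, so "Decode As" or a port preference is needed when a protocol runs on a non-standard port.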

___________________________________________________________________________
Sent via:    Wireshark-users mailing list<wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request () wireshark org?subject=unsubscribe
