We have just ventured into wireshark. We notice the protocol field. How does wireshark determines the protocol is it based on the port number or level 3 protocol numbers? For instance DNS what does it look out for? asked 19 May '13, 01:25 newbie14 |
One Answer:
About the same way your system is recognizing which process to send the received packets to. First of wireshark read the link layer type from the interface it is capturing from. It then knows which protocol to use for the dissection of the first octets in the packet. Let's assume ethernet. Wireshark will dissect the destination and source mac address and then it will read the ethertype field (assuming it is a Ethernet-II frame, which is the most common). The ethertype will point to the protocol that was carried in the ethernet frame. Examples are 0x0806 for ARP or 0x0800 for IP. So assuming IP, wireshark will call the IP dissector passing along the payload from the ethernet frame. The IP dissector will dissect all the IP headers and will look at the "protocol" field to determine which dissector to pass the payload to. Examples are 1 for ICMP, 6 for TCP and 17 for UDP. Assuming UDP, the UDP dissector will dissect the UDP header and will look at the ports to determine which dissector it will send the payload to. Since there are two ports, wireshark has some rules to determine which port to follow. It will try to map a packet to a conversation. If a packet does not belong to a conversation, the destination port will be examined first as the biggest chance is that it is a request and then the destination port is linked to the protocol in use (yes, UDP and TCP dissectors will register themselves to port numbers). Sometimes dynamic dissecting is done by examining packets which will hint that a new session will arrive. Like the FTP PORT command will indicate that a new TCP session will be created which should be treated as FTP-DATA. So wireshark then adds a conversation with the ports from the port command to make sure the session will be interpreted as ftp-data. There are also hearistic dissectors. They will examine the payload of the packet to determine if the data matches its protocol specification, if so, it will dissect the packet. If not, it will tell Wireshark to try another dissector. So, wireshark uses a colelction of mechanisms to determine which protocol it should use to dissect the data. answered 19 May '13, 02:22 SYN-bit ♦♦ |
when you state this "It then knows which protocol to use for the dissection of the first octets in the packet." IS this protocol known or avaialable as open source? I can pretty much follow it from the level 3 once it determine the protocol it goes high to application level and try to determine the protocol if it fails then it shows the level 3 protocol? Am I right here? Is there any reference avaialable on how wireshark does its protocol dissection?
With "It then knows which protocol to use for the dissection of the first octets in the packet." I meant: If the interfaces link layer type is ethernet, then wireshark knows that it needs to start with the ethernet dissector. And if the link layer type was PPP, it knows it needs to start with the PPP dissector.
Yes, if wireshark can't determine how to dissect a certain payload, it will stop dissection there. So if the TCP dissector is not able to determine the type of payload, it will show up as data and the info column will display the TCP information instead of higher-layer information.
There is no reference on how wireshark does its protocol dissection. However, you might learn from the developer documentation or the source code of the dissector of interest :-)
@Syn-Bin I went to this link http://anonsvn.wireshark.org/viewvc/trunk/doc/packet-PROTOABBREV.c?revision=48861&view=markup is it the relevant code for protocol dissection ?