Does anybody know how Wireshark identifies P2P traffic? Port number, or payload checking? asked 11 Apr '11, 12:27 LeviVic
One Answer:
The bittorrent dissector registers itself as a heuristic dissector to tcp. The heuristic works by first ensuring that the TCP payload is at least 20 bytes in length, that the first byte is equal to the value of 19 (0x13), and that the 19 bytes following that value are equal to the string, "BitTorrent protocol". If all of that is true, then the payload is assumed to be bittorrent traffic; otherwise, it's assumed not to be. answered 12 Apr '11, 12:16 cmaynard ♦♦
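The heuristic described in the answer, re-implemented as a stand-alone Python function so it can be run against constructed payloads. This is an added example, not Wireshark's own dissector code; the sample payloads, the helper names and the classification function are assumptions made for the illustration.

```python
# Added example: re-implementation of the BitTorrent handshake heuristic described
# in the answer above. Not Wireshark's code; the function names are hypothetical.

BT_PSTRLEN = 0x13                              # first byte: 19, the length of the protocol string
BT_PSTR = b"BitTorrent protocol"               # the 19-byte protocol string that must follow


def looks_like_bittorrent(tcp_payload: bytes) -> bool:
    """Return True if a single TCP segment payload matches the handshake heuristic.

    Mirrors the three checks from the answer: at least 20 bytes, first byte 0x13,
    and bytes 1..19 equal to "BitTorrent protocol".
    """
    if len(tcp_payload) < 20:
        return False
    if tcp_payload[0] != BT_PSTRLEN:
        return False
    return tcp_payload[1:20] == BT_PSTR


def classify_payloads(payloads: dict) -> dict:
    """Run the heuristic over a name -> payload mapping and return name -> bool."""
    return {name: looks_like_bittorrent(p) for name, p in payloads.items()}


# Constructed sample payloads (not captured traffic). The handshake follows the
# 68-byte layout pstrlen(1) + pstr(19) + reserved(8) + info_hash(20) + peer_id(20);
# the info_hash and peer_id here are filler values.
SAMPLES = {
    "bt_handshake": (bytes([BT_PSTRLEN]) + BT_PSTR + bytes(8)       # reserved bits
                     + bytes(20)                                    # placeholder info_hash
                     + b"-XX0001-" + bytes(12)),                    # placeholder peer_id
    "http_get": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "too_short": bytes([BT_PSTRLEN]) + b"BitTorr",                  # fails the 20-byte check
    "wrong_first_byte": bytes([0x14]) + BT_PSTR + bytes(48),        # fails the 0x13 check
    "wrong_string": bytes([BT_PSTRLEN]) + b"BitTorrent Protocol" + bytes(48),  # case differs
}


if __name__ == "__main__":
    for name, matched in classify_payloads(SAMPLES).items():
        print(f"{name:>17}: {'bittorrent' if matched else 'not bittorrent'}")
```

Note that this checks one segment in isolation: only the handshake carries the magic string, so a segment-by-segment check like this one flags the first message of a session and nothing after it. A protocol dissector that wants later segments decoded as well has to remember the match per conversation, and a detection rule that keys only on this prefix will miss peers whose handshake was not captured.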
Thanks, you are quite right. How about other P2P protocols? Does Wireshark have the ability to detect them?
Each p2p protocol would have to be checked individually.