It is in fact a two-step procedure.
As you can see if you right-click on an SSDP packet in the packet list and choose Decode as... in Wireshark 2.0.x, the criterion to choose the HTTP dissector is "UDP port 1900".
Based on the HTTP payload contents, the HTTP dissector itself finds out that this particular packet is an SSDP one and marks it as such in the packet list pane. But here you have to look into the HTTP dissector code to find the exact criteria used.
Is it possible that another standard packet capture software detects this traffic as HTTP?
This detection is normally a matter of packet analysis part of any software. If you are looking for a capture filter limiting the capture to these packets, the right one in tcpdump notation (also used by the Wireshark suite) would be `udp and port 1900`. To reduce the amount of captured data, you might want to extend it with `and host 239.0.0.0/8`, i.e. to further limit the capture to the private IPv4 multicast range. The code performing further analysis would then have to find out by contents whether packets matching this condition can actually be dissected as HTTP/SSDP ones. Note that in the tcpdump capture filter syntax, the well-known services have got textual aliases for port numbers, so `tcp and port http` is actually equal to `tcp and port 80`.
answered 13 Mar '16, 09:26
sindy
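The two-step idea from the answer above (select by UDP port 1900, then decide by payload contents), as an added example that is not part of the original answer and is not Wireshark's code. The content rules (M-SEARCH/NOTIFY request lines, ST and USN headers in responses), the function names and the sample datagrams are assumptions constructed for illustration.

```python
SSDP_PORT = 1900
SSDP_METHODS = {"M-SEARCH", "NOTIFY"}  # assumed SSDP request methods

def parse_http_like(payload: bytes):
    """Return (start-line tokens, headers) or None if not HTTP-shaped text."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None  # binary payload that merely uses port 1900
    tokens = lines[0].split(" ", 2)
    if len(tokens) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            continue  # tolerate a truncated header block
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().upper()] = value.strip()
    return tokens, headers

def classify(src_port: int, dst_port: int, payload: bytes) -> str:
    # Step 1: port-based selection, same condition as "udp and port 1900".
    if SSDP_PORT not in (src_port, dst_port):
        return "not-selected"
    # Step 2: content-based decision (assumed rules, not Wireshark's own).
    parsed = parse_http_like(payload)
    if parsed is None:
        return "udp-1900-other"
    tokens, headers = parsed
    if tokens[0].startswith("HTTP/"):
        # Search responses are unicast and carry ST and USN headers.
        return "ssdp-response" if {"ST", "USN"} <= headers.keys() else "http-like"
    if len(tokens) == 3 and tokens[0] in SSDP_METHODS and tokens[1] == "*":
        return "ssdp-request"
    return "http-like"

# Constructed sample datagrams (not taken from a real capture).
MSEARCH = (b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
           b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
RESPONSE = (b'HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n'
            b'ST: upnp:rootdevice\r\nUSN: uuid:example::upnp:rootdevice\r\n\r\n')
BINARY = b'\x00\x01\xff\xfe'

if __name__ == "__main__":
    for sp, dp, data in [(50000, 1900, MSEARCH), (1900, 50000, RESPONSE),
                         (50000, 1900, BINARY), (50000, 80, MSEARCH)]:
        print(sp, dp, classify(sp, dp, data))
```

The "udp-1900-other" and "http-like" results are the cases worth reviewing in a capture: traffic on the SSDP port that does not look like SSDP.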
I'm afraid you'll have to reword your question. Are you asking why the protocol name shown in the packet list is SSDP (and maybe how to change it to HTTP), or are you asking how does Wireshark know (i.e. what criteria it uses to determine) that it should dissect these packets as HTTP ones?
Hello.
You said my question in better words. In fact my question is:
how does Wireshark know (i.e. what criteria it uses to determine) that it should dissect these packets as SSDP ones?
Is it possible that another standard packet capture software detects this traffic as HTTP?
TNX.