 | 1 | initial version |
What is the algorithm wireshark uses to know what the next protocol is to decode?
It's a combination of testing the port numbers of the endpoints and looking at the packet data to see what it looks like.
I assume WireShark will decode it properly
There's no guarantee of that. If, for the protocol in question, there's a "heuristic dissector", which looks at the packet data, then, if the data matches what the heuristic dissector is expecting, it'll be dissected properly if neither a by-port-number match succeeds first or another heuristic dissector match succeeds first.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
