It depends on the protocol. As an example, Ethernet has an ethertype field which indicates the next protocol. This is not 100% as unregistered ethertypes can be used or hijacked by other protocols. IP has a protocol field indicating the next protocol. UDP and TCP do not indicate the next protocol, but IANA has a port registry for well-known ports. In all these cases Wireshark offers to configure a different protocol than the standard one or, in case of unregistered values, define a protocol. Wireshark also has heuristic functions which try to determine the actual protocol by reading a number of bytes.
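The lookup order described in the answer above (ethertype, then the IP protocol field, then the port registry, with a user override and a byte-level heuristic as fallback), as an added Python example that is not part of the original answer and not Wireshark's code. The table excerpts, the `decode_as` mapping and its field names, the heuristic rules and the sample frames from `build_frame` are all constructed for illustration.

```python
import struct

# Small excerpts of the registries the answer mentions (not complete).
ETHERTYPES = {0x0800: "ipv4", 0x86DD: "ipv6", 0x0806: "arp"}
IP_PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}
PORTS = {53: "dns", 80: "http", 443: "tls"}

def heuristic(payload):
    """Guess the protocol from its first bytes when no table entry matches."""
    if payload[:4] in (b"GET ", b"POST", b"HTTP"):
        return "http"
    if payload[:2] == b"\x16\x03":  # TLS handshake record, major version 3
        return "tls"
    return "data"

def dissect(frame, decode_as=None):
    """Return the protocol chain of an Ethernet II frame with complete headers.
    decode_as maps (field, value) -> protocol and takes priority over the tables."""
    overrides = decode_as or {}
    def lookup(field, value, registry):
        return overrides.get((field, value)) or registry.get(value)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    chain = ["eth", lookup("ethertype", ethertype, ETHERTYPES) or "data"]
    if chain[-1] != "ipv4":
        return chain
    ip = frame[14:]
    chain.append(lookup("ip.proto", ip[9], IP_PROTOS) or "data")
    if chain[-1] not in ("tcp", "udp"):
        return chain
    seg = ip[(ip[0] & 0x0F) * 4:]  # skip the IPv4 header (IHL is in 32-bit words)
    sport, dport = struct.unpack("!HH", seg[:4])
    hdr = (seg[12] >> 4) * 4 if chain[-1] == "tcp" else 8
    field = chain[-1] + ".port"
    app = lookup(field, dport, PORTS) or lookup(field, sport, PORTS)
    chain.append(app or heuristic(seg[hdr:]))  # no port match: inspect the bytes
    return chain

def build_frame(dport, payload, ethertype=0x0800, sport=40000):
    """Constructed sample: Ethernet II / IPv4 / TCP, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return bytes(12) + struct.pack("!H", ethertype) + ip + tcp + payload
```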