Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Because not all network protocols have a property in the protocol data, or in the protocol atop which the protocol in question runs, that allows it to be uniquely identified as traffic for a given protocol. Therefore, Wireshark uses heuristics to try to identify the protocol as best as it can, but heuristics can guess incorrectly.

The current heuristic for Skype is "a UDP packet with 3 or more bytes, and with the lower 4 bits of the 3rd byte being one of 0x2, 0x3, 0x5, 0x7, 0xd, or 0xf, is assumed to be a Skype packet". That's a rather weak heuristic; perhaps it could be strengthened - the code has the comment "FIXME: Extend this by minimum or exact length per message type".