
how does wireshark dissect the protocol above TCP?

asked 2017-12-23 15:04:20 +0000 by anshaohui, updated 2017-12-24 12:13:38 +0000 by grahamb

In this packet:

No.     Time                          Source                Destination           Protocol Length Info
      5 2012-01-18 13:49:07.908220          FTP      65     Request: USER root

Frame 5: 65 bytes on wire (520 bits), 65 bytes captured (520 bits)
Ethernet II, Src: Wistron_31:77:41 (00:1f:16:31:77:41), Dst: Zte_03:da:35 (00:19:c6:03:da:35)
Internet Protocol Version 4, Src:, Dst:   
Transmission Control Protocol, Src Port: 56053, Dst Port: 21, Seq: 1, Ack: 22, Len: 11    
    Source Port: 56053
    Destination Port: 21
    [Stream index: 0]
    [TCP Segment Len: 11]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 12    (relative sequence number)]
    Acknowledgment number: 22    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window size value: 16419
    [Calculated window size: 65676]
    [Window size scaling factor: 4]
    Checksum: 0xb6e1 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
    TCP payload (11 bytes)
File Transfer Protocol (FTP)
    USER root\r\n
        Request command: USER
        Request arg: root

From the TCP layer, there is no information indicating that the upper application is FTP, so how does Wireshark know it? Thanks.


1 Answer


answered 2017-12-23 15:29:45 +0000 by grahamb, updated 2017-12-24 14:22:13 +0000 by Jaap

Port number. Most dissectors running atop TCP register by an assigned or "known" port number.



Jasper (2017-12-24 11:32:55 +0000)

Thanks for your response. I have some SMPP (Short Message Peer-to-Peer) capture files with different tcp.port numbers, but Wireshark could dissect them correctly. In Wireshark, under Edit > Preferences > Protocols > SMPP, the port number setting is 0. Is there another reason Wireshark dissects it?

anshaohui (2017-12-25 08:03:23 +0000)

Note the "most" qualification in my answer.

SMPP registers as a "heuristic" dissector with both TCP and X.25 and as such, is called if the packet isn't "claimed" by another dissector. The TCP dissector has a preference setting to try heuristic dissectors first, before port registered dissectors.

grahamb (2017-12-26 14:17:24 +0000)
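As an added illustration of the two lookups described in the answer and its comments (this is constructed example code, not the answerer's and not Wireshark's own dissector code), the following Python models how a TCP payload is handed to a protocol dissector: first by the registered port number, then by heuristic dissectors that inspect the payload bytes, with a preference flag that reverses the order. The port table, the SMPP header check, the sample packets and the "lower port first" ordering are all assumptions made for the example; the real SMPP heuristic in Wireshark applies more checks than the simplified one here.

```python
"""Model of TCP sub-dissector selection: port-registered dissectors versus
heuristic dissectors, and the effect of a "try heuristics first" preference.
Constructed example; it is not Wireshark's code."""
import struct
from typing import Callable, List, Optional, Tuple

# Port-registered dissectors, the equivalent of Wireshark's "tcp.port" table.
# Constructed: only FTP on port 21 is registered here.
PORT_TABLE = {21: "FTP"}

# Subset of SMPP 3.4 command_id values used by the constructed heuristic:
# bind_receiver, bind_transmitter, submit_sm, bind_transceiver, enquire_link
# and their *_resp counterparts (high bit set).
SMPP_COMMAND_IDS = {
    0x00000001, 0x00000002, 0x00000004, 0x00000009, 0x00000015,
    0x80000001, 0x80000002, 0x80000004, 0x80000009, 0x80000015,
}


def smpp_heuristic(payload: bytes) -> bool:
    """Simplified heuristic: claim the payload only if it begins with a
    plausible 16-byte SMPP PDU header (command_length >= 16 and a known
    command_id). A real heuristic dissector checks more than this."""
    if len(payload) < 16:
        return False
    command_length, command_id = struct.unpack("!II", payload[:8])
    return command_length >= 16 and command_id in SMPP_COMMAND_IDS


# Heuristic dissectors registered on TCP, tried in order until one claims the data.
HEURISTICS: List[Tuple[str, Callable[[bytes], bool]]] = [("SMPP", smpp_heuristic)]


def dissect_tcp_payload(src_port: int, dst_port: int, payload: bytes,
                        try_heuristics_first: bool = False) -> Tuple[str, Optional[str]]:
    """Return (protocol name, how it was chosen), where how is "port",
    "heuristic", or None when nothing claimed the payload."""

    def by_port() -> Optional[str]:
        # Assumed ordering: try the lower-numbered port first, since the
        # well-known service port is usually the smaller of the two.
        for port in sorted((src_port, dst_port)):
            if port in PORT_TABLE:
                return PORT_TABLE[port]
        return None

    def by_heuristic() -> Optional[str]:
        for name, check in HEURISTICS:
            if check(payload):
                return name
        return None

    order = (by_heuristic, by_port) if try_heuristics_first else (by_port, by_heuristic)
    for attempt in order:
        name = attempt()
        if name is not None:
            return name, ("heuristic" if attempt is by_heuristic else "port")
    return "data", None


# Constructed sample payloads.
FTP_USER = b"USER root\r\n"  # the 11-byte TCP payload of frame 5 in the question


def smpp_bind_transceiver(seq: int = 1) -> bytes:
    """Build a minimal bind_transceiver PDU (constructed values)."""
    body = (b"smppclient\x00"      # system_id
            + b"secret\x00"        # password
            + b"\x00"              # system_type (empty)
            + bytes([0x34, 0, 0])  # interface_version 3.4, addr_ton, addr_npi
            + b"\x00")             # address_range (empty)
    header = struct.pack("!IIII", 16 + len(body), 0x00000009, 0, seq)
    return header + body


SMPP_BIND = smpp_bind_transceiver()


def demo() -> dict:
    """Show each dispatch path on the constructed packets."""
    return {
        "ftp_by_port": dissect_tcp_payload(56053, 21, FTP_USER),
        "smpp_on_unregistered_port": dissect_tcp_payload(50000, 2775, SMPP_BIND),
        "smpp_on_port_21_default": dissect_tcp_payload(50000, 21, SMPP_BIND),
        "smpp_on_port_21_heuristics_first": dissect_tcp_payload(50000, 21, SMPP_BIND, True),
        "unclaimed": dissect_tcp_payload(40000, 50000, b"\x00" * 8),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The third and fourth cases show why the preference matters: SMPP traffic carried on a port another dissector has registered (here port 21, chosen only to make the point) is labelled FTP under the default order, and is recognised as SMPP only when heuristic dissectors are tried first.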




Asked: 2017-12-23 15:04:20 +0000

Seen: 624 times

Last updated: Dec 24 '17