Ask Your Question
0

How do I know what the upper layer protocol is above TCP or UDP?

asked 2020-11-20 07:17:40 +0000

updated 2020-11-20 08:52:29 +0000

Guy Harris gravatar image

In an Ethernet Frame, the ethertype specifies the upper layer. The IP will specify protocol layer above. Let's say you have TCP layer, and then some traffic on a "random port" 8080. It could be HTTP, or it could not be since it is not a registered port. Same with UDP protocol. You just know which port you are going to, but that doesn't guarantee the protocol for decoding.

What is the algorithm wireshark uses to know what the next protocol is to decode? You can run HTTP protocol on any other port. I assume WireShark will decode it properly, but is it just port numbers used to decode layers above UDP/TCP or what? There are ports that are used by multiple protocols so somehow WireShark would have to decide how to decode it properly.

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
0

answered 2020-11-20 09:10:20 +0000

grahamb gravatar image

Most dissectors that run on tcp or udp explicitly register their association on specific ports, usually those registered with IANA or commonly used in practice and some dissectors have preference settings to allow ports (or a range) to be specified.

The association can be overridden by a user with the "Decode As ..." option.

Other dissectors are heuristic, in that they will inspect a number of octets in the data and determine if this is "their" protocol. Options exist to allow heuristic dissectors first run at data, rather than registered ones (tcp\udp; "Try heuristic dissectors first"). Heuristic dissectors can be fooled and wrongly dissect traffic that isn't "theirs", that's why the option to try them first is off by default.

The default port range for the HTTP dissector is 80,3128,3132,5985,8080,8088,11371,1900,2869,2710

edit flag offensive delete link more

Comments

The protocol are custom that run directly over TCP/UDP so they aren't registered with IANA and use dynamic port selection and does overlap with some of the HTTP ports you listed even to it isn't HTTP traffic. I'll ponder on what you said and try to figure the best way to go about it. Thank you very much.

mrhee2u gravatar imagemrhee2u ( 2020-11-20 09:36:54 +0000 )edit

The http dissector exposes those ports as a preference so the overlap could be eliminated (and that setting held in a profile), but all users would have to do that. Similarly you could disable the http dissector in a profile.

grahamb gravatar imagegrahamb ( 2020-11-20 09:40:23 +0000 )edit

Where in the source code would I be able to look at the entirety of what is currently mapped in the WireShark code? or do I need to go through each dissector?

mrhee2u gravatar imagemrhee2u ( 2020-11-20 09:40:36 +0000 )edit

The info is visible in the UI, View -> Internals -> Dissector Tables, then look at tcp.port and udp.port. I don't think there is a way to dump them out with tshark, the -G dissector-tables option just lists the tables, not their contents. The default info is in each dissector where it registers with the tcp\udp dissector table, look for dissector_add_uint_with_preference("tcp.port", ... and similar for "udp.port".

If an answer has solved your issue, please indicate the most appropriate one by clicking the checkmark icon to the left of it.

grahamb gravatar imagegrahamb ( 2020-11-20 09:48:02 +0000 )edit
0

answered 2020-11-20 08:52:00 +0000

Guy Harris gravatar image

What is the algorithm wireshark uses to know what the next protocol is to decode?

It's a combination of testing the port numbers of the endpoints and looking at the packet data to see what it looks like.

I assume WireShark will decode it properly

There's no guarantee of that. If, for the protocol in question, there's a "heuristic dissector", which looks at the packet data, then, if the data matches what the heuristic dissector is expecting, it'll be dissected properly if neither a by-port-number match succeeds first or another heuristic dissector match succeeds first.

edit flag offensive delete link more
0

answered 2020-11-20 08:42:30 +0000

hugo.vanderkooij gravatar image

It depends on your configuration.

Edit => Preferences => Protocols. Then pick your protocol and see on which port(s) it will normally detect.

If you hit traffic on another port then it will not be decoded b default. However you can just right click on a relevant packet (SYN packets are not the best for this) and tell Wireshark to decode traffic on this port as the protocol you want.

If this hapens a lot I suggest you add the port to protocol settings. If it only happens once I wouldn't bother with that.

Regards, Hugo.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-11-20 07:17:40 +0000

Seen: 32 times

Last updated: Nov 20