Ask Your Question
0

How do I know what the upper layer protocol is above TCP or UDP?

asked 2020-11-20 07:17:40 +0000

mrhee2u gravatar image

updated 2020-11-20 08:52:29 +0000

Guy Harris gravatar image

In an Ethernet Frame, the ethertype specifies the upper layer. The IP will specify protocol layer above. Let's say you have TCP layer, and then some traffic on a "random port" 8080. It could be HTTP, or it could not be since it is not a registered port. Same with UDP protocol. You just know which port you are going to, but that doesn't guarantee the protocol for decoding.

What is the algorithm wireshark uses to know what the next protocol is to decode? You can run HTTP protocol on any other port. I assume WireShark will decode it properly, but is it just port numbers used to decode layers above UDP/TCP or what? There are ports that are used by multiple protocols so somehow WireShark would have to decide how to decode it properly.

edit retag flag offensive close merge delete
add a comment

3 Answers

Sort by ยป oldest newest most voted
0

answered 2020-11-20 09:10:20 +0000

grahamb gravatar image

Most dissectors that run on tcp or udp explicitly register their association on specific ports, usually those registered with IANA or commonly used in practice and some dissectors have preference settings to allow ports (or a range) to be specified.

The association can be overridden by a user with the "Decode As ..." option.

Other dissectors are heuristic, in that they will inspect a number of octets in the data and determine if this is "their" protocol. Options exist to allow heuristic dissectors first run at data, rather than registered ones (tcp\udp; "Try heuristic dissectors first"). Heuristic dissectors can be fooled and wrongly dissect traffic that isn't "theirs", that's why the option to try them first is off by default.

The default port range for the HTTP dissector is 80,3128,3132,5985,8080,8088,11371,1900,2869,2710

edit flag offensive delete link more

Comments

The protocol are custom that run directly over TCP/UDP so they aren't registered with IANA and use dynamic port selection and does overlap with some of the HTTP ports you listed even to it isn't HTTP traffic. I'll ponder on what you said and try to figure the best way to go about it. Thank you very much.

mrhee2u gravatar imagemrhee2u ( 2020-11-20 09:36:54 +0000 )edit

The http dissector exposes those ports as a preference so the overlap could be eliminated (and that setting held in a profile), but all users would have to do that. Similarly you could disable the http dissector in a profile.

grahamb gravatar imagegrahamb ( 2020-11-20 09:40:23 +0000 )edit

Where in the source code would I be able to look at the entirety of what is currently mapped in the WireShark code? or do I need to go through each dissector?

mrhee2u gravatar imagemrhee2u ( 2020-11-20 09:40:36 +0000 )edit

The info is visible in the UI, View -> Internals -> Dissector Tables, then look at tcp.port and udp.port. I don't think there is a way to dump them out with tshark, the -G dissector-tables option just lists the tables, not their contents. The default info is in each dissector where it registers with the tcp\udp dissector table, look for dissector_add_uint_with_preference("tcp.port", ... and similar for "udp.port".

If an answer has solved your issue, please indicate the most appropriate one by clicking the checkmark icon to the left of it.

grahamb gravatar imagegrahamb ( 2020-11-20 09:48:02 +0000 )edit
add a comment
0

answered 2020-11-20 08:52:00 +0000

Guy Harris gravatar image

What is the algorithm wireshark uses to know what the next protocol is to decode?

It's a combination of testing the port numbers of the endpoints and looking at the packet data to see what it looks like.

I assume WireShark will decode it properly

There's no guarantee of that. If, for the protocol in question, there's a "heuristic dissector", which looks at the packet data, then, if the data matches what the heuristic dissector is expecting, it'll be dissected properly if neither a by-port-number match succeeds first or another heuristic dissector match succeeds first.

edit flag offensive delete link more
add a comment
0

answered 2020-11-20 08:42:30 +0000

hugo.vanderkooij gravatar image

It depends on your configuration.

Edit => Preferences => Protocols. Then pick your protocol and see on which port(s) it will normally detect.

If you hit traffic on another port then it will not be decoded b default. However you can just right click on a relevant packet (SYN packets are not the best for this) and tell Wireshark to decode traffic on this port as the protocol you want.

If this hapens a lot I suggest you add the port to protocol settings. If it only happens once I wouldn't bother with that.

Regards, Hugo.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-11-20 07:17:40 +0000

Seen: 3,710 times

Last updated: Nov 20 '20

Related questions

How to get TLSv1.2 to decode

Problems decoding BLE capture from another Wireshark program

How to capture UDP traffic and not NBNS traffic?

Fix IPv6 identification for pflogs

No HTTP protocols in scan results

how to save a special values in tshark

How to observe Message Session Relay Protocol packets

Seeking explanation on bytes count in 'Protocol hierarchy'

how does wireshark calculate phi and psi angle decode values for beamforming Report

Wireshark 2.4.5 NFS v3 Write decoding

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2