How Wireshark determines the protocol of each packet or flow when decoding a given pcap file

asked 2025-03-31 06:40:46 +0000

Dear Wireshark Team,

We are currently conducting research focused on analyzing various types of application traffic and malicious traffic, with the goal of classifying them using deep learning techniques.

In this process, Wireshark has been an invaluable tool and is widely used in our research.

The reason I am reaching out via email is to ask about how Wireshark determines the protocol of each packet or flow when decoding a given pcap file.

From our observations, it seems that the protocol is often determined based on the port number. However, we would greatly appreciate a more objective explanation or documentation regarding the actual rules or logic used by Wireshark for protocol decoding.

A detailed explanation would be extremely helpful for our research.

Thank you very much for taking the time to read this email despite your busy schedule.


1 Answer


answered 2025-03-31 10:22:32 +0000

Anders

It depends on the protocol. As an example, Ethernet has an EtherType field which indicates the next protocol. This is not 100%, as unregistered EtherTypes can be used or hijacked by other protocols. IP has a protocol field indicating the next protocol. UDP and TCP do not indicate the next protocol, but IANA has a port registry for well-known ports. In all these cases Wireshark offers to configure a different protocol than the standard one or, in the case of unregistered values, to define a protocol. Wireshark also has heuristic functions which try to determine the actual protocol by reading a number of bytes.

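To make the layering in the answer above concrete, here is an added example (not Wireshark code, and not part of the original answer) of a toy dissector that follows the same chain: the EtherType selects the network layer, the IP protocol number selects the transport, a port table modelled on the IANA registry selects the application protocol, a user override table plays the role of Wireshark's "Decode As", and a heuristic that inspects the first bytes of the payload is the last resort. The registry tables are small subsets written for the example, the frames are constructed in-line with zeroed checksums, and the lookup order (override, then port, then heuristic) is a simplification of what Wireshark's TCP dissector actually does.

```python
import struct

# Small subsets of the real registries, constructed for this example.
ETHERTYPES = {0x0800: "ipv4", 0x86DD: "ipv6", 0x0806: "arp"}
IP_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
WELL_KNOWN_PORTS = {
    "tcp": {22: "ssh", 80: "http", 443: "tls"},
    "udp": {53: "dns", 123: "ntp"},
}
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")


def heuristic_app(payload):
    """Guess the application protocol from the first bytes, as a heuristic
    dissector would. Returns None when nothing matches."""
    if payload.startswith(HTTP_STARTS):
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04
    if len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 3 and payload[2] <= 4:
        return "tls"
    return None


def dissect(frame, decode_as=None):
    """Return the protocol stack of one Ethernet frame as a list of names.
    decode_as maps (transport, port) -> protocol and overrides the port table,
    like Wireshark's "Decode As"."""
    decode_as = decode_as or {}
    layers = ["eth"]
    if len(frame) < 14:
        return layers + ["malformed"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    net = ETHERTYPES.get(ethertype)
    if net != "ipv4":  # only IPv4 is decoded further in this toy
        return layers + [net or f"unknown-ethertype-0x{ethertype:04x}"]
    layers.append("ipv4")
    ip = frame[14:]
    if len(ip) < 20:
        return layers + ["malformed"]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    transport = IP_PROTOCOLS.get(ip[9])
    if transport not in ("tcp", "udp"):
        return layers + [transport or f"ip-proto-{ip[9]}"]
    layers.append(transport)
    seg = ip[ihl:total_len]
    hdr_len = (seg[12] >> 4) * 4 if transport == "tcp" and len(seg) >= 20 else 8
    if len(seg) < hdr_len:
        return layers + ["malformed"]
    sport, dport = struct.unpack("!HH", seg[:4])
    payload = seg[hdr_len:]
    # 1. explicit user override ("Decode As"), checked for either port
    for port in (dport, sport):
        if (transport, port) in decode_as:
            return layers + [decode_as[(transport, port)]]
    # 2. well-known port registry
    for port in (dport, sport):
        if port in WELL_KNOWN_PORTS[transport]:
            return layers + [WELL_KNOWN_PORTS[transport][port]]
    # 3. heuristic on payload bytes, else plain "data"
    return layers + [heuristic_app(payload) or "data"]


def build_frame(transport, sport, dport, payload):
    """Construct an Ethernet/IPv4/{TCP,UDP} frame for the example (checksums zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    if transport == "tcp":
        # ports, seq, ack, data offset 5 (20 bytes), flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
        proto = 6
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        proto = 17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4
    return eth + ip


if __name__ == "__main__":
    http = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    print(dissect(build_frame("tcp", 40000, 80, http)))                      # port table
    print(dissect(build_frame("tcp", 40000, 8080, http)))                    # heuristic
    print(dissect(build_frame("tcp", 40000, 8080, b"\xde\xad\xbe\xef")))     # nothing matches
    print(dissect(build_frame("tcp", 40000, 8080, b"\xde\xad\xbe\xef"),
                  {("tcp", 8080): "http"}))                                  # Decode As wins
    print(dissect(bytes(12) + b"\x88\xb5" + b"local experimental"))           # unregistered EtherType
```

The real equivalents of the override table are the "Decode As..." dialog in Wireshark and `tshark -d tcp.port==8080,http` on the command line; the point of the last two TCP cases is that a port override is applied regardless of what the payload looks like, while the heuristic only fires on payload content, so a classifier trained on Wireshark's labels inherits both behaviours.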

