Ask Your Question

I want to understand how Wireshark identifies the L7 applications correctly which are not running on standard port?

asked 2018-08-14 08:32:15 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I want to understand how Wireshark identifies the L7 applications correctly? I had my web server listening to port 8888, and I did wget http:server:8888 and got response. Wireshark correctly identified the application as http. How this is achieved?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-08-14 09:03:55 +0000

grahamb gravatar image

Heuristic dissectors.

A heuristic dissector, such as http, registers for all TCP traffic, and if there no dissector has registered for the port the traffic has been received on, then the TCP dissector calls each heuristic dissector in turn, and each dissector inspects the traffic and decides if it "looks right", and if so dissects it, else declines and passes the opportunity to the next dissector.

See README.heuristic for more info.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-08-14 08:32:15 +0000

Seen: 333 times

Last updated: Aug 14 '18