Revision history

How does Wireshark dissect the protocol above TCP?

No.     Time                          Source                Destination           Protocol Length Info
      5 2012-01-18 13:49:07.908220    10.46.206.14          10.46.212.81          FTP      65     Request: USER root

Frame 5: 65 bytes on wire (520 bits), 65 bytes captured (520 bits)
Ethernet II, Src: Wistron_31:77:41 (00:1f:16:31:77:41), Dst: Zte_03:da:35 (00:19:c6:03:da:35)
Internet Protocol Version 4, Src: 10.46.206.14, Dst: 10.46.212.81
Transmission Control Protocol, Src Port: 56053, Dst Port: 21, Seq: 1, Ack: 22, Len: 11
    Source Port: 56053
    Destination Port: 21
    [Stream index: 0]
    [TCP Segment Len: 11]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 12    (relative sequence number)]
    Acknowledgment number: 22    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window size value: 16419
    [Calculated window size: 65676]
    [Window size scaling factor: 4]
    Checksum: 0xb6e1 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
    TCP payload (11 bytes)

File Transfer Protocol (FTP)
    USER root\r\n
        Request command: USER
        Request arg: root

From the TCP layer, there is no info indicating that the upper application is FTP. How does Wireshark know it? Thanks.

Revision 2

How does Wireshark dissect the protocol above TCP?

No.     Time                          Source                Destination           Protocol Length Info
      5 2012-01-18 13:49:07.908220    10.46.206.14          10.46.212.81          FTP      65     Request: USER root

Frame 5: 65 bytes on wire (520 bits), 65 bytes captured (520 bits)
Ethernet II, Src: Wistron_31:77:41 (00:1f:16:31:77:41), Dst: Zte_03:da:35 (00:19:c6:03:da:35)
Internet Protocol Version 4, Src: 10.46.206.14, Dst: 10.46.212.81
Transmission Control Protocol, Src Port: 56053, Dst Port: 21, Seq: 1, Ack: 22, Len: 11
    Source Port: 56053
    Destination Port: 21
    [Stream index: 0]
    [TCP Segment Len: 11]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 12    (relative sequence number)]
    Acknowledgment number: 22    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window size value: 16419
    [Calculated window size: 65676]
    [Window size scaling factor: 4]
    Checksum: 0xb6e1 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
    TCP payload (11 bytes)

File Transfer Protocol (FTP)
    USER root\r\n
        Request command: USER
        Request arg: root

From the TCP layer, there is no info indicating that the upper application is FTP. How does Wireshark know it? Thanks.

Revision 3

How does Wireshark dissect the protocol above TCP?

In this packet:

No.     Time                          Source                Destination           Protocol Length Info
       5 2012-01-18 13:49:07.908220    10.46.206.14          10.46.212.81          FTP      65     Request: USER root

Frame 5: 65 bytes on wire (520 bits), 65 bytes captured (520 bits)
Ethernet II, Src: Wistron_31:77:41 (00:1f:16:31:77:41), Dst: Zte_03:da:35 (00:19:c6:03:da:35)
Internet Protocol Version 4, Src: 10.46.206.14, Dst: 10.46.212.81
Transmission Control Protocol, Src Port: 56053, Dst Port: 21, Seq: 1, Ack: 22, Len: 11
    Source Port: 56053
    Destination Port: 21
    [Stream index: 0]
    [TCP Segment Len: 11]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 12    (relative sequence number)]
    Acknowledgment number: 22    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window size value: 16419
    [Calculated window size: 65676]
    [Window size scaling factor: 4]
    Checksum: 0xb6e1 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
    TCP payload (11 bytes)
File Transfer Protocol (FTP)
    USER root\r\n
        Request command: USER
        Request arg: root

From the TCP layer, there is no info indicating that the upper application is FTP. How does Wireshark know it? Thanks.

How does Wireshark dissect the protocol above TCP?

In this packet:

No.     Time                          Source                Destination           Protocol Length Info
      5 2012-01-18 13:49:07.908220    10.46.206.14          10.46.212.81          FTP      65     Request: USER root

Frame 5: 65 bytes on wire (520 bits), 65 bytes captured (520 bits)
Ethernet II, Src: Wistron_31:77:41 (00:1f:16:31:77:41), Dst: Zte_03:da:35 (00:19:c6:03:da:35)
Internet Protocol Version 4, Src: 10.46.206.14, Dst: 10.46.212.81   
Transmission Control Protocol, Src Port: 56053, Dst Port: 21, Seq: 1, Ack: 22, Len: 11    
    Source Port: 56053
    Destination Port: 21
    [Stream index: 0]
    [TCP Segment Len: 11]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 12    (relative sequence number)]
    Acknowledgment number: 22    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window size value: 16419
    [Calculated window size: 65676]
    [Window size scaling factor: 4]
    Checksum: 0xb6e1 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
    TCP payload (11 bytes)
File Transfer Protocol (FTP)
    USER root\r\n
        Request command: USER
        Request arg: root

From the TCP layer, there is no info indicating that the upper application is FTP. How does Wireshark know it? Thanks.