Wireshark · Wireshark-dev: Re: [Wireshark-dev] Protocol identification for msnms

Wireshark-dev: Re: [Wireshark-dev] Protocol identification for msnms

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>

Date: Tue, 12 Dec 2006 23:38:55 +0000

wireshark detects when msnms is transported atop HTTP by looking at
the content-type of the HTTP header.

If content-type is "application/x-msn-messenger" then the payload
inside the HTTP packet is deemed to be msnms.

see proto_reg_handoff_msnms() in packet-msn-messenger.c



On 12/12/06, Trivedi, Nirav <ntrivedi@xxxxxxxxx> wrote:

Applying the filter: msnms  filters out the MSNMS protocol messages
regardless of the port number being used.  How is this done?

Example: In cases where the port number is 80 instead of 1863 which is
the default for MSNMS(i.e. tunneling the MSNMS protocol through HTTP),
wireshark is still able to identify the protocol as MSNMS and not just
HTTP.  From a development standpoint, how is this identification made?
Is it a deep packet inspection looking for a particular pattern in the
application layer data?  If so, what pattern?  Thanks.

-Nirav Trivedi

Follow-Ups:
- Re: [Wireshark-dev] Protocol identification for msnms
  - From: Trivedi, Nirav

References:
- [Wireshark-dev] Protocol identification for msnms
  - From: Trivedi, Nirav

Prev by Date: [Wireshark-dev] Protocol identification for msnms
Next by Date: [Wireshark-dev] Dificulties in dissecting some packets
Previous by thread: [Wireshark-dev] Protocol identification for msnms
Next by thread: Re: [Wireshark-dev] Protocol identification for msnms
Index(es):
- Date
- Thread