Wireshark-dev: Re: [Wireshark-dev] What kind of L7 protocols are dissected based on content ide
On Mar 2, 2009, at 12:46 AM, 王睿思 wrote:
> For example, supposing a packet used the protocols
> "IP-TCP-RTSP": when dissecting, how can dissect_tcp() find that its
> subdissector is dissect_rtsp()? Is it based on port identification or
> content identification?

It depends on the protocol. In the case of RTSP, it's done by port
identification; the RTSP dissector registers with the TCP dissector
with two port numbers (defaulting to 554 and 8554).
Other dissectors register with various dissectors as "heuristic"
dissectors; the heuristic dissectors get called, one after another,
and each of them checks the beginning of the data in the packet to see
if the packet looks as if it's a packet for their protocol - if it is,
they dissect the packet and return TRUE, so that none of the other
heuristic dissectors get called, otherwise they stop looking at the
packet data and return FALSE.

> Besides, is there any method to know the data type in the
> application layer? (e.g. if we could find the payload of RTSP is audio
> or video and so on)

That depends on the protocol. The payload of RTSP is an RTSP message;
that message might include a Content-Type: header that indicates what
the payload type for the message being set up is.
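
The two lookup styles described in the reply above (registration by port, and heuristic dissectors tried one after another), as an added example that is not part of the original message and is not Wireshark's code. It is a simplified C model: `pick_subdissector`, the two heuristic checks, the "data" fallback name and the port-before-heuristics ordering are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the two lookup styles; not Wireshark's real API. */
typedef bool (*heur_fn)(const uint8_t *data, size_t len);
struct port_reg { uint16_t port; const char *name; };
struct heur_reg { const char *name; heur_fn claims; };

/* Constructed heuristic: TLS record header (type 20-23, major version 3). */
static bool heur_tls(const uint8_t *d, size_t len) {
    if (len < 5) return false;              /* too short to judge: decline */
    return d[0] >= 20 && d[0] <= 23 && d[1] == 3 && d[2] <= 4;
}

/* Constructed heuristic: BitTorrent handshake, length byte 19 + fixed string. */
static bool heur_bittorrent(const uint8_t *d, size_t len) {
    static const char magic[] = "BitTorrent protocol";
    if (len < 1 + sizeof magic - 1) return false;
    return d[0] == 19 && memcmp(d + 1, magic, sizeof magic - 1) == 0;
}

/* Port registrations: RTSP on its two default ports, as stated above. */
static const struct port_reg port_table[] = { {554, "rtsp"}, {8554, "rtsp"} };
/* Heuristic registrations, called one after another in this order. */
static const struct heur_reg heur_table[] = {
    {"tls", heur_tls}, {"bittorrent", heur_bittorrent},
};

/* Returns the name of the subdissector chosen for a TCP payload.
 * Assumption of this model: the port table is consulted before heuristics. */
const char *pick_subdissector(uint16_t sport, uint16_t dport,
                              const uint8_t *data, size_t len) {
    for (size_t i = 0; i < sizeof port_table / sizeof port_table[0]; i++)
        if (port_table[i].port == sport || port_table[i].port == dport)
            return port_table[i].name;
    for (size_t i = 0; i < sizeof heur_table / sizeof heur_table[0]; i++)
        if (heur_table[i].claims(data, len))   /* first TRUE wins, rest skipped */
            return heur_table[i].name;
    return "data";                             /* nobody claimed the payload */
}
```

In this model an RTSP message on a port other than 554 or 8554 falls through to "data", because RTSP is registered by port only and no heuristic looks at its content.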