
How does Wireshark dissect the protocol above TCP?


In this packet:

No.     Time                          Source                Destination           Protocol Length Info
      5 2012-01-18 13:49:07.908220    10.46.206.14          10.46.212.81          FTP      65     Request: USER root

Frame 5: 65 bytes on wire (520 bits), 65 bytes captured (520 bits)
Ethernet II, Src: Wistron_31:77:41 (00:1f:16:31:77:41), Dst: Zte_03:da:35 (00:19:c6:03:da:35)
Internet Protocol Version 4, Src: 10.46.206.14, Dst: 10.46.212.81   
Transmission Control Protocol, Src Port: 56053, Dst Port: 21, Seq: 1, Ack: 22, Len: 11    
    Source Port: 56053
    Destination Port: 21
    [Stream index: 0]
    [TCP Segment Len: 11]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 12    (relative sequence number)]
    Acknowledgment number: 22    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window size value: 16419
    [Calculated window size: 65676]
    [Window size scaling factor: 4]
    Checksum: 0xb6e1 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
    TCP payload (11 bytes)
File Transfer Protocol (FTP)
    USER root\r\n
        Request command: USER
        Request arg: root

From the TCP layer there is no info indicating that the upper application is FTP. How does Wireshark know it? Thanks.

asked 2017-12-23 15:04:20 +0000 by anshaohui
updated 2017-12-24 12:13:38 +0000 by grahamb


1 Answer


Port number. Most dissectors running atop TCP register by an assigned or "known" port number.

answered 2017-12-23 15:29:45 +0000 by grahamb
updated 2017-12-24 14:22:13 +0000 by Jaap

Comments

Jasper (2017-12-24 11:32:55 +0000)

Thanks for your response. I have some SMPP (Short Message Peer-to-Peer) capture files with different tcp.port numbers, but Wireshark could dissect them correctly. In Wireshark, Edit > Preferences, protocol SMPP, the port number setting is 0. Is there another reason Wireshark dissects it?

anshaohui (2017-12-25 08:03:23 +0000)

Note the "most" qualification in my answer.

SMPP registers as a "heuristic" dissector with both TCP and X.25 and as such, is called if the packet isn't "claimed" by another dissector. The TCP dissector has a preference setting to try heuristic dissectors first, before port registered dissectors.

grahamb (2017-12-26 14:17:24 +0000)
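To make the two mechanisms named in the answer and in the last comment concrete, here is an added example that is not Wireshark's code and not the question's capture: a small Python model of how the TCP dissector picks a sub-dissector. It has a port table (the answer's "known port" registration, where FTP claims port 21 as in the question's capture), a list of heuristic dissectors (the comment's SMPP case, which is reached even though SMPP's port preference is 0), and a flag that models the TCP preference "Try heuristic sub-dissectors first". The class names, the lower-port-first ordering and the simplified SMPP sniff test are assumptions made for this example; Wireshark's real checks live in its C dissectors.

```python
# Added example, not Wireshark's code: a model of TCP sub-dissector dispatch.
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Heuristic = Callable[[bytes], bool]


@dataclass
class TcpDispatcher:
    # Models the "tcp.port" dissector table: port -> protocol name.
    port_table: Dict[int, str] = field(default_factory=dict)
    # Models heuristic dissectors registered with TCP: (name, sniff function).
    heuristics: List[Tuple[str, Heuristic]] = field(default_factory=list)
    # Models the TCP preference "Try heuristic sub-dissectors first".
    try_heuristic_first: bool = False

    def register_port(self, port: int, proto: str) -> None:
        self.port_table[port] = proto

    def register_heuristic(self, proto: str, sniff: Heuristic) -> None:
        self.heuristics.append((proto, sniff))

    def _try_ports(self, src: int, dst: int) -> Optional[str]:
        # Assumption for this model: the lower-numbered port is tried first,
        # so a well-known server port wins over an ephemeral client port.
        for port in sorted((src, dst)):
            if port in self.port_table:
                return self.port_table[port]
        return None

    def _try_heuristics(self, payload: bytes) -> Optional[str]:
        # Each heuristic inspects the payload and "claims" it by returning True.
        for proto, sniff in self.heuristics:
            if sniff(payload):
                return proto
        return None

    def dispatch(self, src_port: int, dst_port: int, payload: bytes) -> str:
        """Return the protocol name that claims the payload, or 'Data' if none does."""
        if self.try_heuristic_first:
            hit = self._try_heuristics(payload)
            if hit:
                return hit
        hit = self._try_ports(src_port, dst_port)
        if hit:
            return hit
        hit = self._try_heuristics(payload)
        return hit or "Data"  # unclaimed payload is shown as raw data


def looks_like_smpp(payload: bytes) -> bool:
    """Simplified SMPP sniff test (an assumption, not Wireshark's exact logic):
    a 16-byte header whose command_length equals the segment length and whose
    command_id (ignoring the response bit) is a well-known SMPP operation."""
    if len(payload) < 16:
        return False
    command_length, command_id = struct.unpack("!II", payload[:8])
    if command_length != len(payload):
        return False
    known_ids = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x15, 0x21}
    return (command_id & 0x7FFFFFFF) in known_ids


def build_dispatcher(try_heuristic_first: bool = False) -> TcpDispatcher:
    d = TcpDispatcher(try_heuristic_first=try_heuristic_first)
    d.register_port(21, "FTP")    # port registration, as in the question's packet
    d.register_port(80, "HTTP")
    d.register_heuristic("SMPP", looks_like_smpp)  # no port: heuristic only
    return d


# Constructed sample payloads.
FTP_USER = b"USER root\r\n"  # the 11-byte segment from the question
# Minimal SMPP enquire_link PDU: length 16, command_id 0x15, status 0, seq 1.
SMPP_ENQUIRE_LINK = struct.pack("!IIII", 16, 0x00000015, 0, 1)


def classify_samples(try_heuristic_first: bool = False) -> Dict[str, str]:
    """Run the constructed samples through the model and report who claimed them."""
    d = build_dispatcher(try_heuristic_first)
    return {
        "ftp_on_21": d.dispatch(56053, 21, FTP_USER),            # port table hit
        "smpp_on_9999": d.dispatch(40000, 9999, SMPP_ENQUIRE_LINK),  # heuristic hit
        "ftp_on_2121": d.dispatch(56053, 2121, FTP_USER),        # nobody claims it
        "smpp_on_21": d.dispatch(40000, 21, SMPP_ENQUIRE_LINK),  # depends on preference
    }


if __name__ == "__main__":
    for pref in (False, True):
        print(f"try_heuristic_first={pref}: {classify_samples(pref)}")
```

The last two samples show the limits a defender should keep in mind: FTP carried on a non-standard port is not decoded at all in this model because no heuristic claims it (Wireshark's "Decode As..." exists for exactly that situation), and an SMPP PDU sent to port 21 is mis-labelled as FTP until the heuristic-first preference is enabled.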
