On Mar 2, 2009, at 12:46 AM, 王睿思 wrote: > for example: supposing an packet used the protocols: > "IP-TCP-RTSP", but when dissect how can the dissect_tcp() find its > subdissector is dissect_rtsp(), did it's based port identification or > content identification?
It depends on the protocol. In the case of RTSP, it's done by port identification; the RTSP dissector registers with the TCP dissector with two port numbers (defaulting to 554 and 8554). Other dissectors register with various dissectors as "heuristic" dissectors; the heuristic dissectors get called, one after another, and each of them checks the beginning of the data in the packet to see if the packet looks as if it's a packet for their protocol - if it is, they dissect the packet and return TRUE, so that none of the other heuristic dissectors get called, otherwise they stop looking at the packet data and return FALSE. > Besides, is there any method to know the data type in the > application layer?(e.g. if we could find the payload of RTSP is audio > or video and so on) That depends on the protocol. The payload of RTSP is an RTSP message; that message might include a Content-Type: header that indicates what the payload type for the message being set up is. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
